Security, et al

Randy's Blog on Infosec and Other Stuff

«  Non Security: CRM Dynamic... | Virtualization Security: ... »

BitLocker Notes on Backing Up Recovery Keys to Active Directory (AD)

Wed, 21 Dec 2011 14:21:18 GMT

Was just messing with BitLocker today.  I enabled BitLocker on a Win7 computer that is a member of a domain but before configuring group policy to require BitLocker recovery keys to be backed up to AD before locking the drive.

So I enabled the "Store BitLocker recovery information in Active Directory Domain Services" policy.  I forced a group policy refresh on that PC.   Then I went to my domain controller (win2008r2) and opened that computer account. First problem: no BitLocker tab on the computer account's properties dialog.  Had to open Server Manager and add the BitLocker Recovery Password Viewer under Add Features, Remote Server Administration Tools, Feature Administration Tools, BitLocker...

OK, after that the BitLocker tab showed up but nothing had been backed up.  If you miss requiring backup to AD when you first enable BitLocker it will never happen unless you explicitly tell Windows to with manage-bde.

So after LOTS of horsing around with manage-bde and figuring out all the really bad documentation errors on Technet and in the command line help I figured out I had to run "manage-bde -protectors -adbackup C: -ID {GUID}".  To figure out the GUID I had to run "manage-bde -protectors -get c:".

Now, the BitLocker tab on this computer's account in AD properly shows the recovery password and it's ID.

email this digg reddit dzone
comments (0)references (0)

Related:
Automating Review and Response to Security Events
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
New Features in LogRhythm 4.0 Deserve a Place on Your Short List
SolarWinds Log & Event Manager Includes My Favorite Feature in a SIEM…

Comments disabled

powered by Bloget™