Security, et al

Randy's Blog on Infosec and Other Stuff


BitLocker Notes on Backing Up Recovery Keys to Active Directory (AD)

Wed, 21 Dec 2011 14:21:18 GMT

I was just messing with BitLocker today. I enabled BitLocker on a Windows 7 computer that is a domain member, but I did so before configuring the group policy that requires BitLocker recovery keys to be backed up to AD before the drive is locked.

So I enabled the "Store BitLocker recovery information in Active Directory Domain Services" policy and forced a group policy refresh on that PC. Then I went to my domain controller (Windows Server 2008 R2) and opened that computer account. First problem: no BitLocker tab on the computer account's properties dialog. I had to open Server Manager and add the BitLocker Recovery Password Viewer under Add Features, Remote Server Administration Tools, Feature Administration Tools, BitLocker...

OK, after that the BitLocker tab showed up, but nothing had been backed up. If you miss requiring backup to AD when you first enable BitLocker, it will never happen unless you explicitly tell Windows to do it with manage-bde.

So after LOTS of horsing around with manage-bde and figuring out all the really bad documentation errors on TechNet and in the command line help, I figured out I had to run "manage-bde -protectors -adbackup C: -ID {GUID}". To figure out the GUID I had to run "manage-bde -protectors -get c:".

Now, the BitLocker tab on this computer's account in AD properly shows the recovery password and its ID.
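The manual procedure above (list the protectors, find the recovery password's GUID, run the adbackup, then confirm in AD) is worth scripting once you have more than one machine in this state. The following PowerShell is an added example and is not code from the original post; it assumes an elevated prompt on the domain-joined client, that manage-bde.exe prints protectors in its usual "Numerical Password:" / "ID: {GUID}" layout (the label manage-bde uses for the recovery password protector), and that the RSAT ActiveDirectory module is available for the final verification step, which goes one step beyond the post by reading the msFVE-RecoveryInformation objects back out of AD instead of trusting the GUI tab.

```powershell
# Added example, not from the original post. Back up the recovery password
# protector(s) of a volume to AD after the "Store BitLocker recovery
# information in Active Directory Domain Services" policy was enabled too
# late, then verify the backup from the directory side.
# Assumptions: elevated prompt, domain-joined client, manage-bde output layout
# as described in the lead-in, RSAT ActiveDirectory module installed.

$Volume = 'C:'

# 1. List all key protectors and pull out the ID of every "Numerical Password"
#    (recovery password) protector. That is the protector type AD stores.
$lines = & manage-bde.exe -protectors -get $Volume
$ids = @()
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*Numerical Password:') {
        # The "ID: {GUID}" line follows the protector label.
        for ($j = $i + 1; $j -lt $lines.Count; $j++) {
            if ($lines[$j] -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
                $ids += $Matches[1]
                break
            }
        }
    }
}
if ($ids.Count -eq 0) {
    throw "No recovery password protector on $Volume. Add one first with: manage-bde -protectors -add $Volume -RecoveryPassword"
}

# 2. Back up each recovery password protector to the computer account in AD.
#    This is the step the post arrived at by hand.
foreach ($id in $ids) {
    & manage-bde.exe -protectors -adbackup $Volume -id $id
    if ($LASTEXITCODE -ne 0) {
        throw "adbackup failed for protector $id (exit code $LASTEXITCODE)"
    }
}

# 3. Verify from AD. Each backed-up recovery password is a child object of
#    class msFVE-RecoveryInformation under the computer account, and its
#    msFVE-RecoveryGuid attribute (an octet string) holds the protector GUID.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryGuid

$adGuids = @()
foreach ($obj in $stored) {
    $guid = New-Object System.Guid -ArgumentList (,[byte[]]$obj.'msFVE-RecoveryGuid')
    $adGuids += ('{' + $guid.ToString().ToUpper() + '}')
}

foreach ($id in $ids) {
    if ($adGuids -contains $id.ToUpper()) {
        Write-Output "Protector $id is present in AD for $($computer.DistinguishedName)"
    } else {
        Write-Warning "Protector $id is NOT in AD; check the policy, the client's permissions on its own computer object, and the schema"
    }
}
```

The verification step matters because the adbackup command succeeding locally is not the same as the object existing in AD: if the schema extensions or the computer's write permission on its own account are missing, the BitLocker tab stays empty and a lost TPM or PIN means a lost drive.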




