Shaking BitLocker – Backup keys to AD and play around

I have come across many scenarios where people have their BitLocker Information in AD, and then different funny situation happened along the way that i want to talk about in this blog post.

Problems

Case 1 : What will happen if you rejoin a BitLocker protected computer to the domain

Case 2 : Renaming a computer which has BitLocker

Case 3 : Computer was used by user1, user1 resigned, so you reset his computer account in AD, reformatted the machine, join it to domain and re-enabled BitLocker on it

Case 4 : deleting computer which has BitLocker from AD

Case 5 : Enabling BitLocker before joining the machine to the domain

Case 6 : divergence happened, you have a domain joined machine with BitLocker enabled, and in AD you do not have recovery information for that computer.

Solutions

Case 1,2

if you rename a computer which has BitLocker already turned ON, or If you re-join a BitLocker Encrypted machine, to the domain , nothing will happen to the BitLocker recovery information in Active Directory. You can still see them. (Reference)

Case 3 :

Since the computer object was reset, and not deleted (recommended way), then you will see accumulative BitLocker information under the computer object for the volume encryption keys when the machine was owned by user1, and the volume recovery keys after the format. Nothing bad about this from my point of view.

To know more about why you should always reset computer accounts instead of deleting them, check this post (BitLocker Killer Mistakes)

Case 4 :

If you delete computer object that has BitLocker information on it, then both the computer object and the BitLocker recovery information are moved to the AD recycle Bin if you enable AD recycle bin. Nevertheless, the links between the computer object and the child objects are broken (check this post to know why and how to restore both)

Case 5 , 6 :

Enabling BitLocker before joining the machine to the domain, means that the BitLocker recovery keys for that machine are not stored in Active Directory and this is very dangerous and risky.

This also can happen if BitLocker was enabled and there was no network connectivity to the domain at that moment. Another possibility is that group policy settings to save recovery information to AD was not enabled at the time of encryption.

To ask your machine to backup its recovery keys to Active Directory , do the following steps for each encrypted volume on the machine :

  • Go to that machine, open CMD using elevated admin rights

Type :   manage-bde -protectors -get c:

This command will show you the BitLocker Protectors for the C drive.

  • Search for the Numerical Password item, and copy the ID value. In the below screen shot, the ID value is {21E15846-E03B-4D01-9B98-58A662586947}. This represents the ID of the value that we want to backup to AD. The value it self exist in the Password field. I have hide that field from the screenshot for privacy reasons. Anyway, we only need the ID value.

BitLocker_Recovery_Keys_234s322

  • Now run this command:

manage-bde -protectors -adbackup c: -id {21E15846-E03B-4D01-9B98-58A662586947}

  • Repeat this for all BitLocker drives.
  • To verify that the BitLocker information are now backed up under the computer object in AD, download the (BitLocker Recovery Password Viewer)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s