Shaking BitLocker – Backup keys to AD and play around

I have come across many scenarios where people have their BitLocker Information in AD, and then different funny situation happened along the way that i want to talk about in this blog post.

Problems

Case 1 : What will happen if you rejoin a BitLocker protected computer to the domain

Case 2 : Renaming a computer which has BitLocker

Case 3 : Computer was used by user1, user1 resigned, so you reset his computer account in AD, reformatted the machine, join it to domain and re-enabled BitLocker on it

Case 4 : deleting computer which has BitLocker from AD

Case 5 : Enabling BitLocker before joining the machine to the domain

Case 6 : divergence happened, you have a domain joined machine with BitLocker enabled, and in AD you do not have recovery information for that computer.

Moving to a New Blog Platform

This post is now moved to my new blog platform at https://blog.ahasayen.com. To continue reading this blog post, please click here

https://blog.ahasayen.com/bitlocker-tips-and-tricks/

Recover BitLocker keys from Recycle Bin !

 Problem

 You have AD with Recycle Bin enabled.

You are storing BitLocker recovery keys in AD

You have deleted a computer object with BitLocker Recovery information on it

You then restored that computer account from recycle bin.

No BitLocker Recovery information exists on the recovered computer object !!!!! What the heck ?!

Reason

Going back to basics…. do you know where the BitLocker information is stored for a computer object ? They are stored as a child object below the computer object itself.

Now, when the computer get deleted from Active Directory and moved to the AD recycle bin, the links between the child objects and the parent are broken. In the AD recycle bin you will see both computer objects and child objects randomly stored there. If you put your hand in this recycle bin and pull a computer object, you will not see any of its child objects attached to it any more. This is exactly what happened when you restored the AD computer from recycle bin, you will get the computer object without its child objects.

Solution

Lucky for all of us, each child objects of type (BitLocker Recovery Information) will have an attribute called (lastKnownParent). So theoretically if you go to the recycle bin and asked ” i have a parent called ComputerX, so which of you guys are the sons of this computer (which of you has the lastknownParent = ComputerX).

Download Script

Go to your Domain Controller or any machine with ActiveDirectory PowerShell Module, open PowerShell using a domain administrator account (only domain admin can restore from AD recycle bin), run the script from there. Make sure AD PowerShell module exist on that machine.

Do not forget that you may need to run Set-ExecutionPolicy Unrestricted on PowerShell to allow script execution.

I have no single credit writing this script. You can find the script here written by (Norman Bauer). I copied the script also to my repository so you can download it directly .

Download the script  http://sdrv.ms/1axvqS4

How does the script work

• It will ask you about the name of computer to restore
• Validation check : checking if that computer exists in AD first
• If not, then the computer may be in recycle bin, search there and report if it is not there also ($deleted = Get-ADObject -IncludeDeletedObjects -Filter {sAMAccountName -eq $computername -and Deleted -eq $True}
• If the computer in recycle bin, we will going to restore it ($deleted | Restore-ADObject)
• Then we will search the recycle bin for child objects that have LastKnownParent equals the DistinguishedName for the restored computer ($recoveryinfos = Get-ADObject -IncludeDeletedObjects -Filter {lastKnownParent -eq $restoredobject.DistinguishedName -and Deleted -eq $True -and objectClass -eq ‘msFVE-RecoveryInformation’})
• If found, for each child object ForEach($recoveryinfo in $recoveryinfos) we are going to  $recoveryinfo | Restore-ADObject

BitLocker User Guide Policy

One of the most important things when you decide to roll out BitLocker at your corporate, is simply communicating this to your business users. Not only they deserve to know about encryption on their laptops, they should be aware of this encryption and need to know what to do when for example they forget the start-up PIN. They should also be aware not to share or write down the BitLocker start-up PIN if any, and that they shall not disable encryption on their machines if they have administrative rights.

Prepare your organization for BitLocker: Planning and Policies

Getting back to my lovely Contoso corporation, the IT guys there decided to communicate the enrollment for BitLocker on Laptops and use a combination of TPM and start-up PIN. The BitLocker User Guide contains the following sections :

• What is BitLocker?
• Will I notice a difference?
• How BitLocker works?
• Creating your pin
• Changing the PIN
• What if I forget my PIN?
• Protecting Data drives with BitLocker
• Protecting USB drives with BitLocker
• Standby Mode (Sleep Option)
• Will BitLocker effect performance of my laptop?
• Removing BitLocker protection Policy

 

Download  Contoso BitLocker User Guide

BitLocker Killer Mistake

Assumptions

You have BitLocker deployment where you backup your BitLocker recovery key to Active Directory.

The wrong thing

When you format a computer, you go to AD, delete the computer account, and create a new one, then you join the formatted machine to domain! Killer mistake indeed!!!

The right thing

When you format a computer, you go to AD, (RESET THE COMPUTER ACCOUNT) , and then join the formatted machine to machine!

 What can go wrong if I delete computer account

When you enable BitLocker on a computer drive, the machine will write BitLocker Recovery information on the computer account in AD. So if you delete a computer account, you will delete all BitLocker recovery information. Instead resetting computer account will not.

Common Mistake Scenario

A computer with C and D drive with BitLocker enabled on both of them. You backed up everything in the C drive and since the C drive is big enough, you decided to keep the D and only format the C drive.

You start installing Windows 8 for example on the C drive, you deleted the computer account from AD, and then you created a new one. Then you join the machine to domain, and enable BitLocker on the C drive.

Now you noticed the D drive is encrypted. You went to AD to find a recovery information for that drive. BOOOOM!!! no recovery information since you deleted the computer account and created a new one. Good luck with that.

Remember to always reset computer accounts instead of the old habit of deleting them

BitLocker PowerShell Script Backup Encrypted Keys (How and Why)

BitLocker is a great out of the box encryption tool for disk volumes. If you read about this technology, you realize that the most challenging part is the disk recovery key and how to maintain/backup it.

Well, Microsoft did a great job documenting different ways for doing that. One of those methods is to backup keys to Active Directory. Simple and easy, even you can control this behavior via Group Policies.

Problem

Let me describe the problem with BitLocker AD Key Backup and Recovery

Now, Imagine that you enabled BitLocker key recovery in Active Directory. This will simply create an entry per volume on a specific multi value attribute in the computer object.

Now, suppose that you have deleted the computer object from AD.

Or think about this scenario : The computer has C drive with O.S and D drive for data, both are bitlocker encrypted. You decided to format the C drive and join it again to the domain, so you format the C drive, delete the computer object AD, so you could join it to the domain again. Now think about the recovery key for the D drive in this scenario !!!!! It is lost when you deleted the computer object.

Bad things happen and believe me that you will always find your self in a situation where computer objects get deleted, even as part of organized cleanup process.

You will end up, getting back to AD restore or AD recycle bin, and believe they are not that easy to deal with.

Solution !!!

I have created a simple script that needs only read access to Computer objects and to BitLocker Recovery Information.

(Read this blog for information about how to delegate permissions to read BitLocker Information)

Now here is the script that will go to all computer objects in your Active Directory, and create a nice CSV file for you with all recovery keys for all BitLocker Computers. You can schedule it to run daily and you can keep those CSV for a month and then automatically delete the oldest.

This way, you will have a solid place to go to when some one deleted a computer object and you need the BitLocker Recovery Key. Believe me , this helped me a lot.

Note : The machine from which the script will run, should have Quest Active Directory PowerShell command. You can download it from here  http://www.quest.com/powershell/activeroles-server.aspx

Script Output

CSV File with Object Name, Computer Name, and other attributes. The most ipmortant one is the (Recovery Password) field. This is the one that you can use to unlock BitLocker volume.

Download the script 

You can download the script from here Get-ADBitLockerInfo

Examples

.EXAMPLE

 Collect information from the whole directory and save the output CSV file to C:\Scripts

.\Get-ADBitLockerInfo.ps1 $filepath C:\scripts

.EXAMPLE

 Collect information from the whole directory and save the output CSV file current directory

.\Get-ADBitLockerInfo.ps1 $filepath .\

.EXAMPLE

 Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts

.\Get-ADBitLockerInfo.ps1 $filepath C:\scripts -OrganizationalUnit “OU=LON,DC=CONTOSO,DC=COM”