BitLocker puzzle


Kurt Buff

Feb 4, 2022, 4:54:10 PM
to ntsys...@googlegroups.com
I'm trying to make it a bit easier for the helpdesk, and have configured the GPO as below, and can't make scripting work the way I think it should. I wanted them to be able to run a quick script, potentially as a one-time startup script while in a deployment OU, rather than manually opening the GUI and having to navigate to a network share to drop the text file containing the password/recovery key.

Using the GPO settings below, if I use the GUI, then encryption starts and the info is saved to AD.

However, if I execute these commands:
$vol = Get-BitLockerVolume -MountPoint C:
Enable-BitLocker -MountPoint $vol -EncryptionMethod XtsAes128 -SkipHardwareTest -TpmProtector

The drive encrypts, but doesn't update Active Directory, and it doesn't prompt for a file location for the password/recovery key, which seems less than optimal.

If I enable the highlighted GPO setting and then execute the above commands, I get an error:
Enable-BitLockerInternal : Group Policy settings require that a recovery password be specified before encrypting the drive. (Exception from HRESULT: 0x8031002C)

From my reading, it looks as if the only way to make this work is to specify "-RecoveryPassword", which doesn't fit my plan at all.

Am I comprehending this correctly? If I am, it seems as if them bringing up the GUI and initiating encryption will work just fine, and it would be nice to automate it better, but at least in that case it won't prompt them for a file location on a restricted share to save the info.

Kurt

Group policy settings for BitLocker (no MBAM or other management tools):
Windows Components/BitLocker Drive Encryption/Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
Windows Components/BitLocker Drive Encryption/Select the encryption method for operating system drives: XTS-AES 128-bit (default)
Windows Components/BitLocker Drive Encryption/Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
Windows Components/BitLocker Drive Encryption/Select the encryption method for removable data drives: AES-CBC 128-bit (default)
Windows Components/BitLocker Drive Encryption/Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)/Require BitLocker backup to AD DS: Enabled
Windows Components/BitLocker Drive Encryption/Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)/Select BitLocker recovery information to store: Recovery passwords and key packages
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Allow data recovery agent: Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Configure user storage of BitLocker recovery information: Allow 256-bit recovery key
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Omit recovery options from the BitLocker setup wizard: Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Save BitLocker recovery information to AD DS for operating system drives: Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Windows Components/BitLocker Drive Encryption/Operating System Drives/Choose how BitLocker-protected operating system drives can be recovered/Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
Windows Components/BitLocker Drive Encryption/Operating System Drives/Enforce drive encryption type on operating system drives: Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives/Set which software is allowed to generate the Secure Attention Sequence: Full Encryption


Michael B. Smith

Feb 4, 2022, 5:14:54 PM
to ntsys...@googlegroups.com

Quoting:

    It is common practice to add a recovery password to an operating system volume by using the Add-BitLockerKeyProtector cmdlet, and then save the recovery password by using the Backup-BitLockerKeyProtector cmdlet, and then enable BitLocker for the drive. This procedure ensures that you have a recovery option.

I think this is what the GUI does for you.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce6bwNU4%2BpcnLF654W2%2BBai%3DSmBTQXsvN%3Dvx2kbYRaxChA%40mail.gmail.com.

Kurt Buff

Feb 4, 2022, 7:14:04 PM
to ntsys...@googlegroups.com
Interesting!

You are absolutely correct.

I did a bit more searching, and found this article:
https://social.technet.microsoft.com/Forums/en-US/656b5803-2f76-4957-afd1-63c7759e86fb/backupbitlockerkeyprotector-doesnt-return-any-error-even-if-it-fails?forum=mdopmbam

The script at the bottom of the page helped quite a bit.

I'll massage that a bit and turn it into a startup script in our deployment OU.

Thanks for the hint.

Kurt

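As an added example (not code from this thread, the linked TechNet article, or Microsoft), here is the add-protector, back-up, then enable sequence Michael quoted, written as the kind of startup script Kurt describes. It assumes it runs as SYSTEM on a domain-joined machine with a TPM, and it uses the Win32_EncryptableVolume WMI method for the escrow step (an assumption chosen because that method returns a status code the script can check) rather than Backup-BitLockerKeyProtector.

```powershell
# Added example, not code from the thread: create the recovery password first, escrow it
# to AD DS, verify the escrow result, and only then start encryption.
# Assumes: run as SYSTEM (e.g. a GPO startup script) on a domain-joined machine with a TPM.
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Idempotent: a startup script runs every boot, so do nothing once encryption exists.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}

# 1. Create the 48-digit recovery password protector. Nothing is encrypted yet, and this
#    is what satisfies the 'require a recovery password' policy without -RecoveryPassword.
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) { throw "No recovery password protector was created on $MountPoint" }

# 2. Escrow the protector to the computer object in AD DS. This example calls the WMI
#    method directly (an assumption) because it returns a status code, 0 meaning success,
#    where the cmdlet can fail without reporting an error.
$wmiVol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
$cimArgs = @{
    InputObject = $wmiVol
    MethodName  = 'BackupRecoveryInformationToActiveDirectory'
    Arguments   = @{ VolumeKeyProtectorID = $rp.KeyProtectorId }
}
$backup = Invoke-CimMethod @cimArgs
if ($backup.ReturnValue -ne 0) {
    # Never encrypt a drive whose only recovery key is not on record anywhere.
    throw ('AD DS backup of protector {0} failed with 0x{1:X8}; not enabling BitLocker' -f
           $rp.KeyProtectorId, $backup.ReturnValue)
}

# 3. Only now turn on encryption, with the TPM as the unlock protector.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -SkipHardwareTest -TpmProtector
```

Because the recovery password already exists when Enable-BitLocker runs, the 0x8031002C error from the original post does not occur even with the "require a recovery password" policy enabled.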

Markus Klocker

Feb 7, 2022, 1:53:26 AM
to ntsys...@googlegroups.com
You can also configure backup of the recovery key in AD.
We do that and are happy with it.