Bitlocker To AD

Context -
After management noticed the SQL/MBAM costs, combined with our goal to detach from the EA, a plan was devised to cut cost and maintain a repository for Bitlocker recovery information.

posted May 23, 2016, 10:28 AM 

This process was developed to address the removal of MBAM from notebook systems in an effort to save a considerable amount of $$$.  Some of the hurdles with this project are ensuring that we meet our deadline and minimize interruptions to the user.  Based on these criteria we decided to remain with Bitlocker.  We do so by removing the administrative layer, which is MBAM.  Your next question is: how do we manage and provide the recovery key?  This will be accomplished by saving the key in AD, where it will be accessible to FIT in ADUC.  

Process Summary

  • Determine VPN connectivity

  • Uninstall MBAM

  • Remove computer from MBAM group

  • Force group policy update (Remove MBAM policy)

  • Add computer to BL2AD group (Add Bitlocker policy)

  • Suspend Bitlocker

  • Force group policy update

  • Build numeric password ID

  • Restart

  • Send recovery key to AD

  • Resume Bitlocker

  • Verify recovery key transmission to AD. (If this fails, local FIT will get an email identifying the user and computer in order to investigate).

Advisory

  • Deployment to one of these groups will generate a reboot, so plan accordingly.  Start with one system initially and expand after you have verified the process.

  • This is designed to be deployed to VPN users as well.  Keep in mind that a majority of offline users do not connect over the VPN, so it's highly likely these systems may be out of CM and/or DNS.  Take a moment to make sure their systems check out, and update them if necessary, before proceeding.  Keep in mind that these users are the most at risk since they may rarely visit a plant.  It's important that you make sure their systems have no issues.

  • Some systems that regularly connect to the domain are subject to issues as well.  These are usually DNS-related, and Group Policy will not update.  No Group Policy = No Bitlocker 2 AD.

  • In the event of a failure be sure to review the FAQ (below) on the blog to see if any of these topics are applicable. Your feedback may help others.

Deployment

The process is initiated by adding a system to a Group.  Below is an example of a Site Group.  This will generate a Reboot on the client so plan accordingly.

HSV1AMCM12W01 - Remote Desktop Connection Manager v2.7 2016-05-23 09.53.30.png

Once the computer object has been discovered, the Task Sequence will appear in the Software Center and begin installing.  In the event of an error you can restart the process.

DFW1AMNB241304 - Remote Desktop Connection Manager v2.7 2016-05-23 09.59.32.png

Initialization

2020-05-15_11-30-02.png

Restart (15 minutes)

restart.png

Final Processing

2020-05-15_11-41-24.png

Post Install (FIT Systems Only)

At this point we need to navigate to the Application Catalog.  Select the IT category and install the Bitlocker Password Recovery Viewer.

appcatbiviewer1.png

This will allow you to open ADUC and see the Recovery Key.

aducrecov.png

FAQ

Q - I received the following email, what should I do?

notif.png

Let me begin by saying this is a serious issue.  We do not want to lose track of the recovery key.  I have seen several instances where this has happened and the only answer to this problem is going to be, "I hope you have a recent backup".  Log into the machine and check the event logs.  Select the System Event Log and filter by event source Bitlocker-API.

eventlog.png

This will reveal something similar to the following.  513 is Success / 514 is Fail / 515 is Already Exists.

bleventcoodes.png

Q - OK so I checked the event log and filtered by the event source Bitlocker-API however there remains a problem.  What to do?

A - Verify Group Policy got applied by doing a gpresult /h results.html /f

If the computer is a member of BL2AD_G but does not show in the Applied GPOs, try a gpupdate /force and restart.

  At this point you need to review your system for any potential network and/or domain issues.  In the event everything checks out, you can open an Elevated Command Prompt and execute the following to get the Numerical Password ID.

manage-bde1.png

  Next type the following with the ID you captured earlier.

manage-bde2.png

  And as always verify the process by opening ADUC.

aducrecov.png

Q - I opened ADUC and noticed that there are 2 recovery keys.  How did this happen and what do I do?

Duplicates.png

A - This means that someone forgot to delete their machine from ADUC prior to re-imaging.  This can be corrected by opening ADUC and changing the view.

Container.png

Navigate to your system and delete the one with the Oldest date.

Delete1.png
confirmation.png

Q - What about the TPM Owner Password in the event of a lockout?

A - Capture of the TPM Owner Password will fall into phase 2 of this deployment.  In the event you do experience a TPM lockout, you can use the Recovery Key to proceed.

Q - How will this new process work during imaging?  Do we select Bitlocker?

A - Yes you will select Bitlocker moving forward.  This will also allow us to Pre-Provision Bitlocker so that it is encrypted before you ever touch it.

Q - Is there a self service portal we can direct users to?

A - There is no portal at this time.

Q - Will we get weekly reports identifying notebook systems that are not using Bitlocker and or missing a Recovery Key?

A - Yes, these will be delivered shortly after the initial deployment.

Q - Will other FIT sites be able to read Recovery Keys for the systems that I manage?

A - Only if they are a member of your <Site>_FIT_G group.

Q - I am unable to install the Bitlocker Password Recovery Viewer through the Application Catalog.  What are my options?

A - From Run or the command line, type Appwiz.cpl (Programs and Features).  Add the following:

ManualBPRV.png

Q - Are there any reports we can reference to see status?

A -  Select the following:

Reporting.png
reporting2.png

Q - What are the Group Policy settings for Bitlocker?

A - Reference the graphic below.

GP2.png

Q - I seem to be experiencing difficulty with the process for VPN users.  Are there manual steps to follow?

A - Follow the order below:

  1. Uninstall MBAM

    1. 32 - MsiExec.exe /X{CFBFD28C-654B-4E23-B61E-6160491375A6} /quiet /norestart (elevated cmd prompt)

    2. 64 - MsiExec.exe /X{7B5ABC68-4641-4CEF-BD5B-E30407CF2B2C} /quiet /norestart (elevated cmd prompt)

  2. Remove computer from MBAM_System_Encryption_G

  3. Add computer to BL2AD_G

  4. gpupdate /target:computer /force /wait:0 (elevated cmd prompt)

  5. manage-bde -protectors -disable c: (elevated cmd prompt)

  6. manage-bde -protectors -get C: -Type recoverypassword > C:\windows\temp\NPID.txt (elevated cmd prompt)

  7. Reboot

  8. Reconnect to VPN

  9. ipconfig /flushdns (elevated cmd prompt)

  10. net stop nlasvc /yes (elevated cmd prompt)

  11. net start netprofm /yes (elevated cmd prompt)

  12. gpupdate /target:computer /force /wait:0

  13. Verify group policy is applied for BL2AD and denied for MBAM by doing a gpresult /h filename.html /f.  Check applied and denied GP.

  14. Open txt file at c:\windows\temp\npid.txt / copy the numeric password id

  15. manage-bde -protectors -adbackup c: -id {Numeric Password ID Goes Here} (elevated cmd prompt)

  16. Verify process was successful from message returned on CMD prompt display.

  17. Verify you can see the key in AD with the Bitlocker Password Recovery Viewer

  18. manage-bde -protectors -enable c: (elevated cmd prompt)
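Steps 14 to 17 of the manual procedure above, together with the two FAQ checks (confirming the key is really in AD and spotting duplicate recovery objects after a re-image), as an added PowerShell example that is not part of the original post or the deployment Task Sequence.  It assumes an elevated session on the client, the RSAT ActiveDirectory module installed, and the BL2AD policy already applied; Backup-BitLockerKeyProtector is the cmdlet equivalent of the manage-bde -protectors -adbackup step, so the NPID.txt file is not needed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes RSAT ActiveDirectory is
# installed on the client and the BL2AD group policy has already been applied.
param([string]$MountPoint = 'C:')

Import-Module BitLocker
Import-Module ActiveDirectory

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) { throw "No recovery-password protector on $MountPoint; nothing to escrow." }

# Steps 14-16: escrow every recovery-password protector (same as manage-bde -adbackup -id ...)
foreach ($kp in $rp) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Host "Backed up protector $($kp.KeyProtectorId) to AD"
    } catch {
        # Usual causes from the FAQ: policy not applied, or DNS/VPN cannot reach a DC
        Write-Warning "AD backup failed for $($kp.KeyProtectorId): $_"
    }
}

# Step 17 / FAQ: read back what AD actually holds under this computer object
$dn   = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$inAd = @(Get-ADObject -SearchBase $dn -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -Properties 'msFVE-RecoveryGuid', 'whenCreated')

$escrowed = @{}
foreach ($o in $inAd) {
    # msFVE-RecoveryGuid is a 16-byte octet string equal to the protector's ID
    $escrowed[(New-Object Guid (,[byte[]]$o.'msFVE-RecoveryGuid'))] = $o.whenCreated
}

foreach ($kp in $rp) {
    $g = [guid]$kp.KeyProtectorId
    if ($escrowed.ContainsKey($g)) { Write-Host "OK      $g escrowed $($escrowed[$g])" }
    else { Write-Warning "MISSING $g is not in AD; review the BitLocker-API events below" }
}

# More objects than local protectors usually means a re-image without deleting the old
# computer object first (FAQ above): the one with the oldest whenCreated is the stale copy.
if ($inAd.Count -gt $rp.Count) {
    Write-Warning "AD holds $($inAd.Count) recovery objects for $env:COMPUTERNAME; oldest may be stale"
}

# FAQ: the System log entries Event Viewer lists under source "BitLocker-API"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-BitLocker-API' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Run it after the post-reboot gpupdate (step 12) and before re-enabling protectors (step 18); a MISSING line is the same condition that triggers the notification email in the FAQ.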
