Looking for advice on Bitlocking mobile windows devices with Domain recovery agent.

Posted on 2014-09-24
Last Modified: 2014-10-31
I have a 2008 functional level domain, we'd like to enable BitLocker on all Windows laptops backing up the passwords and recovery info to AD DS, and requiring TPM + PIN.  It'd be awesome if we could push this out via GPO as well.

I've done limited tests with a few VMs and a couple of physical laptops, with little success.  Looking for any advice, tips/tricks, etc.

All laptop OSes are Win7 Enterprise, and all hardware has a supporting TPM on-board.
Question by:Ben Hart
22 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 40342477
Hi again.

It would be nice to see what you did and what didn't succeed.
The process is documented on Microsoft's TechNet on various pages, and I am pretty sure a TPM-based BitLocker "rollout" will run pretty well, though I never did one; I used it on Win8.1, not with TPM but with passwords (which is not possible on 7, by the way).

So please expand the description of the process.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342515
OK, I don't have the sources for this anymore :(  But what I did was: I created a test OU, disabled inheritance, and created a new GPO that made admin template changes for the recovery keys and copied two VBS files to the user's desktop, and I believe it ran them.  I've attached reports of both of the GPOs I created for this.
Enable-BL.htm
Install-net4.5---WMF-4.htm
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342534
McKnife, how was BL rolled out in your env?
 
LVL 56

Accepted Solution

by:McKnife (earned 1000 total points)
ID: 40342565
We set the policy to require AD backup of keys before encryption (which in fact enforces automatic key backup) and set the GPO to allow additional startup keys, so TPM would not be necessary. Then we used a manage-bde.exe script inside our startup script that set a random password and created a .bek file (BitLocker encryption key file) that we could save to a USB key (all users got such a USB key). We handed out the keys to users so they could start the computers on their own. Then they were told to use another script (Metro desktop link) that they should feed their domain password. The script would
A) set this one as the BL password
B) set up autologon using the same password so we could have single sign-on (even though it is faked).

Edit: ah, and we required 256-bit AES using GPOs.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40342678
What do you do if a user loses their USB key?  They have to have the key plugged in at boot, correct?
 
LVL 56

Expert Comment

by:McKnife
ID: 40342692
No, I forgot to mention: the script they initially used to set a password would destroy the USB protector, so they could no longer use it. We would not like to see the keys being left plugged in...
 
LVL 14

Author Comment

by:Ben Hart
ID: 40344201
Here are the two VBScript files I've got that are supposed to enable BitLocker and TPM.
EnableBitLocker.vbs
enable-bitlocker-notebook.vbs
 
LVL 56

Expert Comment

by:McKnife
ID: 40344260
If they are from MS, they should of course work... please let us know the complete output.
 
LVL 56

Expert Comment

by:McKnife
ID: 40345053
Tomorrow I might be able to give you a solution. We have just acquired a single laptop that needs BL with TPM.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40346163
Sweet! I look forward to it.
 
LVL 56

Expert Comment

by:McKnife
ID: 40346422
Funny... that TPM just didn't want to play with me today. But that had nothing to do with scripting abilities or even scripting at all. I had to disable it altogether in order to use BitLocker. With TPM activated and prepared, I got "The system cannot find the file specified" - whatever file that should be.

So I am sorry, but I cannot try it today; maybe in a few weeks again. I would like to try it, but I can't in virtual test environments, because those still cannot emulate a TPM chip.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40346747
The VMs I will use to test are on my desktop, an HP Z230 which has a TPM on-board.  Would you mind shooting me your scripts for comparison?
 
LVL 56

Expert Comment

by:McKnife
ID: 40346881
Like I said, VMs cannot use TPM chips.
I have no scripts for TPM setups.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40363701
Hmm, that's unfortunate.  I do not want to manage a barrage of USB keys, nor smartcards.  I assumed TPM + PIN would be the easiest for the users to handle.
 
LVL 56

Expert Comment

by:McKnife
ID: 40363710
Yes it is.
So please look into either simple scripting (manage-bde.exe) or let that script you already have log its errors to a file so we can discuss them.
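As an added example, not code from either participant or from Microsoft, here is what the "simple scripting (manage-bde.exe) that logs its errors to a file" suggested above could look like for the TPM + PIN target in the question. It is phase 1 of a two-phase rollout, written to run as a GPO computer startup script (as SYSTEM) on Win7 Enterprise, and it assumes the GPO already requires AD DS backup of recovery information and allows TPM + PIN at startup; `$LogFile` and the function names are hypothetical.

```powershell
# Phase 1 of a TPM+PIN rollout (added example, not from this thread).
# Assumes the GPO requires AD DS backup and allows TPM+PIN; $LogFile is hypothetical.
$Volume  = 'C:'
$LogFile = 'C:\Windows\Temp\bitlocker-rollout.log'

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}
function Invoke-ManageBde([string[]]$ArgList) {
    # Run manage-bde, capture stdout+stderr as text and record the exit code.
    $out = & manage-bde @ArgList 2>&1 | ForEach-Object { "$_" }
    Write-Log ('manage-bde {0} -> rc={1}' -f ($ArgList -join ' '), $LASTEXITCODE)
    $out | ForEach-Object { Write-Log "  $_" }
    return $out
}

# 1. A TPM that is present but not enabled/activated in firmware is a common
#    cause of opaque manage-bde errors, so check it first and stop early.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { Write-Log 'No TPM device found'; exit 1 }
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    Write-Log 'TPM not enabled/activated in firmware'; exit 1
}

# 2. Idempotence: do nothing on a machine that is already protected.
if ((Invoke-ManageBde @('-status', $Volume)) -match 'Protection On') {
    Write-Log 'Volume already protected'; exit 0
}

# 3. Recovery password first, escrowed to AD DS before any encryption starts.
$out = Invoke-ManageBde @('-protectors', '-add', $Volume, '-RecoveryPassword')
$id  = [regex]::Match(($out -join "`n"), '\{[0-9A-Fa-f-]{36}\}').Value
if (-not $id) { Write-Log 'No protector ID found in manage-bde output'; exit 1 }
Invoke-ManageBde @('-protectors', '-adbackup', $Volume, '-id', $id) | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log 'AD DS backup failed, not encrypting'; exit 1 }

# 4. TPM-only protector so the machine still boots unattended, then encrypt
#    (manage-bde -on runs a hardware test that needs one reboot).
#    Phase 2, run interactively by the user, swaps it for TPM+PIN:
#      manage-bde -protectors -delete C: -type TPM
#      manage-bde -protectors -add C: -TPMAndPIN    (prompts for the PIN)
Invoke-ManageBde @('-protectors', '-add', $Volume, '-TPM') | Out-Null
Invoke-ManageBde @('-on', $Volume) | Out-Null
exit $LASTEXITCODE
```

The log file gives you exactly the manage-bde output McKnife asked for, and the explicit `-adbackup` step lets you confirm in AD DS (msFVE-RecoveryInformation objects under the computer account) that escrow worked before the drive is encrypted.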
 
LVL 14

Author Comment

by:Ben Hart
ID: 40372805
I'm posting here to keep my question active while I test a couple things out on this script.
 
LVL 14

Author Comment

by:Ben Hart
ID: 40373025
McKnife.. What OS are your clients running? What functional level is your domain? And are you backing up Bitlocker info to DS?
 
LVL 56

Expert Comment

by:McKnife
ID: 40373061
OS: Win8.1 Pro
Functional level: 2008
Backup to AD: yes
 
LVL 14

Author Comment

by:Ben Hart
ID: 40415663
OK, first off my apologies for letting this expire like it did.  Is my issue resolved?  No, not even close.  But due to the extreme clean-up efforts at EE I am forced to do something with this question.  I do not and have never agreed with how stringently Admins push for question closure, as if all posters here have nothing to do at work but sit here and closely monitor a question until its completion.  Which in my experience can take weeks.

But whatever. I chose to pay for this service including its stupidly strict rules.  So I will close a question that HAS NOT been resolved because I lack the time to complete it, and thus keep the illusion going that everything in EE is always answered correctly, because there is no way to award Experts for helping other than saying they solved your problem.
 
LVL 14

Author Closing Comment

by:Ben Hart
ID: 40415668
My issue is not resolved, I am closing this question and giving points to McKnife because he was the only one who tried helping.
 
LVL 56

Expert Comment

by:McKnife
ID: 40415709
Hi Ben.

I fully agree with your comment/complaint. Only thing: there are many people who neglect to come back to their questions, and that's why some urging to give feedback/close is being used. Because for helpers it is extremely complicated to remember what that thread is about even after a week or so. Within a week, I participate in maybe 100 questions...
 
LVL 14

Author Comment

by:Ben Hart
ID: 40415727
I've been in the same boat, man.  It's just stupid that I have to choose a solution to a problem that at that time has no solution.  I know the benefits of the rules and the cons very well. Do I know an alternative?  Not really.