Solved

Looking for advice on BitLocker for mobile Windows devices with a domain recovery agent.

Posted on 2014-09-24
148 Views
Last Modified: 2014-10-31
I have a 2008 functional level domain, we'd like to enable BitLocker on all Windows laptops backing up the passwords and recovery info to AD DS, and requiring TPM + PIN.  It'd be awesome if we could push this out via GPO as well.

I've done limited tests with a few VMs and a couple of physical laptops with little success.  Looking for any advice, tips/tricks, etc.

All laptop OSs are Win7 Enterprise, and all hardware has a supporting TPM on-board.
Question by:Ben Hart
22 Comments
 
LVL 53

Expert Comment

by:McKnife
Hi again.

It would be nice to see what you did and what didn't succeed.
The process is documented at Microsoft's TechNet on various sites and I am pretty sure a TPM-based BitLocker "rollout" will run pretty well, though I never did one; I used it on Windows 8.1, and not with TPM but with passwords (which is not possible on 7, by the way).

So please expand the description of the process.
0
 
LVL 14

Author Comment

by:Ben Hart
OK, I don't have the sources of this anymore :(  But what I did was I created a test OU, disabled inheritance, and created a new GPO that made an admin template change for the recovery keys and copied two VBS files to the user's desktop, and I believe it ran them.  I've attached reports of both of the GPOs I created for this.
Enable-BL.htm
Install-net4.5---WMF-4.htm
0
 
LVL 14

Author Comment

by:Ben Hart
McKnife, how was BL rolled out in your env?
0
 
LVL 53

Accepted Solution

by:McKnife (earned 500 total points)
We set the policy to require AD backup of keys before encryption (which in fact enforces automatic key backup) and set the GPO to allow additional startup keys, so a TPM would not be necessary. Then we used a manage-bde.exe script inside our startup script that set a random password and created a .bek file (BitLocker encryption key file) that we could save to a USB key (all users got such a USB key). We handed out the keys to users so they could start the computers on their own. Then they were told to use another script (Metro desktop link) that they should feed their domain password. The script would
A) set this one as the BL password
B) set up autologon using the same password so we could have single sign-on (even though it is faked).

Edit: ah, and we required 256-bit AES using GPOs.
0
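The protector lifecycle McKnife describes, written out as an added example (not McKnife's script and not part of the thread) in PowerShell for Windows 8.1, using manage-bde.exe and the Win32_EncryptableVolume WMI class. The phase names, the USB drive letter and the protector friendly names are assumptions. Step B of the answer (autologon with the same password) is deliberately left out: the Winlogon DefaultPassword registry value stores that password in clear text, so anyone who can read the hive, online or offline, gets the domain password.

```powershell
# Added example, not McKnife's script: the startup-key-then-password protector
# lifecycle from the accepted answer, for a non-TPM OS volume on Windows 8.1.
#   Provision   - run by the startup script (SYSTEM): external key (.bek) written
#                 to the user's USB stick, recovery password escrowed in AD, encrypt.
#   SetPassword - run by the user later: add a password protector the user knows,
#                 then delete the USB protector so the .bek can no longer unlock.
# Assumes the GPO already allows BitLocker without a compatible TPM (password or
# startup key) and requires AD DS backup of recovery information.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Provision', 'SetPassword')][string]$Phase,
    [string]$Drive    = $env:SystemDrive,   # OS volume, e.g. "C:"
    [string]$UsbDrive = 'E:\'               # where the .bek goes; the letter is an assumption
)
$ErrorActionPreference = 'Stop'

# manage-bde signals failure through its exit code; surface it as an exception.
function Invoke-ManageBde([string[]]$ArgList) {
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")"
    }
    return $out
}

# Pull the {GUID} of the first protector of the given type out of 'manage-bde -protectors -get'.
function Get-ProtectorId([string]$Type) {
    $text = (Invoke-ManageBde ('-protectors', '-get', $Drive, '-type', $Type)) -join "`n"
    if ($text -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $Matches[1] }
    throw "No $Type protector found on $Drive"
}

switch ($Phase) {
    'Provision' {
        if (-not (Test-Path $UsbDrive)) { throw "USB drive $UsbDrive not present" }
        # External key: manage-bde writes <GUID>.BEK to the USB root; this is what the user boots with.
        Invoke-ManageBde ('-protectors', '-add', $Drive, '-StartupKey', $UsbDrive) | Out-Null
        # 48-digit recovery password for the helpdesk; escrow it in AD DS before turning encryption on.
        Invoke-ManageBde ('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null
        $recoveryId = Get-ProtectorId 'RecoveryPassword'
        Invoke-ManageBde ('-protectors', '-adbackup', $Drive, '-id', $recoveryId) | Out-Null
        # Cipher (e.g. AES-256) comes from the GPO, as in the answer; encryption starts after the reboot/hardware test.
        Invoke-ManageBde ('-on', $Drive)
    }
    'SetPassword' {
        # Collect the password without echoing it; the WMI method needs it in clear,
        # so convert it as late as possible and free the BSTR right away.
        $secure = Read-Host 'Password to unlock this PC at startup' -AsSecureString
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

        $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
        # ProtectKeyWithPassphrase exists from Windows 8 on, which is why the answer says "not possible on 7".
        $r = $vol.ProtectKeyWithPassphrase('Startup password', $plain)
        $plain = $null
        if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithPassphrase failed: 0x{0:X8}' -f $r.ReturnValue) }

        # Only after the password protector exists, drop the external key so a
        # USB stick left plugged in no longer unlocks the disk (the answer's "destroy the usb protector").
        Invoke-ManageBde ('-protectors', '-delete', $Drive, '-type', 'ExternalKey') | Out-Null
        Write-Host "Password protector $($r.VolumeKeyProtectorID) added; USB protector removed."
    }
}
```

Order matters in the second phase: the password protector is added before the external key is deleted, so the volume never sits with only the recovery password as an unlock path. If the user later changes the domain password, the BitLocker password does not follow; that is the price of reusing one secret for both, and `manage-bde -changepassword` is the user-facing fix.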
 
LVL 14

Author Comment

by:Ben Hart
What do you do if a user loses their USB key?  They have to have the key plugged in at boot, correct?
0
 
LVL 53

Expert Comment

by:McKnife
No, I forgot to mention, the script they initially used to set a password would destroy the USB protector, so they could no longer use it. We would not like to see the keys being left plugged in...
0
 
LVL 14

Author Comment

by:Ben Hart
Here are the two VB script files I've got that are supposed to enable BitLocker and TPM.
EnableBitLocker.vbs
enable-bitlocker-notebook.vbs
0
 
LVL 53

Expert Comment

by:McKnife
If they are from MS, they should of course work... please let us know the complete output.
0
 
LVL 53

Expert Comment

by:McKnife
Tomorrow I might be able to give you a solution. We have just acquired a single laptop that needs BL with TPM.
0
 
LVL 14

Author Comment

by:Ben Hart
Sweet! I look forward to it.
0
 
LVL 53

Expert Comment

by:McKnife
Funny... that TPM just didn't want to play with me today. But that had nothing to do with scripting abilities or even scripting at all. I had to disable it altogether in order to use BitLocker. With the TPM activated and prepared, I got "The system cannot find the file specified" - whatever file that should be.

So I am sorry, but I cannot try it today, maybe in a few weeks again. I would like to try it, but in virtual test environments I can't, because those still cannot emulate a TPM chip.
0
 
LVL 14

Author Comment

by:Ben Hart
The VMs I will use to test are on my desktop, an HP Z230 which has a TPM on-board.  Would you mind shooting me your scripts for comparison?
0
 
LVL 53

Expert Comment

by:McKnife
Like I said, VMs cannot use TPM chips.
I have no scripts for tpm setups.
0
 
LVL 14

Author Comment

by:Ben Hart
Hmm, that's unfortunate.  I do not want to manage a barrage of USB keys, nor smartcards.  I assumed TPM + PIN would be the easiest for the users to handle.
0
 
LVL 53

Expert Comment

by:McKnife
Yes, it is.
So please look into either simple scripting (manage-bde.exe) or let that script you already have log its errors to a file so we can discuss them.
0
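An added example of what that scripting could look like for the setup in the question (TPM + PIN, recovery info escrowed in AD DS, Windows 7 Enterprise). It is not a script from the thread, from Microsoft, or from either poster: PowerShell using the Win32_Tpm and Win32_EncryptableVolume WMI classes plus manage-bde.exe, with every step's result written to a log file as McKnife suggests. The log path, the protector friendly names, the way the initial PIN is supplied and the generated TPM owner password are assumptions; the cipher and the "require AD backup before encryption" behaviour are left to the GPO.

```powershell
# Added example (not from the thread): provision BitLocker on the OS volume with
# TPM+PIN, add a numerical recovery password, escrow it in AD DS, then encrypt.
# Written for Windows 7 Enterprise / PowerShell 2.0, run elevated (for instance
# as a GPO startup or scheduled task). The BitLocker GPO is assumed to require
# AD DS backup of recovery information and to set the cipher (e.g. AES-256).
# Usage:  powershell.exe -ExecutionPolicy Bypass -File Enable-BitLockerTpmPin.ps1 -Pin 84726153
param(
    [Parameter(Mandatory=$true)][string]$Pin,            # initial numeric PIN, 4-20 digits by default policy
    [string]$Drive  = $env:SystemDrive,                  # OS volume, e.g. "C:"
    [string]$LogDir = "$env:ProgramData\BitLockerRollout" # log location is an assumption
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$Log = Join-Path $LogDir 'enable-bitlocker.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')  $Message" | Out-File -FilePath $Log -Append
}

# Every Win32_EncryptableVolume method returns an object whose ReturnValue is 0 on success.
function Assert-Ok($Result, [string]$What) {
    if ($Result.ReturnValue -ne 0) {
        $code = '0x{0:X8}' -f $Result.ReturnValue
        Write-Log "FAILED $What : $code"
        throw "$What failed with $code"
    }
    Write-Log "OK $What"
}

try {
    # 1. The TPM must be enabled and activated in firmware; take ownership if nobody has.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm)                      { throw 'No TPM found (or the TPM service is unavailable)' }
    if (-not $tpm.IsEnabled().IsEnabled)     { throw 'TPM is disabled in firmware' }
    if (-not $tpm.IsActivated().IsActivated) { throw 'TPM is not activated in firmware' }
    if (-not $tpm.IsOwned().IsOwned) {
        # manage-bde prompts for an owner password unless one is given; generate one so the
        # step is non-interactive. The owner auth is not needed for day-to-day BitLocker use.
        $ownerPw = [Guid]::NewGuid().ToString('N').Substring(0, 20)
        & manage-bde -tpm -takeownership $ownerPw | Out-File -FilePath $Log -Append
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -tpm -takeownership exited $LASTEXITCODE" }
        Write-Log 'OK TPM ownership taken'
    }

    # 2. Locate the OS volume and skip machines where BitLocker is already on or in progress.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if ($null -eq $vol) { throw "Volume $Drive not found" }
    # ConversionStatus 0 = fully decrypted; anything else means BitLocker already touched this volume.
    if ($vol.GetConversionStatus().ConversionStatus -ne 0) {
        Write-Log "Volume $Drive already encrypted or in progress, nothing to do"
        return
    }

    # 3. Key protectors: TPM+PIN unlocks at boot, the 48-digit numerical password is for recovery.
    #    $null for PlatformValidationProfile keeps the default PCR set from policy.
    Assert-Ok ($vol.ProtectKeyWithTPMAndPIN('TPM+PIN', $null, $Pin)) 'ProtectKeyWithTPMAndPIN'
    $r = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)  # $null = let BitLocker generate it
    Assert-Ok $r 'ProtectKeyWithNumericalPassword'
    $recoveryId = $r.VolumeKeyProtectorID

    # 4. Escrow the recovery protector in AD DS before encryption starts; fail hard if the DC is unreachable,
    #    which is the same outcome the "require AD backup" policy enforces.
    Assert-Ok ($vol.BackupRecoveryInformationToActiveDirectory($recoveryId)) "AD backup of $recoveryId"

    # 5. Turn BitLocker on. The cipher comes from the GPO; on an OS volume manage-bde schedules a
    #    hardware test and encryption begins after the next restart.
    & manage-bde -on $Drive | Out-File -FilePath $Log -Append
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive exited $LASTEXITCODE" }
    Write-Log "Encryption enabled on $Drive; recovery protector $recoveryId escrowed in AD"
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Two practical points follow from the code. A GPO startup script runs as SYSTEM with nobody at the keyboard, so the initial PIN has to be seeded by the script (per machine, handed to the user out of band) and replaced by the user with `manage-bde -changepin C:` on first logon; on Windows 7 the PIN is digits only unless the "Allow enhanced PINs for startup" policy is enabled. And if the AD backup step fails (laptop off the corporate network, DC unreachable), the script stops before `-on`, which is exactly the failure you want to see in the log rather than an encrypted disk with no escrowed recovery password.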
 
LVL 14

Author Comment

by:Ben Hart
I'm posting here to keep my question active while I test a couple things out on this script.
0
 
LVL 14

Author Comment

by:Ben Hart
McKnife, what OS are your clients running? What functional level is your domain? And are you backing up BitLocker info to DS?
0
 
LVL 53

Expert Comment

by:McKnife
OS: Windows 8.1 Pro
Functional level: 2008
Backup to AD: yes
0
 
LVL 14

Author Comment

by:Ben Hart
OK, first off my apologies for letting this expire like it did.  Is my issue resolved?  No, not even close.  But due to the extreme clean-up efforts at EE I am forced to do something with this question.  I do not and have never agreed with how stringently admins push for question closure, as if all posters here have nothing to do at work but sit here and closely monitor a question until its completion.  Which in my experience can take weeks.

But whatever. I chose to pay for this service, including its stupidly strict rules.  So I will close a question that HAS NOT been resolved because I lack the time to complete it, and thus keep the illusion going that everything in EE is always answered correctly, because there is no way to award Experts for helping other than saying they solved your problem.
0
 
LVL 14

Author Closing Comment

by:Ben Hart
My issue is not resolved, I am closing this question and giving points to McKnife because he was the only one who tried helping.
0
 
LVL 53

Expert Comment

by:McKnife
Hi Ben.

I fully agree with your comment/complaint. Only thing: there are many people who neglect to come back to their questions, and that's why some urging to give feedback/close is applied. Because for helpers it is extremely complicated to remember what a thread is about even after a week or so. Within a week, I participate in maybe 100 questions...
0
 
LVL 14

Author Comment

by:Ben Hart
I've been in the same boat, man.  It's just stupid that I have to choose a solution to a problem that at that time has no solution.  I know the benefits of the rules and the cons very well. Do I know an alternative?  Not really.
0
