In part 1 and part 2, I talked about the requirements for Bitlocker and walked you through how to extend your Active Directory schema if you run Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 domain controllers. We then set the permissions so that a Windows 7 machine was able to write its own TPM owner password to Active Directory.
Today we are going to put the configuration made in parts 1 and 2 to the test and enable Bitlocker on a Windows 7 machine. Then we are going to install the Bitlocker Recovery Password Viewer for Active Directory tool and use it to find the recovery password for the machine. We are going to conclude this series by finding the hash of the TPM Owner password, which is also stored in Active Directory if you followed the steps in part 2 of this guide, and using it to change the actual TPM Owner password.
But before we start let’s quickly run through what could trigger a Bitlocker recovery:
- An attacker has modified your computer. This is applicable for a computer with a TPM because the TPM checks the integrity of boot components during startup.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading to a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Upgrading critical early boot components that cause the TPM to fail validation.
- Forgetting the PIN when PIN authentication is enabled.
- Losing the pluggable USB flash drive that contains the startup key, when startup key authentication is enabled.
BitLocker Recovery Password Viewer for Active Directory
The BitLocker Recovery Password Viewer helps to locate BitLocker Drive Encryption recovery passwords for computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008 in Active Directory Domain Services (AD DS). This tool is now part of Remote Server Administration Tools (RSAT) for Windows 7.
If you are running any of the following operating systems: Windows Server 2008, Windows Vista Enterprise, Windows Vista Enterprise 64-bit edition, Windows Vista Service Pack 1, Windows Vista Ultimate, Windows Vista Ultimate 64-bit edition, you will need to download the BitLocker Recovery Password Viewer from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=2786fde9-5986-4ed6-8fe4-f88e2492a5bd&displaylang=en
This tool lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers snap-in. Using this tool, you can examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.
Important
Before this tool will work within a domain, a member of the Enterprise Admins group must install and register BdeAducExt.dll in AD DS. Server Manager in Windows Server 2008 R2 attempts to do this registration automatically when the tool is first installed, but if it is being installed under an account that does not have permission to register DLLs with AD DS, an error is presented at the end of the feature installation advising the user to have an enterprise admin run regsvr32.exe BdeAducExt.dll. If the installation is done using RSAT instead of Server Manager and the tool hasn't previously been registered in AD DS, a member of the Enterprise Admins group is required to run regsvr32.exe BdeAducExt.dll to register the DLL before the tool can be used, as RSAT does not automatically register the DLL.
You must be a domain admin or have been delegated the required permissions in order to view the Bitlocker Recovery password and the TPM Owner password hash in Active Directory.
Enabling the Bitlocker Recovery Password Viewer in Windows Server 2008 R2
1. Open Start, All Programs, Administrative Tools, and Server Manager
2. Select the Features node and click Add Features
3. On the Select Features page, scroll down to the Remote Server Administration Tools node and expand it. Then expand Feature Administration Tools and Bitlocker Drive Encryption Administration Tools. Then select Bitlocker Recovery Password Viewer and click Next
4. On the Confirm Installation Selections page, click Install
5. On the Installation Results page, click Close and then close Server Manager
Enabling the Bitlocker Recovery Password Viewer in Windows 7
1. Click Start, type programs, and then press ENTER
2. In the Uninstall or change a program window, click on Turn Windows features on or off
3. On the Turn Windows features on or off page, expand Remote Server Administration Tools and Feature Administration Tools. Select Bitlocker Password Recovery Viewer (1).
4. If you have already enabled AD DS Snap-ins and Command-line Tools, now click OK. Otherwise expand Role Administration Tools, AD DS and AD LDS Tools, AD DS Tools and then select AD DS Snap-ins and Command-line Tools. Then click OK.
Manually enabling Bitlocker on a Windows 7 machine
1. Click Start and type cmd. In the Start menu window right-click cmd and select Run as administrator
2. In the command-line box, type manage-bde -on C: -rp. Note that the recovery password is shown in the screen shot below. This password will be backed up to Active Directory as well.
3. You will get a notification that tells you that encryption will begin after you restart your computer. The reason for the restart is that the machine will test if it is able to read the Bitlocker Startup key from the TPM.
4. Restart your computer and log on again. The initial Bitlocker encryption will begin and could take hours depending on the size of your partition and the speed of your hardware. As a rule of thumb it will take approximately 2 minutes per GB, so a 50 GB partition will take around two hours to encrypt.
5. When the encryption is completed you will get a message stating just that.
6. Check the encryption status of your "newly" Bitlocker encrypted partition by typing: manage-bde -status. The screen shot below shows that Volume C: is Fully Encrypted
Finding the Bitlocker Recovery Password in Active Directory
When you start the computer to the BitLocker Recovery screen, Windows 7 gives you a drive label and a password ID (as shown below highlighted with colours). You can use this information together with the BitLocker Recovery Password Viewer tool to locate the matching BitLocker recovery password that is stored in AD DS.
Finding the Bitlocker Recovery Password in Active Directory can be done in two ways. You can go directly to the OU where the machine account is located or you can search for the Bitlocker Recovery Password.
Method 1: Directly from the machine account
1. On a computer where Active Directory Users and Computers and the Bitlocker Recovery Password Viewer snap-ins are installed, click on Start, Administrative Tools, Active Directory Users and Computers (ADUC).
2. In the Active Directory Users and Computers snap-in, expand the OU where the computer you want to recover the Bitlocker Password for is located. Right-click the machine account and select Properties. In the Properties window, click on the Bitlocker Recovery tab.
3. The 48-digit Bitlocker Recovery Password (1) is now shown under Details. If you look further down under Details you will see the Password ID (2). You should verify that the Password ID matches the one shown on the BitLocker Recovery screen when you boot your machine.
Method 2: Search for the Bitlocker Recovery Password in Active Directory using the Password ID:
1. On a computer where Active Directory Users and Computers and the Bitlocker Recovery Password Viewer snap-ins are installed, click on Start, Administrative Tools, Active Directory Users and Computers (ADUC).
2. In the Active Directory Users and Computers snap-in, right-click the domain name, e.g. petfood.local, and select Find Bitlocker Recovery Password
3. In the Find Bitlocker Recovery Password window, type the first 8 characters of the Password ID, e.g. 5D0C7667, shown on the BitLocker Recovery screen when you boot your machine and then click Search
4. The 48-digit Bitlocker Recovery Password is now shown under Details. If you look further down under Details you will see the Password ID. You should verify that the Password ID matches the one shown on the BitLocker Recovery screen when you boot your machine.
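The same lookup as both methods above, done from PowerShell against AD DS instead of through the snap-in. This is an added example, not code from the article; it assumes the System.DirectoryServices classes that ship with Windows 7 / 2008 R2 and reuses the article's sample computer name WIN7BT and Password ID prefix 5D0C7667. The -ComputerName form doubles as a check, after the manual manage-bde steps, that the recovery password actually reached Active Directory.

```powershell
# Added example, not code from the article. Uses System.DirectoryServices, which
# ships with Windows 7 / 2008 R2, so neither RSAT nor the AD PowerShell module is needed.
# Assumes the running account was delegated read access to the recovery objects (part 2).
# WIN7BT and 5D0C7667 are the article's sample computer name and Password ID prefix.

function Get-BitLockerRecoveryInfo {
    param(
        [string]$PasswordIdPrefix,  # first 8 characters of the Password ID on the recovery screen
        [string]$ComputerName       # optional: only return objects stored under this computer account
    )
    # Recovery objects are children of the computer object. Their CN has the form
    # "<timestamp>{<Password ID GUID>}", so the prefix can be matched with an LDAP wildcard.
    $filter = '(objectClass=msFVE-RecoveryInformation)'
    if ($PasswordIdPrefix) { $filter += "(cn=*{$PasswordIdPrefix*)" }

    # Searches the current domain only; the GUI tool can search every domain in the forest.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($ComputerName) {
        $cs = New-Object System.DirectoryServices.DirectorySearcher
        $cs.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
        $computer = $cs.FindOne()
        if (-not $computer) { throw "Computer account '$ComputerName' not found in AD DS" }
        $searcher.SearchRoot = $computer.GetDirectoryEntry()   # limit the subtree to that machine
    }
    $searcher.Filter = "(&$filter)"
    $searcher.PropertiesToLoad.AddRange(@('cn', 'msFVE-RecoveryPassword', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $cn = [string]$r.Properties['cn'][0]
        $dn = [string]$r.Properties['distinguishedname'][0]
        New-Object PSObject -Property @{
            Computer         = (($dn -split ',')[1] -replace '^CN=', '')  # parent object is the machine
            Created          = $cn.Substring(0, $cn.IndexOf('{'))
            PasswordId       = $cn.Substring($cn.IndexOf('{'))            # compare with the recovery screen
            RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
        }
    }
}

# Method 2 equivalent: search the domain by Password ID prefix.
Get-BitLockerRecoveryInfo -PasswordIdPrefix '5D0C7667' | Format-List
# Method 1 equivalent, and a check that manage-bde -on really backed the password up:
Get-BitLockerRecoveryInfo -ComputerName 'WIN7BT' | Format-List
```

Always compare the PasswordId column with the ID on the recovery screen before typing a password; a machine that has been encrypted more than once has several recovery objects.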
Using the Bitlocker Recovery Password
1. On the BitLocker Recovery screen, type in the 48-digit recovery password using the function keys. When you type the last digit, and provided that you typed the correct password, the computer will automatically continue the boot sequence and boot into the Windows 7 operating system.
Note: The F1 through F10 keys are universally mapped scancodes available in the pre-operating-system environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-operating system environment on all keyboards.
How to recover the TPM Owner password (hash)
In part 1 of this series I briefly mentioned that Configuration Manager 2007 and MDT 2010 create a random TPM Owner password as part of enabling Bitlocker. By design, a hash of the TPM Owner password is saved in Active Directory and not the actual TPM Owner password itself.
I would strongly recommend that you back up your TPM Owner password even though it is not required. Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
If you need to make changes using the TPM snap-in, you must enter the TPM Owner password. If you do not know the password, your only other option is to clear the TPM, and you would "lose" all configuration data in the TPM.
1. On a computer where Active Directory Users and Computers snap-in is installed, click on Start, Administrative Tools, Active Directory Users and Computers (ADUC).
2. In the top menu of the Active Directory Users and Computers snap-in, click View and then click on Advanced Features in the drop-down menu
3. In the ADUC snap-in, click the OU where the machine you wish to recover the TPM Owner password for is located.
4. Right-click the machine you wish to recover the TPM Owner password for, and select Properties
5. In the ComputerName Properties window, e.g. WIN7BT, click on the Attribute Editor tab
6. Still in the ComputerName Properties window, e.g. WIN7BT, on the Attribute Editor tab, scroll down and find the msTPM-OwnerInformation attribute
7. Open Notepad and copy/paste the following code:
<?xml version="1.0" encoding="UTF-8"?>
<ownerAuth></ownerAuth>
8. Minimize Notepad and maximize ADUC
9. Back in the ComputerName Properties window, e.g. WIN7BT, on the Attribute Editor tab with the msTPM-OwnerInformation attribute selected, click Edit
10. In the String Attribute Editor window, right-click the highlighted data and select Copy
Note: The data in the Value field is the hash of the TPM Owner password
11. Maximize Notepad and paste the hash of the TPM Owner password between the <ownerAuth> and </ownerAuth> tags
12. Still in Notepad, click on File and select Save As
13. In the Save As dialog box, select All Files as the Save as type
14. In the File name field, type a name for the file, e.g. win7bt.tpm (remember to use the .tpm extension), and then click Save
15. Copy the Name.tpm file to the computer where you want to change the TPM Owner password and you do not know the old one.
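Steps 1 to 15 above, automated: an added example (not from the article) that reads msTPM-OwnerInformation from the computer object and writes the .tpm file in the same layout you would otherwise build in Notepad. It assumes the same read access to the computer object as the manual steps and uses the article's sample names WIN7BT and win7bt.tpm.

```powershell
# Added example, not code from the article. Reads the msTPM-OwnerInformation attribute
# with System.DirectoryServices (built into Windows 7 / 2008 R2) and writes the
# <ownerAuth> file that tpm.msc accepts under "I have the owner password file".
# WIN7BT and win7bt.tpm are the article's sample names; substitute your own.

function Export-TpmOwnerAuthFile {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Path
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.Add('msTPM-OwnerInformation') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found in AD DS" }

    $props = $result.Properties
    if (-not $props.Contains('mstpm-ownerinformation') -or $props['mstpm-ownerinformation'].Count -eq 0) {
        # Either the owner password was never backed up (policy not applied before the TPM
        # was taken over) or this account cannot read the attribute; both look the same here.
        throw "msTPM-OwnerInformation is empty or not readable for '$ComputerName'"
    }
    $ownerAuth = ([string]$props['mstpm-ownerinformation'][0]).Trim()

    # The stored value is the SHA-1 hash of the owner password, base64 encoded (28 characters).
    # Anything else usually means the attribute was edited by hand, so warn before writing.
    if ($ownerAuth -notmatch '^[A-Za-z0-9+/]{27}=$') {
        Write-Warning "Unexpected msTPM-OwnerInformation format: '$ownerAuth'"
    }

    # Same two lines the article has you type in Notepad. Written as UTF-8 without a BOM so
    # the file's encoding matches its XML declaration.
    $xml = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$ownerAuth</ownerAuth>`r`n"
    $utf8NoBom = New-Object System.Text.UTF8Encoding -ArgumentList $false
    [System.IO.File]::WriteAllText($Path, $xml, $utf8NoBom)
    Get-Item $Path
}

Export-TpmOwnerAuthFile -ComputerName 'WIN7BT' -Path 'C:\temp\win7bt.tpm'
```

Copy the resulting file to the Windows 7 machine and continue with the tpm.msc steps in the next section.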
Using the TPM Owner password hash file on a Windows 7 machine
The following must be carried out on the Windows 7 machine where you want to change the TPM Owner password but do not know the old one.
1. Click Start and type tpm.msc. In the Start menu window right-click tpm and select Run as administrator
2. In the Trusted Platform Module snap-in, select Change Owner Password under Actions
3. On the Change TPM owner password page, select I have the owner password file
4. On the Select file with the TPM owner password page, click Browse
5. Browse for the Name.tpm file you created in Notepad and click Open
6. Back on the Select file with the TPM owner password page, ensure that Name.tpm file is listed and click Create New Password
7. On the Create the TPM owner password page, select Manually create the password
Note: normally you would select the Automatically create the password (recommended) option and ensure that the hash of the TPM owner password is backed up to Active Directory.
8. On the Create the TPM owner password page, enter your new TPM Owner password two times and click on Change Password
Note: If you haven't enabled backup of your TPM Owner password to Active Directory, you must save/print the password in case you need it later on
9. On the Password change completed page, click Close
10. To verify that the new TPM Owner password has been backed up successfully in Active Directory, use the Attribute Editor in ADUC as shown earlier under the How to recover the TPM Owner password (hash) section.
If you compare the new TPM Owner hash with the old one, you can see that it has changed, because the Group Policy settings we configured earlier require backup of the TPM Owner password.
That's it: you should now have a good starting point for implementing Bitlocker in your environment. But remember to test, test and test before you implement it in production.
Excellent article!!
Dear sir, most respectfully, I have lost my Bitlocker recovery key and password. I have used Bitlocker for the first time and I have no idea how to use and save the recovery key, and the drive on which the recovery key has been saved is to be formatted. So please, do you have any solution to recover this key? My data is so important. I shall be thankful to you if you have any solution for this.