Implementieren von BitLocker auf der Domäne verbundene Windows 10-Clients

Scenario

Sie haben einen domänenverbundenen Windows 10-Client-Computer. Es ist geplant die Vorteile von BitLocker zu nutzen, um den Inhalt von Datenträgern auf dem lokalen Computer zu schützen.

HINWEIS

Aufgeführte Anleitung ist eine Leitfaden für Labor Umgebungen - Englische sprache!

Lab setup

Geschätzte Zeit: 45 Minuten

The lab consists of the following computers:

  • LON-DC1 – a Windows Server 2016 domain controller in the adatum.com single-domain forest. You will use it to host a Certification Authority.
  • LON-CL1 – a Windows 10 Pro or Enterprise version 1709 (or newer) domain member computer with Remote Server Administration Tools for Windows 10. LON-CL1 should have two extra volumes (not mounted, with 1 GB of disk space each).

All computers have Windows PowerShell Remoting enabled

Note: In order to take full advantage of BitLocker, your computers must have a Trusted Platform Module (TPM) 1.2 or later as well as Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. It is, however, possible to encrypt both the operating system and data volumes on Windows 10 computers with BitLocker without TPM support. When BitLocker encryption is enabled on the operating system volume of computers without TPM 1.2 or newer, in order to successfully restart such systems or resume them from hibernation, you have to either insert a USB device containing the BitLocker startup key or, starting with Windows 8, specify the volume specific password from the console. In either case, however, the startup process does not assure integrity of operating system startup components and does not offer multi-factor authentication (which would be otherwise delivered by TPM). Considering that the lab environment does not include TPM support and does not provide direct console access, we will focus on the BitLocker features applicable to Windows 10 non-operating system volumes in an Active Directory domain environment.

Note: Remote Server Administration Tools for Windows 10 include BitLocker-related management utilities, including the following:

  • BitLocker Recovery Password Viewer – this is an extension to Active Directory Users and Computers MMC snap-in, which allows you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS).
  • BitLocker Drive Encryption Tools – this is a collection of BitLocker-specific command-line tools, including manage-bde and repair-bde, as well as the BitLocker cmdlets for Windows PowerShell.

Exercise 1: Encrypt non-operating system volumes by using BitLocker

In this exercise, you will encrypt two non-operating system volumes by using BitLocker. The main tasks for this exercise are as follows:

  1. Encrypt non-operating system volumes by using BitLocker with the Password protector.
  2. Encrypt non-operating system volumes by using BitLocker with the AD Account or Group protector.
  3. Remove a BitLocker protector.
  4. Remove BitLocker encryption

Task 1: Encrypt non-operating system volumes by using BitLocker with the Password protector.

  1. Sign to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
  • Username: ADATUM\Administrator
  • Password: Pa55w.rd
  1. While signed in to LON-CL1 as ADATUM\Administrator, from the Administrator: Windows PowerShell ISE console pane, run the following:
$securePassword = ConvertTo-SecureString 'Pa55w.rd123' –AsPlainText -Force
Enable-BitLocker –MountPoint 'G:' –PasswordProtector –Password $securePassword –UsedSpaceOnly

Note: The use of the –UsedSpaceOnly parameter is required for thin-provisioned volumes, like the ones set up on the lab VM. In addition, this causes the encryption to complete much faster on volumes with small amount of used disk space. However, you should avoid using this parameter on volumes that contain deleted files, which recovery via disk recovery tools you want to prevent.

  1. To confirm that the volume is fully encrypted, from the Administrator: Windows PowerShell ISE console pane, run the following:
Get-BitLockerVolume –MountPoint 'G:'
  1. Verify that the VolumeStatus column displays FullyEncrypted.
  2. Open File Explorer, click This PC and note that the Disk1 (G:) icon includes an open pad lock.
  3. Switch to the Administrator: Windows PowerShell ISE console pane and run the following:
$disk = Get-Disk | Where-Object {$_.Number -eq 2}
$disk | Set-Disk -IsOffline $true
  1. This will take offline the Disk1 hosting the G: drive. Now, bring it back online by running the following:
$disk | Set-Disk -IsOffline $false
  1. Switch to the File Explorer and note that the G: drive icon included a locked pad lock.

Note: This is expected, since G: drive is encrypted with BitLocker, so if you bring it online, you need to unlock it by providing the protector key.

  1. To unlock the G: drive, from the Administrator: Windows PowerShell ISE console pane, run the following:
Unlock-BitLocker -MountPoint 'G:' -Password $securePassword
  1. Switch to the File Explorer window and verify that you can access G: drive.

Task 2: Encrypt the volume G: by using BitLocker with AD Account or Group Protector.

  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
Enable-BitLocker –MountPoint 'G:' –AdAccountOrGroupProtector –AdAccountOrGroup 'ADATUM\Domain Admins'

Note: This adds another protector to the existing BitLocker encrypted volume. As the result, you can unlock it by using either the password or by simply ensuring that you are signed in with the account that is a member of the Active Directory domain group you specified. You can also associate the protector directly with an individual Active Directory domain user account, rather than an Active Directory domain group.

  1. Note that the KeyProtector column in the output of the Enable-BitLocker command includes now two protectors.
  2. Now, take the Disk1 hosting the G: drive offline again, by running the following from the Administrator: Windows PowerShell ISE console pane:
$disk | Set-Disk -IsOffline $true
  1. Next, bring it back online by running the following:
$disk | Set-Disk -IsOffline $false

Note: Note that, this time, the volume becomes automatically unlocked, since you are signed in with the ADATUM\Administrator account, which is a member of ADATUM\Domain Admins, specified when assigning the AD Account or Group protector. This is expected, since G: drive is encrypted with BitLocker, so if you bring it online, you need to unlock it by providing the protector key.

Task 3: Remove a BitLocker Protector.

  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
(Get-BitLockerVolume –MountPoint 'G:').KeyProtector

Note: This displays the current protectors assigned to the G: volume.

  1. To remove the Password protector, while leaving the volume encrypted and the AD Account or Group protector in place, run the following from the Administrator: Windows PowerShell ISE console pane:
$passwordProtector = (Get-BitLockerVolume –MountPoint 'G:').KeyProtector | Where-Object {$_.KeyProtectortype –eq 'Password'}
Remove-BitLockerKeyProtector –MountPoint 'G:' –KeyProtectorId $passwordProtector.KeyProtectorId

Note: Note that, in the output of the Remove-BitLockerKeyProtector cmdlet, the VolumeStatus column displays FullyEncrypted and the KeyProtector column displays {AdAccountOrGroup}. AD Account or Group protector must be used in combination with another protector (such as TPM, PIN, or recovery key) when applied to the operating system drives. However, as you can see, you can use it as a sole protector for data volumes. This capability facilitates scenarios in which you want to use BitLocker to encrypt cluster volumes on Windows Server Failover Clusters. In such cases, you would assign the AD Account or Group protector to the Cluster Name Object (CNO) account.

  1. Now, take the Disk1 hosting the G: drive offline again, by running the following from the Administrator: Windows PowerShell ISE console pane:
$disk | Set-Disk -IsOffline $true
  1. Next, bring it back online by running the following:
$disk | Set-Disk -IsOffline $false
  1. Note that, this time as well, the volume becomes automatically unlocked, since you are still relying on the AD Account or Group protector.

Task 4: Remove BitLocker encryption.

  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
Disable-BitLocker –MountPoint 'G:'

Note: This will display the current BitLocker status of the G: volume, which should be initially DecryptionInProgress

  1. To confirm that the volume is fully decrypted, from the Administrator: Windows PowerShell ISE console pane, run the following:
Get-BitLockerVolume –MountPoint 'G:'

Result: After completing this exercise, you will have encrypted a data volume by using BitLocker with the Password and AD Account or Group protection, removed the Password protector, and removed BitLocker encryption from the data volume.

Exercise 2: Recovering access to BitLocker-encrypted volumes

In this exercise, you will explore different options for recovering access to BitLocker encrypted volumes The main tasks for this exercise are as follows:

  1. Encrypt a BitLocker volume with the Password protector and a recovery key.
  2. Recover access to a BitLocker-encrypted volume by using its recovery key.
  3. Enable storing BitLocker recovery information in Active Directory.
  4. Generate a BitLocker recovery password, store it in Active Directory, and use it to access encrypted volume.

Task 1: Encrypt a BitLocker volume with the Password protector and with a recovery key

  1. On LON-CL1, from the Administrator: Windows PowerShell ISE script pane, run the following (F:\Labfiles\Scripts\Lab2Ex2Task1-01.ps1):
$securePassword = ConvertTo-SecureString 'Pa55w.rd123' –AsPlainText -Force
Enable-BitLocker –MountPoint 'H:' –PasswordProtector `
 			–Password $securePassword –UsedSpaceOnly
Enable-BitLocker –MountPoint 'H:' –RecoveryKeyPath 'C:\Recovery\' `
 			-RecoveryKeyProtector

Note: This encrypts the volume H: with the Password protector and, in addition, creates a recovery key and stores it in the C:\Recovery hidden folder

  1. To confirm that the volume is fully encrypted, from the Administrator: Windows PowerShell ISE console pane, run the following:
Get-BitLockerVolume –MountPoint 'H:'
  1. Note that the KeyProtector column displays Password, ExternalKey.
  2. To confirm that the recovery key actually exists, from the Administrator: Windows PowerShell ISE console pane, run the following:
Get-ChildItem –Path 'C:\Recovery' –Recurse –File -Force

Note: This will list the .BEK file in the C:\Recovery folder.

Task 2: Recover access to a BitLocker-encrypted volume by using its recovery key.

  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
$disk = (Get-Disk | Where-Object {$_.Number -eq 3})
$disk | Set-Disk -IsOffline $true
  1. This will take offline in the Disk2 hosting the H: drive. Now, bring it back online by running the following:
$disk | Set-Disk -IsOffline $false
  1. This will mount the H: drive but leave it locked.

Note: This is expected, since H: drive is encrypted with BitLocker, so if you bring it online, you need to unlock it by providing either the protector key or the recovery key.

  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
$externalKey = (Get-ChildItem –Path 'C:\\Recovery' –Recurse –File –Force)[0]
  1. From the Administrator: Windows PowerShell ISE console pane, run the following:
Unlock-BitLocker -MountPoint 'H:' –RecoveryKeyPath "$($externalKey.DirectoryName)\$($externalKey.Name)"

Note: This will unlock the volume H: by using the recovery key, rather than the password. This provides an alternative way to unlock an encrypted volume, in case you forget the password. Obviously you should protect access to the .BEK file just as you would want to make sure that your password is known only to those who are authorized to unlock the volume.

Task 3: Enable storing BitLocker recovery information in Active Directory.

  1. On LON-CL1, start Group Policy Management.
  2. In the Group Policy Management console, create a new GPO with the following settings:
  • Name: BitLocker Policy
  • Linked to: Adatum.com
  • Applied to: Authenticated Users
  1. Open the BitLocker Policy GPO in Group Policy Management Editor and navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption.
  2. Configure the Store BitLocker recovery information in Active Directory Domain Services setting by enabling Store BitLocker recovery information in Active Directory Domain Services option.

Note: With the default settings, BitLocker backup to AD DS is required and it includes Recovery password and key packages.

  1. In Group Policy Management Editor, navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption->Fixed Data Drives.
  2. Configure the Choose how BitLocker-protected fixed drives can be recovered setting by assigning the default value to the Choose how BitLocker-protected fixed drives can be recovered option.

Note: With the default settings, BitLocker recovery information to AD DS includes recovery passwords and key packages.

  1. From the Administrator: Windows PowerShell ISE console pane, apply the Group Policy update to LON-CL1 and LON-DC1

Task 4: Generate a BitLocker recovery password, store it in Active Directory, and use it to access encrypted volume.

  1. While logged on to LON-CL1 as ADATUM\Administrator, from the Administrator: Windows PowerShell ISE console pane run the following:
Get-BitLockerVolume –MountPoint 'H:' | Enable-BitLocker -RecoveryPasswordProtector

Note: This will display the output listing the 48-character recovery password. Typically, you would copy this password to a file and store it in a secure location. You can still do this, but, in this task, you will leverage the functionality you configured in the previous task, which stores this password in Active Directory.

  1. From the Administrator: Windows PowerShell ISE script pane, run the following (F:\Labfiles\Scripts\Lab2Ex2Task4-01.ps1):
$recoveryPasswordProtector = (Get-BitLockerVolume –MountPoint 'H:').KeyProtector | Where-Object {$_.KeyProtectorType –eq 'RecoveryPassword'}
Backup-BitLockerKeyProtector –MountPoint 'H:' –KeyProtectorId $recoveryPasswordProtector.KeyProtectorId

Note: This step is necessary since we enabled BitLocker prior to enabling BitLocker-specific Group Policy settings in task 3 of this exercise. Once these settings are in place, the recovery information is being automatically backed up to Active Directory when you enable BitLocker encryption on domain member computers.

  1. Take offline the Disk2 hosting the H: drive by running the following from the Administrator: Windows PowerShell ISE console pane:
$disk | Set-Disk -IsOffline $true
  1. Now, bring it back online by running the following from the Administrator: Windows PowerShell ISE console pane:
$disk | Set-Disk -IsOffline $false
  1. This will mount drive H: but leave it locked.

Note: This is expected, since H: drive is encrypted with BitLocker, so if you bring it online, you need to unlock it by providing either the password protector or the recovery password.

  1. On LON-CL1, start Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console, navigate to the LON-CL1 computer object and examine its BitLocker Recovery properties.
  3. Copy the BitLocker Recovery Password from the LON-CL1 properties window in Active Directory Users and Computers.
  4. From the Administrator: Windows PowerShell ISE console pane, run the following (where xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx represents the recovery password you copied from Active Directory):

Note: Remove any extraneous spaces and line breaks from the recovery password you copied from the LON-CL1 properties window in Active Directory Users and Computers. The recovery passwords should consist of eight groups of six digits each, separated by dashes, with no spaces

Unlock-BitLocker –MountPoint 'H:' –RecoveryPassword 'xxxxx-xxxxx-xxxxx-xxxxx- xxxxx-xxxxx-xxxxx-xxxxx'
  1. Use File Explorer to verify that the H: drive has been unlocked.

Note: You unlocked the volume H: by using the recovery password, rather than the password. This provides an alternative way to unlock an encrypted volume, in case you forget the password. The recovery password is protected by AD permissions. By default, only members of the Domain Admins group have permissions to read the recovery information (although it is possible to delegate this access).

Result: After completing this exercise, you have generated a recovery key for a BitLocker-encrypted volume with the Password protector, recovered access to the volume by using its recovery key, enabled storing BitLocker recovery information in Active Directory, and used a recovery password stored in Active Directory to provide access to an encrypted volume.

Help-Desk
Tickets