Introduction
Welcome to this in-depth guide on BitLocker and how to configure it to save recovery keys to Active Directory. In a corporate environment, managing encryption keys for numerous computers can be daunting, especially when you have a hundred thousand systems to secure. This tutorial will walk you through two scenarios: configuring BitLocker on computers already joined to a domain and ensuring that recovery keys are consistently saved in Active Directory across your network.
Understanding BitLocker
BitLocker is a built-in encryption tool in Windows that helps protect data by providing encryption for entire volumes. This ensures that even if a computer is lost or stolen, the data remains secure. When utilizing BitLocker in a corporate environment, organizations must ensure that they recover keys are managed effectively to allow access when necessary.
Two Scenarios with BitLocker
In this section, we will explore two distinct scenarios for configuring BitLocker:
- Configuring BitLocker on already secured devices
- Setting up BitLocker on new devices automatically saving recovery keys
Scenario 1: Existing BitLocker Configuration
In this scenario, you might have several Windows 10 computers where BitLocker has already been configured. However, their recovery keys are not saved in Active Directory, posing a risk if a recovery is needed. To address this, follow these steps:
Step 1: Server Preparation
- Open Server Manager.
- Navigate to Add Role and Features.
- Install the BitLocker Drive Encryption feature on your domain controller to ensure it can save and manage BitLocker keys.
Step 2: Configure Group Policy
- Open Group Policy Management and create a new Group Policy Object (GPO) linked to your domain.
- Right-click your GPO and select Edit.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
- Enable Configure BitLocker backup to Active Directory Domain Services and select the options to save both recovery passwords and key packages.
- Click Apply and OK.
Scenario 2: BitLocker Setup on New Devices
For new devices that join the domain, recovery keys can be saved seamlessly with the right configurations.
Step 3: Establishing GPO for New Devices
- Create further GPOs to specify that any new configuration of BitLocker must save recovery keys to Active Directory.
- Make sure the new computers have the gpupdate /force command run to apply the new policies.
Step 4: Script Automation
To automatically save recovery keys from already configured BitLocker devices:
- Create a PowerShell script that can run on startup to extract the recovery key from the configured devices and store it in Active Directory.
- Implement this script into a GPO startup script, ensuring it runs when a computer starts up.
Step-by-Step Instructions for Implementation
Here’s a condensed version of the step-by-step actions to take:
- Install BitLocker Drive Encryption on your Domain Controller.
- Configure Group Policy Objects (GPO) to:
- Save recovery keys to Active Directory
- Allow script execution policies.
- Ensure backup scripts are applied properly:
- PowerShell script execution
- Logon scripts with a delay to accommodate users.
- Utilize Active Directory to manage recovery information effectively.
Testing and Verification
Once all configurations and policies are correctly set:
- Perform a gpupdate on the client machines.
- Restart the computers and verify that BitLocker is enabled and the recovery keys appear in Active Directory for devices correctly configured with the new policy.
Conclusion
In conclusion, configuring BitLocker to save recovery keys in Active Directory is a vital process for maintaining data security in an enterprise environment. Proper implementation ensures that in the event of a lost password or a locked-out machine, recovery is straightforward and effective. By following these outlined steps, your organization can maintain stringent security protocols while minimizing data loss risks.
If you found this guide helpful, please like, comment, and consider subscribing to my channel. Additionally, if you have any questions regarding BitLocker or need further assistance, feel free to reach out by email. Thank you for watching, and see you in the next video!
hi welcome to my YouTube channel in this video I'll be showing you some cool things about bit Locker so we have two
scenario a situation whereby for example you've already configured bit log BitLocker on a computer before you
decided to actually configure a system whereby BitLocker will be stored in Active Directory so right now how do you
allow about hundred thousand computers to be able to set their password to Active Directory if this computer has
already been joined to the domain before you configure the local recovery Keys in Active Directory so let's see I
have two situations here the first one is already configured BitLocker on this Windows 10 computer so right now this
the key of this BitLocker is not saved in Active Directory suddenly I have a computer which is of course the
computers also joined to the domain controller but I have not configured BitLocker on this computer so the only
process of configuring BitLocker on this computer the key will be automatically saved to the domain controller so this
is the key of this bit look I saved it manually on a network share so well you do this at all if you work in a small
environment but if you work in a very large environment think or in a enterprise environment it is advisable
to always save your key to Active Directory so let's see first of all to me I have liked to workstation iceboxes
on 1 & 2 so if I go to my first workstation I double click on it you can see I have a tab here called bit Locker
BitLocker recovery in this tab of the property or in this properties of Windows 10 so what you need to do first
of all you to go to your server manager and you need to add a future let me just share the future you need to add so you
need to add this feature called BitLocker Drive Encryption which of course after installing this
Batak BitLocker Drive Encryption this will allow you to configure BitLocker on your domain controller
Encryption to be able to see have an extra tab in Active Directory Active Directory let me just show you here this
so you also need to install the bit Locker viewer which of course and I'm doing this version of this BitLocker
Network and unlock it well it's also installed the bit Locker viewer so let me click cancel so I'm fastener is this
so what I need to do now right now is I wanted to create a group policy because it's with the group policy we have to
configure to make sure that our password recovery password recovery key is being saved to Active Directory so if I go to
have created two policies which of course is linked to this organization you need which are called computers so
the first policy is gonna save bit lucky to Active Directory automatically dies if you want to configure the wall
station and the second one is going to save BitLocker key for computers which or which are already joined with other
be designed to the domain before you configure this policy so let me just right click on this group policy I
created click Edit and here on a computer configuration you have to go to policies in policies go to
administrative templates in administrative templates go to windows components on our windows components you
have the bit Locker drive encryption so the first thing you need to configure configure here is stop bit Locker
covering formation in Active Directory domain service click on it here we just need to click enabled and you see says
require BitLocker backup to Active Directory and domain service and here it says select BitLocker a confirmation to
store then I choose the recovery which password and key packages you can as well choose only for the
recovery password only before these test environments I'm gonna choose both of the key but it
could be password on the key packages so I just need to click apply and ok and also I also need to configure these
trends so configure drive encryption method and cipher strange so let me just configure that because I want it to be
very very strong so I'm just gonna leave it at the default but you have other options to slightly turn off three to
five bits and 56 bits but I'm gonna select the one run to the eight bit which is not the default for the
operating system and also for the fist data drives and removable data before this test environment we are going to
just do this for the operating system so click apply and then click OK so right now I'm going to go to the
operating system itself because here you have three options for fist data drives operating system drives and removable
removable data drives so I'm going to choose the operating system drives so here we have the option to actually say
choose how BitLocker Patel operating system drives can be recovered so how do you want to recover the operating system
drive so let me just double click on this and choose enable and here I will just check this make sure that this is
checked allow data recovery agents then Allah 58t district of a password so you have the option to require for a disease
or password or do not allow so I'm gonna allow and also for the recovery key I'm gonna choose Suvorov to say speeds some
gurus make sure that this is also check say BitLocker recovery information to active domain services for 2016 drives
and here we said you can as well check the - not enabled with LA County recovery information is stored to Active
Directory from very sustain so what happen is this if you check this the BitLocker will not be enabled for that
operating system only if the key the information is correct information has been stored to Active Directory so click
apply and click OK so after completing the configuration in group policy so we doesn't too close the
group policy management editor so let's go to the computer way we need to configure bit Locker so mind you I'm
going to configure BitLocker on this computer which it has not be configured before and on the second on my first
computer here BitLocker has been configured so we need to create a new group policy which we allow the password
which we already saved to our shared drive to be saved to active territory so let me go to my second computer and try
to configure group and BitLocker on this computer so but before you do that you make sure you need to do gpupdate
let me just go to the command prompt and do GP updates first because if not the policy we just implemented will not take
effect on this computer or you can as well restart the computer for the policy to take effect so the computer policy of
the Dead has completed successfully and also the users policy has completed successfully so I'm going to close this
policy to allow this the recovery key to be saved in Active Directory now I will not have the option to click Next I will
either have to save save to a file search or USB flash drive or print the recovery key so what you need to do you
don't need to do any of this three option just click Next and I encrypt use this place only of course of more faster
system so let me just try to fasten every tumor that my Saxena will come back again when my system has been
restarted so after restarting my computer then I'll not change I will need to enter my BitLocker password
okay now my computer be restarted so let me log on to this computer and show you what happens okay let me go to my add
active directory and see if this the correct password has been saved to a directory so first of all let's just do
some refresh and go to computers for the second computer good here we go as you can see the password of BitLocker has
been automatically saved to this computer so let's go to a second computer see it's trying to sleep trying
to log on so as you can see BitLocker has been enabled and configured on this computer so if I go back to my domain
controller here we can see we have the password ID and the recovery password so if someone tried to log onto this
computer with the wrong password for so many times and password gets locked because of the BitLocker or something
happen and you need the recovery arm to record up back the computer to be able to log on so the person needs to provide
tried all the last digit of last first four digits or eight digit of his ID we can as well might last or maybe the last
digit of his ideal class will match it to this password and provide a password to the user so that is it but for the
second option so right now how do we make sure that this passed the recovery password we saved to the network share
is been automatically saved to Active Directory so we have two option I'm script here which I'm gonna show you
let me just try to open notepad so I have a script which I found I tried it I describe myself so I find it on the
Internet does a script let me just try and copy the script from somewhere and let me see if I can paste it so I just
copy this script to not pan so you can see so what can do we had the option I tried to actually run this script in
PowerShell as an administrator so by running the script in partial what will happen is this the the password or the
recovery key of BitLocker will be automatically saved to active active directory but this is not what we want
to do because by going if you have like 1000 computers you work in an enterprise environment that you have like 1000
computers so we're going to each computer and trying to copy the script manually would be a very very easy task
for you so we can decide to configure a second group policy which will actually automatically when the user try to start
up this computer the script will be enforced on that computer but automatically writing the recovery key
to active directory so as you can see here we still don't have the recovery password on the for this Windows 10
computer so what we need to do is let me just go back again to active my group policy right mint so click edit so what
we need to do here is let's go to policies on a computer configuration policies and here go to windows settings
and go to start script and shutdown so we need I try to start and during this touch up so we need a
script to be Italian Faust so what we need to do is here impartial we need to go to here you have the
script so how the PowerShell script just click show files so when you click show files so here we're going to actually
computer so just copy it to this look at location so I'm gonna copy the script to this location and then we can go for
that from there so I just copy the file to this location and what you need to do is just click on the file click right
click the file and click properties here on our security make sure you add the domain computers and make sure that it
do make computers had a read and execute assess which is of course to be allowed on this script so just click OK and here
we need to click cancel and then we have to go and add the file click browse click select select the right write file
and click open click OK and click apply and click OK so what we need to do next is to make sure
that when you just try to log on on to the integer computer there should be a delay when this group is being deployed
because if you allow the script to be deployed immediately it's possible that some users I'm used like a wireless
device or somebody else who's used laptop and when they log on to the computer and probably a lot of had not
connected to the wireless network or to the network so we crash actually try to delay the script for being and forced
into this computer for like 2 or 3 minutes so what we need to do is to go to under your policies go
to administrative templates here on our system then we have to look for group policy so let me just search for group
policy here in group policy so we actually need to search for configure logon script delay let me just look for
configure logon script delay see let me just try to Johnny yes ok click enabled and just put like two two minutes
make sure because you know partial script when they are being deployed on a computer it's actually deployed on the
user's profile so mostly if you work in an enterprise environment another users profile partial script is not allowed to
be configured so what we need to do we need to change actually a policy that we allowed this script to be enforced on
the computer so first of all we also need to go to under your computer configuration then go to your
administrative templates then now we have to go to Windows components and look for Windows PowerShell here we have
the windows powershell so what we are going to actually look for is to turn on script execution so we'll go to the
tunnel script at the Kishin so you enable this policy and here you select the allow local script and remote
signing script so well by doing this the policy will be able to apply it on other users profile because we touch you
so right now so we need to come to the group policy management editor so we go to the workstation which I which we is
going to get as policy so we actually need to make sure that we also go to the command prompt and tap GP updates force
so the policies been updated so after the policy has been updated so we need to make sure the policies of the
trade so we are going to restart the computer and with like - I am two or three minutes or less just with like
four minutes and so to make sure that the policy has been fully enforced on this computer and then we see the
results so let me just restart this computer click kristance so let me just okay let me not delay the
time of this video so just pause it and when you come to a story started I will come back so when we log on to this
computer and as the first one and we try to so we going out to go back to your domain controller and here just try to
refresh your computer to refresh and I computer try to refresh and here we have the first computer and here you can see
the BitLocker key has also been written to Active Directory so I'll give some to the kids you did see the BitLocker key
recovery key on your Windows properties for computer which has already bit joined to the domain Atta and
configuring this process what you need to do is just to go to your computer log off to the computer and try to log on
again a second time actually you will see the recovery key or the password and ID and recovery password on your Windows
10 properties so this is how you actually configured Windows BitLocker password ID and recovery password to
active directory so please if you think this video has been of any help to you please don't forget to give me a like or
just leave a comments and if you have any question concerning bit Locker you can always always send me an email to
cage your computers at gmail.com so what I'm going to do is I'm going to leave the scripts which I used to enforce this
BitLocker I'm going to leave the script below on my youtube on the on this video so you can as well use this script to in
Limited on a test environment environment or in a production environment because I'm actually using
it also in a production environment I'm using this scripting and production environments which of course is helping
me to make sure that all computers which was joined to the domain controller before we implement this policy now we
are now having this password being sent to Active Directory so my name is Calvin Johnson please if you have any question
also you have any question on office365 you can as well send me an email and I will respond as quick as possible
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Generate a summary for freeRelated Summaries
Securing Your APIs in Azure API Management with OAuth
Learn how to protect your APIs in Azure API Management using OAuth. Secure your APIs effectively with our detailed guide!
Mastering General Security Concepts for Security Plus Exam 2024
Dive into key concepts of security controls, change management, and cryptographic solutions for Security Plus Exam prep.
Troubleshooting Laptop Issues: A Comprehensive Guide for Technicians
Learn essential tips and techniques for troubleshooting common laptop issues effectively.
A Comprehensive Guide to Bluetooth Pairing: Connecting Your Devices Securely
Learn the Bluetooth pairing process and how to connect devices securely with this step-by-step guide.
Essential Configuration Settings for Your New Mobile Device
Learn how to configure crucial settings on your new mobile device for seamless functionality.
Most Viewed Summaries
A Comprehensive Guide to Using Stable Diffusion Forge UI
Explore the Stable Diffusion Forge UI, customizable settings, models, and more to enhance your image generation experience.
Pamaraan at Patakarang Kolonyal ng mga Espanyol sa Pilipinas
Tuklasin ang mga pamamaraan at patakarang kolonyal ng mga Espanyol sa Pilipinas at ang mga epekto nito sa mga Pilipino.
Pamamaraan at Patakarang Kolonyal ng mga Espanyol sa Pilipinas
Tuklasin ang mga pamamaraan at patakaran ng mga Espanyol sa Pilipinas, at ang epekto nito sa mga Pilipino.
Kolonyalismo at Imperyalismo: Ang Kasaysayan ng Pagsakop sa Pilipinas
Tuklasin ang kasaysayan ng kolonyalismo at imperyalismo sa Pilipinas sa pamamagitan ni Ferdinand Magellan.
Pamamaraan ng Pagtamo ng Kasarinlan sa Timog Silangang Asya: Isang Pagsusuri
Alamin ang mga pamamaraan ng mga bansa sa Timog Silangang Asya tungo sa kasarinlan at kung paano umusbong ang nasyonalismo sa rehiyon.
If you found this summary useful, consider buying us a coffee. It would help us a lot!