Group Policy configuration BitLocker detailed explanation

2025-04-13 Update From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/03 Report--

Yesterday the boss asked Douzi to look into how to configure BitLocker uniformly. It took Douzi a day to flip through all the materials on the Internet. The Chinese materials are basically too rudimentary to be useful, while there are plenty of English materials but they are quite messy. I read roughly seven or eight different references and summarized the whole basic configuration process. BitLocker has many application scenarios; some things here are limited by my level and the time available, may not be accurate enough, and will be corrected and added to gradually later.

The following explanations are Douzi's plain-language understanding:

Basic definition: first of all, what is BitLocker? Simply put, it is used to encrypt the hard disk, so that if the disk is lost, it cannot be accessed on another computer without the correct password.

Hardware: using BitLocker requires hardware support. This hardware module is called the TPM; it is generally present on computers and can be seen in Device Manager. A MacBook, however, has no TPM, so if you install Windows on an Apple computer and want to use BitLocker, you need to verify with a USB key or a separate password instead. This article will not discuss that.

Operating system: OS X and Linux are not supported. Among older systems, Windows 7 Pro is not supported; Windows 7 support is limited to the Ultimate and Enterprise editions, and Windows 8 and later support it in various editions.

How it works:

BitLocker classifies drives as OS, data and removable, all of which can be encrypted. After encryption you will see an extra lock on the drive letter: when the drive is accessible the lock is shown open, and when it cannot be accessed the lock is shown closed. There are generally three ways to unlock: a password or PIN, the recovery key, and a data recovery agent (in fact, certificate-based unlocking). Once a drive is locked, any of these methods can unlock it.

The PIN can generally be set by the user, and a Recovery Key is generated at the same time; if you forget the password, you can use this Key to unlock. The Key can be saved to a file, to the network or to AD. The data recovery agent is a signed certificate: as long as the corresponding certificate and private key are imported on the computer in question, the drive can be unlocked through that certificate's thumbprint. This part is troublesome and confusing and will be explained later.

In addition, there are many specific settings, such as automatically unlocking a drive connected to a particular computer, network unlock, letting the user set a PIN, requiring the PIN for the operating system drive before boot, and so on.

Specific operations:

Let's take a look at the configuration steps:

1. Add the schema
2. Configure permissions to allow saving the Recovery Key to AD
3. Install the BitLocker feature on the DC
4. Configure the CA and sign certificates
5. Configure the GPO (Group Policy)
6. Push existing BitLocker computers' keys to AD
7. Test with the manage-bde tool

Let's look at the schema first.

Generally speaking, a DC on Server 2008 R2 or later does not need the schema added manually. You can check with the following PowerShell command; if the result contains the following five objects, congratulations, you can skip the first step.

PS C:\WINDOWS\system32> Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like "*ms-FVE*"}

DistinguishedName                                                                  Name                         ObjectClass
-----------------                                                                  ----                         -----------
CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=omnicom,DC=com,DC=au   ms-FVE-RecoveryInformation   classSchema
CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=omnicom,DC=com,DC=au          ms-FVE-RecoveryGuid          attributeSchema
CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=omnicom,DC=com,DC=au            ms-FVE-VolumeGuid            attributeSchema
CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=omnicom,DC=com,DC=au      ms-FVE-RecoveryPassword      attributeSchema
CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=omnicom,DC=com,DC=au            ms-FVE-KeyPackage            attributeSchema

2. Add permissions to AD

First, you need to download a few VBS scripts from the official site. Even though we are in the age of PowerShell, Microsoft has not updated the method it used 10 years ago.

Https://technet.microsoft.com/en-us/library/dn466534.aspx#Sample scripts

Copy and paste the scripts and save them to the C:\Bitlocker directory on the DC

Run them.

Then you can add the permissions.

Open ADUC, go to the OU where the computer objects are stored, and choose Delegate Control

Open the wizard

Add user

Add Self

Select Custom

Select the Computer object type

Select the permission to write TPM information

Finish

In this way, the computer has permission to write TPM information to AD.

3. Install the BitLocker feature on the DC. There is nothing much to say here: open Server Manager, install BitLocker, and restart the DC. The BitLocker Viewer is installed automatically.

4. Configure the CA and certificates. Configuring the data recovery agent is the most confusing step of the whole process. CA configuration itself is not covered here; the focus is on issuing the certificate. Some documents say you need to duplicate the Key Recovery certificate template, manually add the Application extension, issue it to the user, and finally install the certificate and private key on the corresponding computer. Douzi's own tests of that approach did not work well.

Actual testing shows there is no need for all that trouble: I can simply issue a Basic EFS certificate and then use it to unlock the USB drive on multiple computers.

In MMC, open the Certificates snap-in, then Personal -> Certificates -> Request New Certificate

Click Next all the way through.

Select Basic EFS.

After enrollment succeeds, find the issued certificate, double-click it, and select 'Copy to File'

Be sure to export the private key

Save the exported PFX file; it will be installed later on the computers used for testing.

5. The most important part is configuring the GPO. Microsoft's recommended configuration is below and can be adjusted to your own needs.

Https://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx

However, the above covers only part of BitLocker; the following group policy also needs to be modified.

Computer Configuration -> Administrative Templates -> System -> Trusted Platform Module Services

Enable the setting under this node. Douzi's DC is Windows Server 2008 R2; reportedly this option is no longer available in Windows Server 2012.

In addition, we also need to configure the Data Recovery Agent GPO:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, then right-click BitLocker Drive Encryption and select Add Data Recovery Agent.

Click Next

Here I choose Browse Directory directly and then pick my own account (because the EFS certificate I issued earlier was issued to my own account)

It prompts me to choose which certificate to bind; because I was testing, I had issued N different certificates on my account. Just choose the EFS certificate generated earlier.

Any number of certificates can be bound here, and in theory any one of them can be used to unlock.

At this point, the configuration is basically complete. All that's left is to push GPO to the computer.

6. If a computer already has BitLocker turned on, we also need to push its existing Recovery Key to AD.

Run the following command to get the ID and password of the corresponding disk:

PS C:\WINDOWS\system32> .\manage-bde.exe -protectors -get c:
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {5AE32687-8E48-46D9-8096-9394B996323A}
      Password:
        003135-453508-448393-555390-091179-159577-396374-379665

    TPM:
      ID: {D25D3302-CC81-4FA5-BA41-F84F64D4246F}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Data Recovery Agent (Certificate Based):
      ID: {7184E029-D82C-47D8-AEA1-507E1EB8FAC6}
      Certificate Thumbprint:
        482bda8296519fbdb95e3228ff021d1cf2c62ab2

Push it to AD:

PS C:\WINDOWS\system32> .\manage-bde.exe -protectors -adbackup c: -id '{5AE32687-8E48-46D9-8096-9394B996323A}'
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Recovery information was successfully backed up to Active Directory.
PS C:\WINDOWS\system32>

Log in to ADUC and check that it has been saved to AD successfully.
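As an added example (not the post's own script), the following PowerShell automates the step 1 schema check and the step 6 backup for every BitLocker volume on a client, then queries AD for the same recovery objects ADUC displays. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and the RSAT ActiveDirectory module are installed, and that the session is elevated.

```powershell
# Added example, not from the original post. Requires the BitLocker and
# ActiveDirectory (RSAT) modules and an elevated session.
Import-Module BitLocker
Import-Module ActiveDirectory

# Step 1 check: the five ms-FVE schema objects listed in the post must exist.
function Test-FveSchema {
    $expected = 'ms-FVE-RecoveryInformation', 'ms-FVE-RecoveryGuid',
                'ms-FVE-RecoveryPassword', 'ms-FVE-VolumeGuid', 'ms-FVE-KeyPackage'
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $found = Get-ADObject -SearchBase $schema -Filter { Name -like "ms-FVE-*" } |
             Select-Object -ExpandProperty Name
    $missing = $expected | Where-Object { $_ -notin $found }
    if ($missing) { Write-Warning "Schema objects missing: $($missing -join ', ')" }
    return (-not $missing)
}

# Step 6: back up every Numerical Password (RecoveryPassword) protector of every
# volume to AD. TPM, Password and DRA protectors are not backed up; only the
# recovery password is stored in AD.
function Backup-RecoveryPasswordsToAd {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint) has no recovery password protector; nothing to back up"
            continue
        }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host "$($vol.MountPoint) protector $($p.KeyProtectorId) backed up to AD"
        }
    }
    # Verification (what ADUC shows): one msFVE-RecoveryInformation child object
    # under the computer account per backed-up protector.
    $stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
              -Filter { objectClass -eq "msFVE-RecoveryInformation" } `
              -Properties 'msFVE-RecoveryGuid'
    return @($stored).Count
}

if (Test-FveSchema) {
    "Recovery objects stored in AD for this computer: $(Backup-RecoveryPasswordsToAd)"
}
```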

7. Test

My computer has three kinds of drives: the operating system C: drive, an E: drive containing data, and a USB flash drive D:.

Check the status:

PS C:\WINDOWS\system32> .\manage-bde.exe -status
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 231.29 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: omnicom
    Key Protectors:
        Numerical Password
        TPM
        Data Recovery Agent (Certificate Based)

Volume E: [Data]
[Data Volume]

    Size:                 0.49 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: omnicom
    Automatic Unlock:     Disabled
    Key Protectors:
        Numerical Password
        Password
        Data Recovery Agent (Certificate Based)

Volume D: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Numerical Password
        Password
        Data Recovery Agent (Certificate Based)

For D: and E: I can set or change the password in the graphical interface. D: shows no details at present because I deliberately locked it. In fact, once the flash drive is unplugged and plugged back in, regardless of whether it is the same computer or not, as long as BitLocker was turned on for it before, its status is locked and it must be unlocked by one of the three methods before it can be accessed.

Let's see how to unlock it. Double-click D: and the following dialog box pops up. We can enter our own password, or the recovery key; the recovery key can be viewed in ADUC, or with manage-bde -protectors -get d: while the drive is unlocked.

After unlocking it, you can access it.

Finally, take a look at how to unlock through a certificate.

First, manually lock D:.

PS C:\WINDOWS\system32> .\manage-bde.exe -lock d:
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume D: is now locked

Check whether the corresponding certificate is configured and what its thumbprint is.

PS C:\WINDOWS\system32> .\manage-bde.exe -protectors -get d:
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume D: [Label Unknown]
All Key Protectors

    Numerical Password:
      ID: {92319191-E7DC-4393-875A-663926AC47D7}

    Password:
      ID: {DCF42582-F2C3-44A7-81E2-6FC26685060E}

    Data Recovery Agent (Certificate Based):
      ID: {AD39876C-3D7C-4444-91BA-EFE6C11ACE34}
      Certificate Thumbprint:
        482bda8296519fbdb95e3228ff021d1cf2c62ab2

On the current computer, import the certificate and private key matching that thumbprint (the certificate file exported in step 4) into the Personal store, then run the following command, which also unlocks the drive.

PS C:\WINDOWS\system32> manage-bde -unlock d: -certificate -ct 482bda8296519fbdb95e3228ff021d1cf2c62ab2
BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

The certificate successfully unlocked volume D:.

To sum up, the above demonstrates a basic process for configuring and using BitLocker in an AD environment; some details are not explained in depth.
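The certificate unlock above only works when the DRA certificate bound to the volume is installed, with its private key, on the computer doing the unlocking. As an added example (not from the original post), this PowerShell reads the DRA thumbprints from manage-bde -protectors -get, checks each against the CurrentUser\My store, and only then runs the same manage-bde -unlock command; the mount point d: is the post's USB drive and is an assumption here.

```powershell
# Added example, not from the original post. Verifies that the Data Recovery
# Agent certificate bound to a locked volume is present (with private key) in
# the current user's Personal store before attempting a certificate unlock.
function Get-DraThumbprints {
    param([string]$MountPoint)
    # manage-bde prints "Certificate Thumbprint:" followed by the 40-hex value
    # (see the -protectors -get output in the post).
    $out = manage-bde -protectors -get $MountPoint 2>&1 | Out-String
    [regex]::Matches($out, 'Certificate Thumbprint:\s*([0-9a-fA-F]{40})') |
        ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }
}

function Test-DraUnlockReady {
    param([string]$MountPoint)
    $thumbs = @(Get-DraThumbprints -MountPoint $MountPoint)
    if (-not $thumbs) { Write-Warning "$MountPoint has no DRA protector"; return $null }
    foreach ($t in $thumbs) {
        # Store thumbprints are upper-case hex; manage-bde prints lower-case.
        $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $t }
        if ($cert -and $cert.HasPrivateKey) { return $t }   # usable DRA certificate
        if ($cert) { Write-Warning "Certificate $t is present but has no private key" }
        else       { Write-Warning "Certificate $t is not in Cert:\CurrentUser\My" }
    }
    return $null
}

$ct = Test-DraUnlockReady -MountPoint 'd:'
if ($ct) {
    manage-bde -unlock d: -certificate -ct $ct.ToLowerInvariant()
} else {
    Write-Host "DRA unlock not possible on this computer; use the password or recovery key instead."
}
```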
