Windows Bitlocker

Bitlocker vs. EFS: https://www.howtogeek.com/236719/whats-the-difference-between-bitlocker-and-efs-encrypting-file-system-on-windows/

Auto Unlock: https://petri.com/how-to-configure-bitlocker-auto-unlock

:!: Keep in mind that if enabled, and using the password option, you will not be able to access the PC via RDP if it is rebooted.

Bitlocker has been available since Windows Vista but only in Professional and Enterprise versions.

Control Panel

Bitlocker Control Panel Applet

CLI

Show Bitlocker Info

manage-bde -status                      # encryption state and protectors of every volume
manage-bde -protectors -get e:          # protector types, IDs and recovery password for E:
Get-BitLockerVolume                     # PowerShell equivalent of manage-bde -status
Get-BitLockerVolume -MountPoint "E:"    # single volume; .KeyProtector holds the protectors

Enable Bitlocker

:!: These commands will allow you to specify a startup key on almost any drive, not just USB drives.

:!: The -usedspaceonly switch is needed for thinly provisioned storage.

Add protectors and encrypt drive C:

manage-bde -protectors -add C: -recoverypassword -password -startupkey E:   # recovery password + password + startup key (.BEK) on E:
manage-bde -status                                                          # verify the protectors before encrypting
manage-bde -on C: -usedspaceonly                                            # start encryption; -usedspaceonly for thinly provisioned storage
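A follow-up check that goes with the sequence above, added here as an example (not from the original page): it walks every volume with the BitLocker module, flags volumes that are suspended or have no recovery password protector, and, with -BackupToAD, escrows each recovery password to Active Directory. It assumes an elevated session on a domain-joined machine that already has the AD schema and policy described in the Active Directory section below.

```powershell
# Added example (not from the original page). Requires the BitLocker module
# (Windows 8 / Server 2012 and later) and an elevated prompt.
function Test-BitLockerProtectors {
    param([switch]$BackupToAD)

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $issues   = @()
        $escrowed = 0

        if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
            $issues += "volume status $($vol.VolumeStatus)"
        }
        # ProtectionStatus Off on an encrypted volume means protectors were disabled
        # (manage-bde -protectors -disable): the drive unlocks with no credential.
        if ($vol.ProtectionStatus -ne 'On' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $issues += 'protection is suspended'
        }
        if ($recovery.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $issues += 'no recovery password protector'
        }
        if ($BackupToAD) {
            foreach ($rp in $recovery) {
                try {
                    # Creates an msFVE-RecoveryInformation object under the computer account.
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $rp.KeyProtectorId | Out-Null
                    $escrowed++
                } catch {
                    $issues += "AD backup failed: $($_.Exception.Message)"
                }
            }
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Encryption   = $vol.EncryptionMethod
            Protectors   = ($types -join ', ')
            EscrowedToAD = $escrowed
            Issues       = ($issues -join '; ')
        }
    }
}

# Usage: report all volumes and push recovery passwords to AD.
Test-BitLockerProtectors -BackupToAD | Format-Table -AutoSize
```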

Manage Bitlocker

Delete a protector:

manage-bde -protectors -delete c: -id {Protector-ID}   # get the ID from manage-bde -protectors -get c:

Bitlocker without TPM (Trusted Platform Module)

When enabling Bitlocker it will check to see if your computer has TPM. If not, it will throw a message that you can use Bitlocker without it but need to change a Local Group Policy.

  1. In the Windows 10 Search box type gpedit.msc and press Enter to start the Local Group Policy Editor.
  2. Go to Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.
  3. In the right-hand pane double-click Require additional authentication at startup.
  4. Check the Enabled radio button and make sure that the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) is checked. Then click OK.

Enable Bitlocker

  1. Login to your PC as administrator
  2. Go to the File Explorer, right-click drive C and select Turn on BitLocker.
  3. You are given a choice to either Insert a USB flash drive or Enter a password.
  4. If you choose the option to insert a removable USB flash drive, it will save the startup key on the USB flash drive. This will be used to unlock the operating system drive after each reboot. NOTE: Unlike the recovery key, the startup key is not a text file. It has the file extension .BEK.
  5. If you select the option to enter a password, you will enter the password and confirm it. Make sure you use a long, secure pass phrase. This password will be required each time the computer is rebooted.
  6. Next, you will be given several options for storing the recovery key. The easiest thing to do is to use the option Save to a file.
  7. After you have saved the recovery key to a file, click Next.
  8. If you are setting up BitLocker on a new drive, you only need to encrypt the part of drive that is being used. When you add additional data, BitLocker will automatically encrypt that data.
  9. If you have already been using your computer for a while, select the second option Encrypt entire drive (Slower but best for PCs and drives already in use).
  10. Depending on the size of the hard drive and the amount of data, the encryption process can take a long time so be patient.
  11. You will be prompted to restart the computer.
  12. After the computer reboots, it will start encrypting the drive. You won’t see any progress bar unless you click the icon in the system tray for Bitlocker.

Change the Bitlocker Password

You may want to change the password that unlocks your hard drive for various reasons. If you know the current password you can change it. A minimum of 8 characters is required and a mixture of upper case, lower case, numeric and special characters is recommended.

:!: DO NOT FORGET YOUR NEW PASSWORD.

  1. In File Explorer right click the drive that is encrypted.
  2. Choose Change Bitlocker Password.
  3. Enter the current password and then the new password twice.
  4. Click Change Password.

FIPS 140-2 Compliance

Install Bitlocker Feature: https://abouconde.com/2019/05/20/encrypt-drives-with-bitlocker-on-windows-server-2019/

Enable FIPS Compliance Policy: https://blogs.oracle.com/cloud-infrastructure/windows-server-fips-compliance-v2

Video Howto: https://www.youtube.com/watch?v=Ujac3q_yBrc

Active Directory

Use adsiedit.msc to delete keys from AD if they are no longer needed.

Bitlocker Info Stored in AD

Group Policy Settings: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#active-directory-domain-services-considerations

https://www.rootusers.com/deploy-bitlocker-without-a-trusted-platform-module-tpm/

https://techdirectarchive.com/2020/12/30/backup-bitlocker-recovery-keys-to-ad-how-to-enable-bitlocker-via-the-local-group-policy-editor-and-the-group-policy-management-console-2/

https://www.experts-exchange.com/articles/33289/How-to-create-a-file-based-bitlocker-protector-for-recovery-and-support-purposes.html

Import-Module ActiveDirectory
# Confirm the BitLocker schema extensions (ms-FVE-*) exist in this forest
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter { Name -like 'ms-FVE-*' }
# Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer account, not as attributes of the computer object itself
$computer = Get-ADComputer 'some-computer-name'
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties 'msFVE-RecoveryPassword', whenCreated | Select-Object DistinguishedName, 'msFVE-RecoveryPassword', whenCreated
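The domain-side counterpart of the query above, added as an example (not from the original page): it lists every enabled computer account and reports how many recovery passwords are escrowed under it, so machines whose keys never made it into AD stand out before a recovery is needed. It assumes the ActiveDirectory module and an account allowed to read msFVE-RecoveryInformation objects (by default Domain Admins).

```powershell
# Added example (not from the original page).
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        # Scope the search to an OU if the domain is large; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase `
                     -Properties OperatingSystem, LastLogonDate

    foreach ($c in $computers) {
        # Each escrowed recovery password is a child object of the computer account.
        $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                     -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                     -Properties whenCreated)
        $latest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1

        [pscustomobject]@{
            Computer        = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogon       = $c.LastLogonDate
            EscrowedKeys    = $keys.Count
            LatestKey       = if ($latest) { $latest.whenCreated } else { $null }
            Status          = if ($keys.Count -eq 0) { 'MISSING' } else { 'OK' }
        }
    }
}

# Usage: show only the machines with no recovery password in AD.
Get-BitLockerEscrowReport | Where-Object Status -eq 'MISSING' | Format-Table -AutoSize
```

A computer can legitimately show MISSING if it is not encrypted at all, so compare the list against the client-side status (manage-bde -status or Get-BitLockerVolume) before treating it as a gap.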