Requesting Clarification on Protectors & plugin functionality (and limits)

This forum is used to support the BitLocker for Automate plugin. You will find documentation on the plugin as well as an area to post issues and requests. Please post
Post Reply
help4mepls
Posts: 4
Joined: Tue Aug 01, 2023 5:06 pm

Requesting Clarification on Protectors & plugin functionality (and limits)

Post by help4mepls »

I have read the posts here to better understand the method and utility of the plugin. I am able to verify I can see some devices with encrypted volumes, and some of the encrypted devices also show they have protectors. I also have some others that say they are encrypted with no protectors. I saw in one of your posts that you said you had to add protectors to a drive before you could encrypt it. So I guess I am hoping you can explain a bit more about what that requirement means.(viewtopic.php?p=9788&hilit=add+at+least ... ctor#p9788)

I see that i can add multiple protectors. I saw someone said that they're layers. Does that mean if I add multiple protectors I have to be able to unlock both of them? or is each one a different lock on a different door? or are they different ways to open the same lock?
Hopefully my questions make sense.

Additionally I saw the function to Backup my protectors to LDAP. Is this backing them up to the domain that a given machine is joined to? Where in the LDAP is it being stored? How is it being stored? what permissions are required for someone to query this value in a usable way?

User avatar
Cubert
Posts: 2429
Joined: Tue Dec 29, 2015 7:57 pm
8
Contact:

Re: Requesting Clarification on Protectors & plugin functionality (and limits)

Post by Cubert »

I have read the posts here to better understand the method and utility of the plugin. I am able to verify I can see some devices with encrypted volumes, and some of the encrypted devices also show they have protectors. I also have some others that say they are encrypted with no protectors. I saw in one of your posts that you said you had to add protectors to a drive before you could encrypt it. So I guess I am hoping you can explain a bit more about what that requirement means.(viewtopic.php?p=9788&hilit=add+at+least ... ctor#p9788)

For clarification and make sure we are communicating the correct data I will post a couple of URLS, I hate just pointing to some url to explain away things but Bitlocker has changed with every OS release and not all things may apply anymore. So lets read it from the update MS documents.

https://learn.microsoft.com/en-us/windo ... windows-10

and

https://learn.microsoft.com/en-us/windo ... deployment

can I add multiple protectors
Absolutely, you can have several key protectors at once, the most common setup is having a TPM and Recovery Password set of protectors applied to your volume. (each volume can and does have separate but the same key protectors available to it). TPM protector will unlock the volume on boot up and if the drive fails TPM you can force an unlock with the recovery Password. But you would not use the recovery password first. (Any one key protector can unlock the volume even though multiple key protectors exist on volume)


The plugin is a tool to that allows you to enable key protectors on any volumes available for an agent, it allows you to then control volume after encryption, (lock, unlock, suspend, unsuspend add and remove protectors and store keys, pin codes and passwords in Automate) You are able to do this in mass and without disturbing the agents desktop.

You can export in SQL all the keys stored in the Automate database using SQL query tool.

help4mepls
Posts: 4
Joined: Tue Aug 01, 2023 5:06 pm

Re: Requesting Clarification on Protectors & plugin functionality (and limits)

Post by help4mepls »

Thank you for your response. It has helped me complete our project to setup protectors and enable protection on all the systems at one of our clients.

There is one thing that I haven't been able to find anywhere and that is a method to test the recovery keys that are captured by the plugin.

I found answers on the web that recommended restarting into SafeMode but that didn't prompt for the key. I can't use the Lock command from the plugin on the OS drive, because of course i can't force dismount of the OS.

Has anyone ever found a solution for this?

User avatar
Cubert
Posts: 2429
Joined: Tue Dec 29, 2015 7:57 pm
8
Contact:

Re: Requesting Clarification on Protectors & plugin functionality (and limits)

Post by Cubert »

You can verify key with the following powershell command

Code: Select all

(Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}

help4mepls
Posts: 4
Joined: Tue Aug 01, 2023 5:06 pm

Re: Requesting Clarification on Protectors & plugin functionality (and limits)

Post by help4mepls »

Yeah, I understand how to query the key(s) from powershell, and I also have successfully built a nice SQL query to get a summary of all my different systems which have encrypted volumes, how many, how many protectors, whether protection is on, and all the recovery passwords that exist for each of them.

I just wanted to actually be able to trigger a system to prompt me for the recovery key so I could verify that it would accept the key I have. So far, I have incidentally had to use 1 out of 150 keys I have captured. Just like testing any backup, it seemed that testing all the other recovery keys when it's not emergent would be wise.

Post Reply

Return to “BitLocker for Automate”