Requesting Clarification on Protectors & plugin functionality (and limits)

[help4mepls]

I have read the posts here to better understand the method and utility of the plugin. I am able to verify I can see some devices with encrypted volumes, and some of the encrypted devices also show they have protectors. I also have some others that say they are encrypted with no protectors. I saw in one of your posts that you said you had to add protectors to a drive before you could encrypt it. So I guess I am hoping you can explain a bit more about what that requirement means.(viewtopic.php?p=9788&hilit=add+at+least ... ctor#p9788)

I see that i can add multiple protectors. I saw someone said that they're layers. Does that mean if I add multiple protectors I have to be able to unlock both of them? or is each one a different lock on a different door? or are they different ways to open the same lock?
Hopefully my questions make sense.

Additionally I saw the function to Backup my protectors to LDAP. Is this backing them up to the domain that a given machine is joined to? Where in the LDAP is it being stored? How is it being stored? what permissions are required for someone to query this value in a usable way?

[Cubert]

I have read the posts here to better understand the method and utility of the plugin. I am able to verify I can see some devices with encrypted volumes, and some of the encrypted devices also show they have protectors. I also have some others that say they are encrypted with no protectors. I saw in one of your posts that you said you had to add protectors to a drive before you could encrypt it. So I guess I am hoping you can explain a bit more about what that requirement means.(viewtopic.php?p=9788&hilit=add+at+least ... ctor#p9788)

For clarification and make sure we are communicating the correct data I will post a couple of URLS, I hate just pointing to some url to explain away things but Bitlocker has changed with every OS release and not all things may apply anymore. So lets read it from the update MS documents.

https://learn.microsoft.com/en-us/windo ... windows-10

and

https://learn.microsoft.com/en-us/windo ... deployment

can I add multiple protectors

Absolutely, you can have several key protectors at once, the most common setup is having a TPM and Recovery Password set of protectors applied to your volume. (each volume can and does have separate but the same key protectors available to it). TPM protector will unlock the volume on boot up and if the drive fails TPM you can force an unlock with the recovery Password. But you would not use the recovery password first. (Any one key protector can unlock the volume even though multiple key protectors exist on volume)


The plugin is a tool to that allows you to enable key protectors on any volumes available for an agent, it allows you to then control volume after encryption, (lock, unlock, suspend, unsuspend add and remove protectors and store keys, pin codes and passwords in Automate) You are able to do this in mass and without disturbing the agents desktop.

You can export in SQL all the keys stored in the Automate database using SQL query tool.

[help4mepls]

Thank you for your response. It has helped me complete our project to setup protectors and enable protection on all the systems at one of our clients.

There is one thing that I haven't been able to find anywhere and that is a method to test the recovery keys that are captured by the plugin.

I found answers on the web that recommended restarting into SafeMode but that didn't prompt for the key. I can't use the Lock command from the plugin on the OS drive, because of course i can't force dismount of the OS.

Has anyone ever found a solution for this?

[Cubert]

You can verify key with the following powershell command

Code: Select all

(Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}

[help4mepls]

Yeah, I understand how to query the key(s) from powershell, and I also have successfully built a nice SQL query to get a summary of all my different systems which have encrypted volumes, how many, how many protectors, whether protection is on, and all the recovery passwords that exist for each of them.

I just wanted to actually be able to trigger a system to prompt me for the recovery key so I could verify that it would accept the key I have. So far, I have incidentally had to use 1 out of 150 keys I have captured. Just like testing any backup, it seemed that testing all the other recovery keys when it's not emergent would be wise.

[chris10385]

Thank you for your response. It has helped me complete our project to setup protectors and enable protection on all the systems at one of our clients.

There is one thing that I haven't been able to find anywhere and that is a method to test the recovery keys that are captured by the plugin.

I found answers on the web that recommended restarting into SafeMode but that didn't prompt for the key. I can't use the Lock command from the plugin on the OS drive, because of course i can't force dismount of the OS.

Has anyone ever found a solution for this?

How were you able to enable bitlocker after getting the keys created??

[help4mepls]

Preface: I am not responsible for any consequences of following the below information. I recommend you have a backup of any system before you start messing with bitlocker on it if you are not confident and familiar. The below commands can be found easily online as well.


Bitlocker is commonly enabled from the factory but may not have any encryption protectors in place. This means that if there is an issue automatically unlocking the volume, you may be locked out. To prevent that, we add Protectors.

The default protector type is a TPM protector, but this may not protect us in all cases. For this reason we require at least 1 "RecoveryPasswordProtector" in place on any encrypted OS volume we are responsible for.

manage-bde.exe
This is a regular .exe and can be run in command prompt OR powershell interchangeably. You must run the prompt as Administrator to use it.

manage-bde examples:

• manage-bde -status This command gives you bitlocker status output of all drives on the system.

• manage-bde -on c: If the drive is 0% encrypted, This command encrypts the C: drive, adds a TPM protector, and then sets the system to do a hardware test on the next boot. It will not begin encryption of the volume until the hardware test is completed.

• manage-bde -off c: This command disables Bitlocker protection, decrypts the c: drive, and removes all protectors. It will start the decryption process first, and the protectors will not be removed until the drive is 100% decrypted.

----------------
Powershell commands:

• Get-BitlockerVolume -Mountpoint C: This command will fetch the status of the bitlocker volume mounted at C:
  In this example, the volume is not encrypted at all, with no protectors and Protection is disabled.

• $BLV=Get-BitlockerVolume -Mountpoint C: In this command, i have stored an object that represents the state of the bitlocker volume mounted as the C: drive, and stored it in a variable named BLV. The $ indicates it is a variable name. The next two commands show me referencing the VolumeStatus and EncryptionPercentage properties of the BLV object.

• $TpmState=Get-Tpm; $TpmState | Format-List gets the state of the TPM and stores it in $TpmState variable, then prints it in list format. You need it to be present, ready, enabled, activated, and owned.

• Enable-Bitlocker C: -TpmProtector -SkipHardwareTest -UsedSpaceOnly This command will encrypt the used space on the C: drive, skip testing the hardware first (and therefore not require a reboot), add a TPM Protector, and then enable protection when it's completed encrypting.

• Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector This command adds a RecoveryPasswordProtector to the C: drive. You can add as many protectors as you want, and any 1 protector is sufficient to unlock the drive. You can specify a protector key if you want, but I am letting the system generate its own. There are other types of protectors available as well.

Other notes about bitlocker: You will want to suspend bitlocker before doing any updates, especially BIOS updates or driver updates.