In this demonstration, we'll look at BitLocker deployment, configuration, setup, Active Directory key escrow, and then we'll test the process of putting a server in recovery mode and retrieving the key from Active Directory.

So we're looking at the desktop of my domain controller, a Windows Server 2022 machine. And to set the stage here, we'll want to do our work not in Active Directory Users and Computers; let me instead go to Run, gpmc.msc, to bring up the Group Policy Management console, and we'll edit the Default Domain Policy, and let me show you where the appropriate BitLocker Drive Encryption policies are. Let's go under Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption. And I've set a couple of policies here I want to show you. First of all, at the root level here under BitLocker Drive Encryption, we have the policy (let me stretch this out for you) Store BitLocker recovery information in Active Directory Domain Services. So I've enabled the policy, and I'm going to require BitLocker backup to AD DS, and your choices are to back up just the recovery password or the recovery password with the key package.
I'm just going to do recovery password backup here. And so the benefit here, the use case, is that your support staff then will have a way to help your users unlock their drives if they're in recovery mode and they don't happen to have the password themselves, all right? Let's cancel out of there because I've already set this policy.

And then we have separate folders for Fixed Data Drives, Operating System Drives, and Removable Drives. Let's go to Operating System Drives. And I'd mentioned Network Unlock; that's just something you can enable or not, and this will allow, when your server is on your domain LAN, you to do remote management by rebooting and transparently unlocking the system even if it's set with a PIN protector. We've got Require additional authentication. This is a common choice; it used to be more common in years back before the TPM became a pretty standard component on system motherboards. But I actually, in my lab, don't have TPM available, so I'm specifying to allow BitLocker without a compatible TPM. And I'm setting all of these policies down here not to work with TPM. Anything else here? Yes, Choose how BitLocker-protected operating system drives can be recovered.
I'm going to allow not only the data recovery agent, which is a way to delegate the ability for people to recover BitLocker recovery systems, but beyond that, I'm going to configure user storage of BitLocker recovery information and save BitLocker recovery information to AD DS for operating system drives. And I'm again just going to store the recovery passwords. So I've put all of those policies into effect, so they are currently in use.

And next, let me show you the workflow for deploying or setting up BitLocker on a Windows Server system, just to make sure you understand the workflow. Here we are on my MEM1 server. I'm going to open up Start and look for BitLocker. Let's go to the BitLocker Control Panel. If it doesn't open... which it appears to not be available yet on this system. Let me try one more thing. Let me go to the old-fashioned Control Panel here. Yes, I forgot that I took it for granted, or started to take it for granted, that in Server BitLocker is not installed by default, so I could do this with PowerShell. But I won't; I'll actually set this up the old-fashioned way by going through Add Roles and Features.
This is good practice for us anyway, actually. So let me step in past the roles and go to features, and I'm going to do BitLocker Drive Encryption setup here, and then click Next. Restart if necessary, then install. As I was saying a moment ago, the taking for granted meant that this BitLocker is natively available in Windows client, but not on Server.

Okay, so coming back from the reboot on the server. Now that I've installed BitLocker, it is, in fact, available in the good old-fashioned Control Panel. And as we can see, BitLocker Drive Encryption can affect both your system, your OS drive, any other fixed data drives, and then we have BitLocker To Go for our USB flash drives and removable disks. I'm going to turn on BitLocker. There we go; this is a good real-world example where starting BitLocker has run into an issue here, so this could very well be that maybe this server hasn't yet ingested the Group Policy that allows for no TPM. I'll have to investigate that. And through the magic of video editing, I'm now able to proceed to the next step. And what the problem turned out to be: I was clicking too fast on domain controller one. Let me quickly show you.
So if we come back to that Group Policy, way down under BitLocker Drive Encryption, Operating System Drive, Require additional auth at startup: I should have had Configure TPM startup PIN set to Allow instead of Do not allow; that was the conflict in question. I assumed that this had to do with TPM. No, it's just the personal identification number. Since we're not using TPM, we're going to have to use the PIN protector.

Okay, so we're asked first, how are we going to unlock the drive at startup? Are we going to do a USB dongle or a password? I'm going to do a password, so let me type that password in and confirm it. This will be the PIN. And then we can back up our recovery key to a number of different locations: print, save to file. Now, I found that BitLocker can be a bit strange if you don't have another data drive; it won't let you save the recovery key to the C drive, which makes sense. So let me choose Print, Print to PDF. And again, I might run into some problems here unless I choose another location. So why don't I go to DC1, shares, and I'll call this mem1-bitlocker-key, that PDF. Okay, good, so let's click Next.
How much of the drive do we want to encrypt? Encrypt used space only (faster), or encrypt entire drive (slower, for drives that are already in use). Well, this is a new server. Are we going to use stronger encryption, 256 or 128? I'm going to choose new. Are we going to run the system check first? That's always a good idea. And then it will restart the computer before encrypting; that'll run down in the notification area or the system tray after the machine restarts. So there we go, encryption will begin after computer restart. Click here. So let's restart, and I'll see you on the other side.

All right, I'm back from the reboot, and let me show you the screen I saw when I rebooted the machine. So when you're using the PIN protector, the downside there is that you have to interactively use a password to unlock the drive. The downside, though, as I'd mentioned before, if you're not using Network Unlock, you could run into problems with servers in data centers that you're remotely servicing, and you cannot interactively get to the keyboard and terminal like that, you know, but that's what we've got today with this PIN protector.
And if I come down in the system tray, I can see that BitLocker Drive Encryption is in progress here, and it looks like it's almost completed. That's good to see. And then if we click Manage BitLocker, that brings us back to the Control Panel, where we can make another backup of our recovery key, can change or remove the PIN, we can turn off BitLocker Drive Encryption.

Now there's also a manage-bde command that we can use. Let me bring out an elevated PowerShell console here. And again, typically, let me change the font and size to make it a bit easier to read. manage-bde is the non-PowerShell, the decidedly non-PowerShell, BitLocker Drive Encryption tool. And as you can see, it has a number of parameters where you can work with the service. But what we're going to do is a ForceRecovery, and that's nice because that's a fire drill exercise that gives you an opportunity to see what the unlock process is if BitLocker is in a state where it thinks that maybe the drive has been stolen or the drive has been put in another computer chassis; in other words, the normal state of operations has been interrupted.
Another thing we can take a look at here, if I clear the screen, is let's do a get command using PowerShell. And I'm going to do where the verb is get and where the noun includes bitlocker. I'll do a fuzzy match, so it looks like there's Get-BitLockerVolume. Actually, let's try something else, Get-Command from the module BitLocker to see all of the commands that are in there. So here we can get BitLocker information, we can do enable and disable, so this would be for programmatic use where you want to manage BitLocker on, say, a whole bunch of servers and issue a script once instead of having to do all this clicky, clicky stuff that we're doing manually; ain't nobody got time for that. So let's force recovery, and let me show you how that works. manage-bde -forcerecovery, whoops, I didn't get the syntax quite right. I have to add which volume it is that we're going to force recovery on. I'm going to do C. Okay, so let's do a restart-computer -force to go into recovery mode.
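The scripted version of the workflow walked through above (feature install, protector check, AD DS escrow, verifying the escrow from the directory side, then the ForceRecovery fire drill), as an added example that is not the presenter's code: it assumes the BitLocker module and the ActiveDirectory RSAT module are available on the server, that the server is domain-joined with the "Store BitLocker recovery information in AD DS" policy applied, and it reuses the MEM1 computer name and C: volume from the demonstration.

```powershell
# Added example: scripted equivalent of the demonstrated workflow. Run elevated
# on the domain-joined server (MEM1 in the demo). Assumes the ActiveDirectory
# module is installed locally for the escrow check in step 4.

# 1. On Server, BitLocker is a feature and is not installed by default.
#    -Restart reboots the box if needed; rerun the script afterwards.
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
}

# 2. Inspect the OS volume: encryption state and which protectors exist.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 3. Make sure a recovery password protector exists (that is what AD DS stores),
#    then escrow it explicitly. Backup-BitLockerKeyProtector writes the
#    msFVE-RecoveryInformation object under the computer account; the GPO does
#    this automatically when the protector is created, this is the explicit check.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
}

# 4. Verify the escrow from the directory side: this is the lookup support staff
#    perform to help a user whose machine is sitting at the recovery screen.
#    The password is a secret; show it to the operator, never write it to a log.
$computer = Get-ADComputer -Identity 'MEM1'
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
             -SearchBase $computer.DistinguishedName `
             -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated' |
    Select-Object whenCreated,
                  @{ n = 'KeyId';    e = { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') } },
                  @{ n = 'Password'; e = { $_.'msFVE-RecoveryPassword' } }

# 5. Fire drill, exactly as in the demo: force the next boot into recovery.
#    Left commented out because it reboots the machine; only run it once step 4
#    has shown the recovery password is actually present in AD DS.
# manage-bde -forcerecovery C:
# Restart-Computer -Force
```

The KeyId shown in step 4 is the first block of the identifier displayed on the recovery screen, which is how the helpdesk matches the stuck machine to the right escrowed password.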