1
00:00:01,140 --> 00:00:05,770
So this is what it looks like when you restart a server or client machine and

2
00:00:05,770 --> 00:00:09,780
you're in recovery mode. We're being asked for the recovery key for this

3
00:00:09,780 --> 00:00:13,990
drive. It's a little bit annoying that there's no copy/paste, so you're going

4
00:00:13,990 --> 00:00:16,740
to be in for some careful transcription.

5
00:00:16,740 --> 00:00:17,990
So the idea, of course,

6
00:00:17,990 --> 00:00:22,240
is how do you get your recovery key if you don't have your backup handy?

7
00:00:22,240 --> 00:00:24,650
Well, what we'll do next is I'll show you how to get that

8
00:00:24,650 --> 00:00:28,160
information from Active Directory because we set up Group Policy

9
00:00:28,160 --> 00:00:33,370
that way. Back to dc1 we go. This time, let's open up Active

10
00:00:33,370 --> 00:00:36,620
Directory Users and Computers, and you'll want to make sure that you

11
00:00:36,620 --> 00:00:39,060
have the Advanced Features turned on.

12
00:00:39,060 --> 00:00:41,470
And there's a couple things we can do once we've

13
00:00:41,470 --> 00:00:43,820
enabled these BitLocker features.

14
00:00:43,820 --> 00:00:47,500
And actually, it reminds me of a point. Let me bring up a script file that

15
00:00:47,500 --> 00:00:52,580
I share with you in the exercise files. In order to get the extensions to

16
00:00:52,580 --> 00:00:57,740
BitLocker that give you the unlock tool, you'll want to run line 8 here if

17
00:00:57,740 --> 00:01:00,790
you're going to do it with PowerShell, Install-WindowsFeature. You'll do

18
00:01:00,790 --> 00:01:03,860
this on a domain controller, Install-WindowsFeature

19
00:01:03,860 --> 00:01:08,440
RSAT-Feature-Tools-BitLocker-BdeAducExt.

20
00:01:08,440 --> 00:01:12,340
This is required to get to the Password Viewer tool in

21
00:01:12,340 --> 00:01:14,580
Active Directory Users and Computers.

22
00:01:14,580 --> 00:01:18,040
If you're just looking to install BitLocker on a server,

23
00:01:18,040 --> 00:01:21,720
you could run what's on line 7, Install-WindowsFeature

24
00:01:21,720 --> 00:01:25,680
-Name BitLocker. So once you're in advanced view, one thing we could

25
00:01:25,680 --> 00:01:29,870
do, as I said, is we can look at the properties of a server, like

26
00:01:29,870 --> 00:01:34,810
MEM1, and we now have a BitLocker Recovery tab where we've got the

27
00:01:34,810 --> 00:01:37,530
recovery password in plaintext.

28
00:01:37,530 --> 00:01:43,130
So here is where we can, for example, copy it out. Let me throw this into a

29
00:01:43,130 --> 00:01:48,940
new document file here in VS Code, and we could give that to the user in

30
00:01:48,940 --> 00:01:52,440
question to solve the problem and unlock the drive.

31
00:01:52,440 --> 00:01:56,460
Another way to do this would be using, again, that extension.

32
00:01:56,460 --> 00:02:00,100
If we right-click the domain, notice that there's a new option here,

33
00:02:00,100 --> 00:02:03,250
Find BitLocker recovery password. Now here,

34
00:02:03,250 --> 00:02:06,780
unfortunately, it looks like you have to provide the first eight

35
00:02:06,780 --> 00:02:11,130
characters of the password ID. That is pretty inconvenient.

36
00:02:11,130 --> 00:02:15,740
So maybe Microsoft designed this intentionally because if someone

37
00:02:15,740 --> 00:02:19,330
were to breach a domain administrator account and maybe you were

38
00:02:19,330 --> 00:02:22,140
not set up as a disaster recovery agent,

39
00:02:22,140 --> 00:02:26,240
it would be too easy to enumerate all of the keys across the domain.

40
00:02:26,240 --> 00:02:31,750
But if we come back here, one, two, three, four, five, six, seven,

41
00:02:31,750 --> 00:02:34,730
eight, password ID, it's looking for the first. I really don't like

42
00:02:34,730 --> 00:02:36,720
this. I'm being really honest and candid.

43
00:02:36,720 --> 00:02:39,520
I don't like that tool at all. To be honest with you,

44
00:02:39,520 --> 00:02:44,810
I'm totally happy being able to look up here because I know what the machine is,

45
00:02:44,810 --> 00:02:49,230
I know what the machine name is, and we can go to... Okay,

46
00:02:49,230 --> 00:02:53,850
so it looks like actually password ID is a totally separate string from the

47
00:02:53,850 --> 00:02:56,640
recovery password, and here are the first eight characters.

48
00:02:56,640 --> 00:03:00,070
So we would need this anyway to use the viewer.

49
00:03:00,070 --> 00:03:03,440
So let me copy out those eight characters.

50
00:03:03,440 --> 00:03:03,970
And again,

51
00:03:03,970 --> 00:03:07,290
you see where I'm going? If you're able to get to the eight characters,

52
00:03:07,290 --> 00:03:10,690
why would you need to look up the recovery password in here?

53
00:03:10,690 --> 00:03:12,940
Again, I'm just thinking aloud.

54
00:03:12,940 --> 00:03:13,730
But anyway,

55
00:03:13,730 --> 00:03:22,000
you can see that by providing those eight characters we're able to resolve the server and its recovery password.