
We use Bitlocker Active Directory Key Protector to protect and auto unlock USB drives but are seeing random failures to unlock.

We have two AD Groups that we use

  • DOMAIN\BitlockerAdmin (contains system administrators)
  • DOMAIN\BitlockerPerComputer (contains the user that uses the laptop)

The users are all members of a domain group “DOMAIN\BitlockerPerComputer” and we run the following commands:

# Encrypt the volume and add the admin group as the first AD account/group protector
Enable-BitLocker -MountPoint F: -EncryptionMethod XtsAes256 -UsedSpaceOnly -AdAccountOrGroup "Domain\BitlockerAdmin" -AdAccountOrGroupProtector
# $BACKUPVOL is assumed to refer to the same volume encrypted above
$BACKUPVOL = "F:"
# Add the per-computer user group as a second AD account/group protector
Add-BitLockerKeyProtector -MountPoint $BACKUPVOL -AdAccountOrGroup "DOMAIN\BitlockerPerComputer" -AdAccountOrGroupProtector

What we expect to happen (which works only sometimes):

  • User logs in, and the drive unlocks, or the Sysadmin logs in, and the drive unlocks.
  • If we remove the user from the AD group, the drive will always remain locked and the user will not be able to unlock it.

What we are seeing:

  • Sometimes we notice the user logs in, and the drive does not unlock. We can wait for days and do numerous reboots but no change in behaviour.
  • Anyone in the BitlockerAdmin group that logs in always unlocks fine.
  • If we add the user to the BitlockerAdmin group and log off and on, the drive sometimes will unlock, i.e. it works better, but sometimes it will not.
  • Even after removing the user from the AD group they are still able to unlock the drive

We have also tried to use the Manage-bde commands rather than PowerShell but get the same results.

Changing the order of the groups that I add in first makes no difference either.

We’ve tried to research exactly how the AD protector works in order to diagnose the issue but there is very little information out there.

Any pointers to help diagnose the issue gratefully received.

Phil
  • This sounds more like membership token issue than bitlocker. From cmd prompt perform a 'whoami /groups' and verify the group membership is correct for the unexpected users. Also try disabling cached credentials while you troubleshoot. – spacenomyous Nov 06 '17 at 14:03
  • Thanks spacenomyous, will look into your suggestions. As an aside, can you point me to any resources that give details of how the VMK is encrypted when using the AD Key protector - is a KDF used or similar? – Phil Nov 06 '17 at 14:16
  • The VMK is encrypted using a key protector (see 'BitLocker Keys' https://technet.microsoft.com/en-us/library/2007.06.bitlocker.aspx). The way I understand it, the AD Key Protector uses AD authentication of the logged on user to check membership of the defined SID. If yes, it unlocks the drive. (see 'Using a SID based protector in Windows PowerShell' https://technet.microsoft.com/en-us/library/dn383581(v=ws.11).aspx#Using manage-bde to encrypt volumes with BitLocker) – spacenomyous Nov 06 '17 at 15:16
  • Yes, I've read that but I don't know HOW it decrypts the VMK as there doesn't appear to be any additional data attached to the AD object – Phil Nov 06 '17 at 15:47
  • It's just another key protector. If you have access to the SID, just like if you have access to the TPM, PIN, or USB key - it unlocks the drive. – spacenomyous Nov 06 '17 at 16:03
  • My understanding (which may be wrong!!) is that in the case of TPM, PIN, USB etc. those actually store some information used to unlock the VMK e.g. the USB drive has the key in a file, the PIN uses a KDF, the TPM stores a key etc. In the case of the SID, where is the unlock information and how is it protected? – Phil Nov 07 '17 at 11:06
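The diagnostic suggested in the comments (compare the logged-on user's token groups with the SID each AD protector was created for) can be automated. The script below is an added example and is not part of the question or the comments. It assumes the Win32_EncryptableVolume WMI class in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace with its GetKeyProtectors and GetKeyProtectorAdSidInformation methods, which is how I understand the SID-based protector is exposed; the mount point F: is taken from the question.

```powershell
# Added example (not from the question): for each AD account/group key protector on a
# BitLocker volume, report the SID it was created for and whether that SID is present
# in the current logon token (the same data 'whoami /groups' shows). Run it in the
# session of the user whose unlock is failing. Requires the BitLocker WMI provider.
param([string]$MountPoint = "F:")   # F: is the volume from the question

$ns  = "root\CIMV2\Security\MicrosoftVolumeEncryption"   # assumed namespace of Win32_EncryptableVolume
$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $MountPoint }
if (-not $vol) { throw "No encryptable volume found for $MountPoint" }

# KeyProtectorType 0 = all protector types (assumed from the GetKeyProtectors documentation)
$ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
            -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID

# SIDs in the current logon token: the user SID plus every group SID.
# Group changes made in AD after logon do not appear here until the user logs on again.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

foreach ($id in $ids) {
    # GetKeyProtectorAdSidInformation (assumed method name) returns SidString for SID-based
    # protectors and a non-zero ReturnValue for every other protector type.
    $info = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorAdSidInformation `
                -Arguments @{ VolumeKeyProtectorID = $id }
    if ($info.ReturnValue -ne 0 -or -not $info.SidString) { continue }

    $sid = $info.SidString
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                     Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = "<unresolved>" }

    [pscustomobject]@{
        ProtectorId    = $id
        Sid            = $sid
        Account        = $account
        InCurrentToken = ($tokenSids -contains $sid)
    }
}
```

If the row for DOMAIN\BitlockerPerComputer shows InCurrentToken = False in a session where the user is supposedly a member, the token built at logon did not contain the group (for example a logon that predates the membership change, or a cached logon that never contacted a domain controller), which matches the behaviour in the question far better than a BitLocker fault would. Conversely, a user removed from the group who still shows the SID in the token is holding a stale token and will keep unlocking until the next fresh logon.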

0 Answers