BitLocker audit key recovery

jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 19, 2024 - 5:04 PM

Good morning,

wapt console: 2.3.0.13470
Enable BitLocker: 10.5.0
BitLocker audit: 10.5.0
Computer with 2 HDDs: C: (system) and D: (data) (C: system drive only is encrypted)

I'm having trouble retrieving the BitLocker key from Active Directory
The installation and encryption of the C: drive poses no problem
The audit, however, returns an error :( I'm summarizing what it tells me:

Code:

OK : C: is encrypted and BitLocker protection is ON
IMPORTANT : I did not specify a "decrypt_cert_list" .... ( I don't necessarily want the key to be visible in WAPT )
ERROR : D: Data drive is not encrypted with BitLocker
INFO: D: Data drive bitlocker encryptionmethod is :none
I have the impression that it is not attempting to send the key to AD
And why is it giving me an error because D: is not encrypted?

I must have missed something

Thank you for your help
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

November 19, 2024 - 6:04 PM

Hi Jens,

by default the package only encrypts the system disk. This is to prevent unintentionally encrypting an external drive. If you want to encrypt the D: drive, you would need to modify the package.

Regarding uploading the encrypted password to Active Directory, I think there's a Group Policy Object (GPO) or something similar that needs to be configured. There's also a "laps by wapt" package that uploads the encrypted password to WAPT.

Just so you know, with the release of WAPT 2.6 today, WAPT 2.3 is no longer supported. Could you plan an update?

Best regards,

Denis
Denis Cardon - Tranquil IT
jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 20, 2024 - 8:32 AM

Good morning,
By default, the package only encrypts the system disk
That's exactly what I want, but the audit-bitlocker package returns an error for the Data D: drive

Regarding retrieving the password from AD, I believe it's the audit-bitlocker package that should handle it (LAPS is only for local admin account passwords)

Here's a snippet of the audit-bitlocker package:

Code:

for keyprotector in keyprotector_list:
    keyprotectorid = keyprotector["KeyProtectorId"]
    if keyprotector["KeyProtectorType"] in [1, 2, 4]:
        # WAPT.delete_audit_data(
        #     "enable-bitlocker", f"RecoveryPassword_{keyprotectorid}"
        # )  # not possible from package, please delete from WAPT Console
        # print("INFO: Skipping Backup-BitLockerKeyProtector for KeyProtectorType: Tpm")
        continue

    try:
        # Backuping RecoveryPassword to the AD
        if registry_readstring(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History', 'NetworkName', None):
            print(f"Backuping: RecoveryPassword {keyprotectorid} to the AD")
            run_powershell(f'Backup-BitLockerKeyProtector -MountPoint "{mountpoint}" -KeyProtectorId "{keyprotectorid}"')
    except Exception as e:
        print(e)
        print(f"WARNING: Failed to backup RecoveryPassword {keyprotectorid} to the AD")
        audit_status = set_audit_status(audit_status, "WARNING")
I also added a GPO that's supposed to send the recovery key to Active Directory, but it didn't change anything
I don't have the recovery key that appears in Active Directory, nor the warning saying "Failed to back up RecoveryPassword"

THANKS
jlepiquet
Messages: 69
Registration: Sep 3, 2024 - 4:09 p.m.

November 20, 2024 - 2:40 PM

Good morning,

The script will run through all the physical disks present in the machine.

You can modify or delete the following code:

line 207

Code:

        else:
            print(f"ERROR: {mountpoint} {volumetype} drive is not encrypted with BitLocker")
            audit_status = set_audit_status(audit_status, "ERROR")
jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 20, 2024 - 6:40 PM

Good morning,

Okay, I changed the two ERROR messages to WARNING messages so that the red error message is no longer displayed (thank you)

I also added a certificate to the "decrypt_cert_list" to view the backup of the recovery key in WAPT (for testing purposes)
In the audit it clearly told me:
backup: RecoveryPassword{xxxx-xxx-xxx--xxxxx} to the wapt console
However, I don't know where I'm supposed to see the recovery key.

And it still hasn't told me anything about backing up the recovery key in AD
To test, I launched the command on my computer:
Backup-BitLockerKeyProtector -MountPoint "{mountpoint}" -KeyProtectorId "{keyprotectorid}"
By setting the correct values, of course, and the key has indeed appeared in the machine's properties in Active Directory

If anyone has already done this and it works, I'd be interested


THANKS
jlepiquet
Messages: 69
Registration: Sep 3, 2024 - 4:09 p.m.

November 21, 2024 - 11:52 AM

Good morning,

The script doesn't seem to enter this block:

Code:

                    if registry_readstring(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History', 'NetworkName', None):
                        print(f"Backuping: RecoveryPassword {keyprotectorid} to the AD")
                        run_powershell(f'Backup-BitLockerKeyProtector -MountPoint "{mountpoint}" -KeyProtectorId "{keyprotectorid}"')

Is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName completely empty on the machine?
jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 21, 2024 - 12:45

Yes, this key is indeed empty
jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 21, 2024 - 1:10 PM

I just ran a test by assigning the value "test" to NetworkName under SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History,
and the audit log correctly indicates that it saves the recovery key in Active Directory.

That's strange, isn't it?
Or perhaps I'm misinterpreting the condition:
if registry_readstring(HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History', 'NetworkName', None):

I'm not exactly a developer expert.

Furthermore, I don't see in the Wapt console where it provides the key after saving it in Wapt.
jlepiquet
Messages: 69
Registration: Sep 3, 2024 - 4:09 p.m.

November 21, 2024 - 2:35 PM

If you replace 'NetworkName' with 'MachineDomain', does it work better?
Is the key correctly present with the domain name attached?
jptw
Messages: 32
Registration: July 8, 2020 - 11:08 AM

November 21, 2024 - 3:14 PM

Hi, yes, it works if I replace it with MachineDomain. The key is correctly uploaded to AD, thanks.

And for the key backup in WAPT, do you know where to find it?
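The two decisions this thread ends up changing, written out as an added, runnable example (this is not code from the audit-bitlocker package, from Tranquil IT, or from anyone in the thread): first, whether the host counts as domain-joined, read from the Group Policy History key using MachineDomain (which worked) instead of NetworkName (which was empty), and so whether Backup-BitLockerKeyProtector should be attempted for each recovery-password protector; second, how the audit status is computed when a non-system data drive is intentionally left unencrypted, downgrading it from ERROR to WARNING as suggested above. Assumptions: the registry is a constructed dict keyed by (key path, value name) rather than a live winreg read, the `registry_readstring` and `set_audit_status` helpers are stand-ins with the same semantics as the WAPT ones, the KeyProtectorType numbers follow the Win32_EncryptableVolume convention the snippet relies on (1 = TPM, 2 = external key, 3 = numerical/recovery password, 4 = TPM+PIN), and no PowerShell is executed; the commands are only returned so they can be inspected.

```python
"""Model of the audit-bitlocker decisions discussed in the thread (added example, offline)."""
from typing import Dict, List, Tuple

GP_HISTORY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History"
RECOVERY_PASSWORD = 3  # assumption: only numerical-password protectors are backed up to AD

# Constructed sample data standing in for Get-BitLockerVolume output on the thread's machine.
SAMPLE_PROTECTORS = [
    {"KeyProtectorId": "{00000000-0000-0000-0000-000000000001}", "KeyProtectorType": 1},
    {"KeyProtectorId": "{00000000-0000-0000-0000-000000000002}", "KeyProtectorType": RECOVERY_PASSWORD},
]
SAMPLE_VOLUMES = [
    {"MountPoint": "C:", "VolumeType": "OperatingSystem", "ProtectionStatus": "On"},
    {"MountPoint": "D:", "VolumeType": "Data", "ProtectionStatus": "Off"},
]
# Constructed registry contents: domain-joined host where NetworkName is empty (as in the thread).
DOMAIN_JOINED_REGISTRY = {(GP_HISTORY, "MachineDomain"): "corp.example", (GP_HISTORY, "NetworkName"): ""}
WORKGROUP_REGISTRY: Dict[Tuple[str, str], str] = {}


def registry_readstring(registry, path, name, default=None):
    # Stand-in for the WAPT helper of the same name: an absent or empty REG_SZ yields the default.
    value = registry.get((path, name))
    return default if value in (None, "") else value


def is_domain_joined(registry) -> bool:
    # The thread's finding: MachineDomain is populated on the domain-joined host while NetworkName
    # is not, so a test on NetworkName silently skipped the AD backup.
    return bool(registry_readstring(registry, GP_HISTORY, "MachineDomain"))


def plan_ad_backup(registry, mountpoint, keyprotectors) -> List[str]:
    """Return the Backup-BitLockerKeyProtector commands the audit should run (none off-domain)."""
    if not is_domain_joined(registry):
        return []
    return [
        f'Backup-BitLockerKeyProtector -MountPoint "{mountpoint}" -KeyProtectorId "{kp["KeyProtectorId"]}"'
        for kp in keyprotectors
        if kp["KeyProtectorType"] == RECOVERY_PASSWORD
    ]


def set_audit_status(current: str, new: str) -> str:
    # Same semantics as the package helper: keep the worst status seen so far.
    order = {"OK": 0, "WARNING": 1, "ERROR": 2}
    return new if order[new] > order[current] else current


def audit_volumes(volumes) -> Tuple[str, List[str]]:
    """Per-volume check: an unencrypted system drive is an ERROR, an unencrypted data drive a WARNING."""
    status, messages = "OK", []
    for v in volumes:
        if v["ProtectionStatus"] == "On":
            messages.append(f"OK: {v['MountPoint']} is encrypted and BitLocker protection is ON")
        elif v["VolumeType"] == "OperatingSystem":
            messages.append(f"ERROR: {v['MountPoint']} system drive is not encrypted with BitLocker")
            status = set_audit_status(status, "ERROR")
        else:
            messages.append(f"WARNING: {v['MountPoint']} {v['VolumeType']} drive is not encrypted with BitLocker")
            status = set_audit_status(status, "WARNING")
    return status, messages


if __name__ == "__main__":
    overall, lines = audit_volumes(SAMPLE_VOLUMES)
    for line in lines:
        print(line)
    print("Overall audit status:", overall)
    for cmd in plan_ad_backup(DOMAIN_JOINED_REGISTRY, "C:", SAMPLE_PROTECTORS):
        print("Would run:", cmd)
    print("Workgroup host, AD backup commands:", plan_ad_backup(WORKGROUP_REGISTRY, "C:", SAMPLE_PROTECTORS))
```

On the sample data the audit returns WARNING overall (C: is fine, D: is reported but not as an error) and exactly one backup command, for the recovery-password protector; on a host with no MachineDomain value nothing is sent to AD, which is the visible symptom the thread started with.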