on windows 2008 r2 and windows 2012 r2 VMs, drives other than c: are classified as removable data drives (bitlocker to go). the options for unlocking a removable data drive include: manual password unlock, smart card unlock, and auto-unlock. the smart card unlock in my case is irreverent. i tried the password unlock…which works, but share settings seem to be completely removed each time the drive is locked/unlocked with this method. i then tried the auto-unlock which maintains the share settings but still requires that a user logs into the system to unlock the drive. the user may logout after the initial drive unlocking.

getting bitlocker info:
manage-bde -status e: = display status of bitlocker encryption on specified drive
manage-bde -protectors -get e: = display IDs
manage-bde -protectors -adbackup e: -id <numerical password ID> = stores recovery data in AD
source: http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

further info here: http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

once the recovery data is stored in AD, the recovery password will be visible from the “bitlocker recovery” tab on the particular computer account object that has bitlocker and the appropriate group policies enabled. also in ADUC, you can use “find bitlocker recovery password” by right-clicking the root of the domain. you can then search for a recovery password if you know the first 8 characters of the numerical password ID.

recovery testing…a bitlocker enabled drive can be attached to another windows system that has bitlocker capabilities. the drive will appear as locked. simply knowing the password to unlock the drive is sufficient. if the password is forgotten then the recovery password will have to be entered.

Comments are closed.