What's the best way to troubleshoot what changes are forcing Bitlocker into password mode?
We've deployed 10 notebooks with Bitlocker enabled. We are saving information in our Win 2008 R2 Active Directory domain. Recently, several of the notebooks have booted into the Bitlocker password mode. I've asked the users if they made changes to the BIOS or ran any system updates. Nothing 'appears' to have changed but something had to. What's the best way to figure out what's made the changes short of digging into the regular System or Application logs? Are there any Bitlocker-specific logs that we can enable to see what's forcing this to appear?
Orange County District Attorney
August 17th, 2010 6:29pm
Maybe the policy has changed. Check the policy:
Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup
Some process can change the policy by configuring Registry values:
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPMPIN
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPMKeyPIN
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseTPM
You can enable object auditing and try to find clues.
1. Click Start, enter GPedit.msc in the Start Search box.
2. Open the following branch.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Security
3. Enable the following policies:
Audit account logon events
Audit object access
4. Open regedit.
5. Right click on the Registry branch you would like to audit, choose Security. Click the Advanced button.
6. Click the Auditing tab. Click Continue.
7. Click Add. Then click Advanced.
8. Click the button Find Now.
9. Wait for the process to finish. Then from the users list add the following users:
ANONYMOUS LOGON
BATCH
CREATOR OWNER
Everyone
Guests
LOCAL SERVICE
NETWORK
NETWORK SERVICE
SERVICE
SYSTEM
10. After selecting each user, choose “Delete” and “Delete subfolders and files” as the auditing entries.
If you would like to check which account was trying to remove items in the folder, please open Event Viewer and check the Windows Logs\Security log for detailed information.
Hope it helps.
Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 18th, 2010 11:51am
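The policy values and the registry auditing Arthur describes can be collected in one pass, so the output from a notebook that prompted for the recovery password can be compared against one that did not. The script below is an added example, not code from the thread or from Microsoft. The value names UseTPM, UseTPMPIN and UseTPMKeyPIN come from the post above; UseAdvancedStartup is an assumption about the value that backs "Require additional authentication at startup", and the key protector listing assumes manage-bde.exe is available (Windows 7 / Server 2008 R2) and that the script is run from an elevated prompt.

```powershell
# Added example (not from the thread): snapshot the BitLocker policy registry
# values named in the thread, the audit (SACL) entries on that key, and the key
# protectors on the OS drive, so the results can be diffed between machines.
# Assumes PowerShell 2.0 or later and an elevated prompt.

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# UseTPM, UseTPMPIN and UseTPMKeyPIN are named in the thread.
# UseAdvancedStartup is assumed to back "Require additional authentication at startup".
$valueNames = 'UseAdvancedStartup', 'UseTPM', 'UseTPMPIN', 'UseTPMKeyPIN'

function Get-FvePolicySnapshot {
    # Returns one object per policy value; a missing key means the policy is Not Configured.
    if (-not (Test-Path $fveKey)) {
        Write-Output "No FVE policy key present: startup-authentication policy is Not Configured."
        return
    }
    $key = Get-ItemProperty -Path $fveKey
    foreach ($name in $valueNames) {
        $value = $key.$name
        if ($null -eq $value) { $value = '<not set>' }
        New-Object PSObject -Property @{ Name = $name; Value = $value } |
            Select-Object Name, Value
    }
}

function Get-FveAuditEntries {
    # Lists the registry audit entries on the policy key, i.e. whether the
    # object-access auditing described in the thread is actually in place here.
    if (-not (Test-Path $fveKey)) { return }
    (Get-Acl -Path $fveKey -Audit).Audit |
        Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags
}

function Get-OsDriveProtectors {
    # manage-bde prints plain text; capture it so it can be saved with the snapshot.
    & manage-bde.exe -protectors -get C: 2>&1
}

Write-Output "=== FVE policy values ==="
Get-FvePolicySnapshot | Format-Table -AutoSize
Write-Output "=== Audit entries on $fveKey ==="
Get-FveAuditEntries | Format-Table -AutoSize
Write-Output "=== Key protectors on C: ==="
Get-OsDriveProtectors
```

Save the output from each notebook to a file and compare them: a difference in the policy values or in the protector list between an affected and an unaffected machine points at a configuration change rather than a hardware or firmware change.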
Thanks for the great post Arthur. We don't enforce the "Require additional authentication at startup" policy in our environment. We store recovery information in AD, that's about all we enforce. We don't require users to enter PIN numbers or passwords at login.
I did notice something about our Bitlocker policy however. I have it enabled for:
Fixed Data Drives, Operating System Drives, Removable Data Drives
Now, we've only encrypted the hard drive, C: on our notebooks but I wonder how the Fixed Data Drive and Removable Data Drive policy affect things?
Orange County District Attorney
August 18th, 2010 5:28pm
Do you mean recovery passwords are saved to AD? If so, please let us know if Windows XP clients have to enter password.
I just suspect that the password is for authentication, but not for BitLocker. Is the AD system Windows Server 2003? How does it work if you change the default NTLM authentication level in Windows 7 clients?
1. Open gpedit.msc from the Start Search box. Then locate the following policy:
2. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
3. Please change it to "Send LM & NTLM - use NTLMv2 session security if negotiated".
If the issue still occurs, I suggest you temporarily disable the firewall and check the result.
August 23rd, 2010 5:53am
We don't have the user enter a password at boot time. We enable Bitlocker and then save the passwords to AD, Windows 2008 R2 AD. I was hoping something could get written to the Bitlocker logs to help understand what it's seeing as a change.
Orange County District Attorney
August 23rd, 2010 5:23pm
Related events are stored on the client computers. However, they may not be helpful in troubleshooting.
There is more information in the following articles. You may check whether the processes were followed exactly when you set up Bitlocker:
BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
Backing Up BitLocker and TPM Recovery Information to AD DS
How does it work if firewalls are disabled?
August 25th, 2010 12:41pm
Thanks for the links and the info. We disable the firewalls on our domain network by default. (I know, I know). I was hoping something would be logged somewhere when a change was made........
Orange County District Attorney
August 26th, 2010 1:59am
In Event Viewer, BitLocker-related logs are saved in:
Windows Logs > Applications and Services Logs > Microsoft > Windows > Bitlocker-DriverPreparationTool
The events related to whether the recovery password was saved into AD successfully are stored on the client; you may try to find them in the System log or Security log.
You may check the logs. Hope it helps.
August 27th, 2010 10:01am
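The event channels Arthur points to, together with the System log entries about AD backup of the recovery password, can be pulled from an affected notebook in one query window around the time the recovery prompt appeared. This is an added example, not code from the thread or from Microsoft. The channel names are assumptions about a Windows 7 client (verify them with `Get-WinEvent -ListLog *BitLocker*`), the 48-hour window is an arbitrary choice, and the Security log needs an elevated prompt to read.

```powershell
# Added example (not from the thread): collect BitLocker-related events from the
# channels named in the thread plus System-log entries from BitLocker, TPM and
# Windows Update providers, and write them to a CSV for review.
# Assumes PowerShell 2.0+ (Get-WinEvent) and an elevated prompt.

$hoursBack = 48                                   # assumed window; adjust as needed
$since = (Get-Date).AddHours(-$hoursBack)

# Assumed channel names for a Windows 7 client; check with Get-WinEvent -ListLog *BitLocker*
$channels = @(
    'Microsoft-Windows-BitLocker/BitLocker Management',
    'Microsoft-Windows-BitLocker-DrivePreparationTool/Operational',
    'Microsoft-Windows-BitLocker-DrivePreparationTool/Admin'
)

function Get-BitLockerChannelEvents {
    # Get-WinEvent throws when a channel is missing or empty in the window; treat that as "nothing".
    foreach ($log in $channels) {
        try {
            Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop |
                Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
        } catch {
            Write-Verbose ("No events from {0}: {1}" -f $log, $_.Exception.Message)
        }
    }
}

function Get-RelatedSystemEvents {
    # The thread says AD backup results land in the System/Security logs; the OP also
    # asked about system updates, so Windows Update client events are included to
    # line up any installed update against the first recovery prompt.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ProviderName -match 'BitLocker|TPM|WindowsUpdateClient' -or
            $_.Message -match 'BitLocker|TPM'
        } |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}

$report = @()
$report += Get-BitLockerChannelEvents
$report += Get-RelatedSystemEvents
$outFile = Join-Path $env:TEMP 'bitlocker-events.csv'
$report | Sort-Object TimeCreated | Export-Csv -Path $outFile -NoTypeInformation
Write-Output ("Wrote {0} events to {1}" -f $report.Count, $outFile)
```

Sort the CSV by time and look at what the client logged immediately before the boot on which the recovery password was first requested; an update installation or a TPM-provider event in that window is the closest thing these logs give to a "what changed" record.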
Are there any logs that one could check out that would show what could have changed, in the system, that would have prompted a user to enter the recovery password?
Orange County District Attorney
August 27th, 2010 5:03pm
Hi,
No such logs exist.
August 31st, 2010 12:03pm
Thanks, that's what I was looking for.
Orange County District Attorney
August 31st, 2010 5:11pm