MS15-122 Security Update for Kerberos to Address Security Feature Bypass (Bitlocker)

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section.

The update addresses the bypass by adding an additional authentication check that will run prior to a password change. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3105256.

Access Denied Error 0x80070005 message when initializing TPM for Bitlocker

When you try to turn on BitLocker on a Windows 7 operating system drive, you may get an Access Denied error message while initializing the TPM.


Additionally, when you open the TPM Management Console and try to initialize the TPM, you get error 0x80070005.


Solution:

To set the correct permissions, follow the instructions below:

1. Open Active Directory Users and Computers.

2. Select the OU that contains all the computers that will have BitLocker turned on.

3. Right Click on the OU and click Delegate Control.


4. Click Next and then click Add.


5. Type SELF as the Object Name.


6. Select create a custom task to delegate.


7. From the objects in the folder, select Computer Objects.


8. Under "Show these permissions", select all 3 checkboxes.


9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.


10. Click Finish.

After you have done the above steps, you should be able to initialize TPM successfully.
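The same delegation as a script, an added example that is not part of the original post: it grants SELF the Write permission on msTPM-OwnerInformation for computer objects beneath an OU, which is what the Delegate Control wizard above configures, so each computer account can write its own TPM owner information and nothing else. It assumes the ActiveDirectory module (RSAT) is installed and that you replace the placeholder OU distinguished name; the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example, not from the original post. Grants SELF (S-1-5-10) WriteProperty
# on msTPM-OwnerInformation for descendant computer objects of an OU.
Import-Module ActiveDirectory

$ouDN = 'OU=BitLocker Computers,DC=example,DC=com'   # placeholder: your OU's DN

# Resolve the schemaIDGUIDs at run time; fails loudly if the attribute is missing
# (for example when the schema has not been extended for BitLocker/TPM).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found." }
    [guid]$obj.schemaIDGUID      # schemaIDGUID is returned as byte[16]
}
$attrGuid  = Get-SchemaGuid 'msTPM-OwnerInformation'
$classGuid = Get-SchemaGuid 'computer'

# SELF: every computer account gets the right on its own object only, not on
# the other computers in the OU.
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

# Allow WriteProperty on the single attribute, inherited by computer objects only.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACE that was just added.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Scoping the ACE to one attribute and to SELF is the point of the exercise: a blanket Write on computer objects would let any computer account rewrite other attributes of its peers, whereas this grant lets a machine store only its own TPM owner information.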

It worked for me!!!


BitLocker Active Directory Recovery Password Viewer on Windows Server 2008 R2

You can find the BitLocker Recovery Password Viewer on Windows Server 2008 R2 under Features. You can install the tool by opening Server Manager and, under »Add Features«, looking for »Remote Server Administration Tools« »Feature Administration Tools«. Here select »BitLocker Drive Encryption Administration Utilities« and follow the wizard.

Once the installation completes, you can open Active Directory Users and Computers and right-click on the domain level. You should now see »Find BitLocker Recovery Password…«

Recovering USB Stick that is encrypted with Bitlocker

Whoooops, I forgot my password for my USB stick.

What we do next: click "I forgot my password".

Click on "More Information": hey, I found a recovery key.

Then you go to Active Directory Users and Computers and look up the recovery key.

Next, enter the recovery key.

YES: My data is readable.

Last step: changing your password.
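Both lookups above (the Recovery Password Viewer from the previous section and the Active Directory step in this walkthrough) search the msFVE-RecoveryInformation objects that BitLocker stores under each computer account. As an added example, not part of the original post, the following PowerShell does the same search from the first eight characters of the Password ID shown on the recovery screen. It assumes the ActiveDirectory module is installed and that the caller has read access to those objects; the Password ID in the usage line is a constructed value.

```powershell
# Added example, not from the original post. Finds a BitLocker recovery password
# in AD DS by Password ID prefix, the same match the MMC viewer performs.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 hex characters of the Password ID on the recovery screen.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix
    )
    # Each recovery password is a child object of the computer account that backed
    # it up (removable drives are stored under the computer that encrypted them).
    # msFVE-RecoveryGuid holds the Password ID as 16 raw bytes, so the filter is
    # applied client-side after converting it back to a GUID.
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            $id = [guid]$_.'msFVE-RecoveryGuid'
            if ("$id" -like "$PasswordIdPrefix*") {
                [pscustomobject]@{
                    PasswordId       = $id
                    Computer         = ($_.DistinguishedName -split ',', 2)[1]  # parent object
                    Created          = $_.whenCreated
                    RecoveryPassword = $_.'msFVE-RecoveryPassword'
                }
            }
        }
}

# Usage (constructed Password ID): the recovery screen shows "Password ID: 4F6A2B1C-...";
# search with its first 8 characters.
Find-BitLockerRecoveryPassword -PasswordIdPrefix '4F6A2B1C'
```

Returning the parent computer and creation date lets you confirm that the key belongs to the user's machine before handing it over. msFVE-RecoveryPassword is a confidential attribute, readable by default only by domain administrators, and possession of it is equivalent to possession of the drive, so run this from an account whose reads of these objects are already audited.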

BitLocker to Go & Save the Recovery key in Active Directory

Before you start with BitLocker To Go, your domain controllers must be 2008 R2. You must upgrade your schema.

After doing that, I made a group policy named Bitlocker to Go.
You can find the BitLocker policy under: Computer Configuration | Policies | Administrative Templates: Policy Definitions | Windows Components | BitLocker Drive Encryption | Removable Data Drives.

I enabled the following policies:

Choose How BitLocker Removable Drives Can Be Recovered


First, you must select the Allow Data Recovery Agent option. This option should be selected by default, but since it is what makes the entire key recovery process possible, it is important to verify that it is enabled.

Next, you will enable the Omit Recovery Options From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.

Next, you will have to select Save BitLocker Recovery Information to AD DS for Removable Data Drives. This is the option that actually saves the BitLocker recovery keys to Active Directory.

Finally, you should select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This option forces Windows to confirm that the recovery information has been written to Active Directory before BitLocker is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key halfway through the encryption process.
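To check on a client that the four settings above actually arrived, the following added example (not from the original post) reads the registry values that the BitLocker policy ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and reports which ones differ from what this section requires. The value names are taken from the BitLocker policy definitions as I know them (RDV = Removable Data Volume); the script assumes it runs on a domain-joined machine after Group Policy has applied.

```powershell
# Added example, not from the original post. Verifies the removable-drive recovery
# policy on a client by reading the FVE policy registry key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy setting -> registry value written by the policy (assumed names, 1 = enabled).
$expected = [ordered]@{
    'Choose how removable drives can be recovered (enabled)'   = 'RDVRecovery'
    'Allow data recovery agent'                                = 'RDVManageDRA'
    'Omit recovery options from the BitLocker setup wizard'    = 'RDVHideRecoveryPage'
    'Save BitLocker recovery information to AD DS'             = 'RDVActiveDirectoryBackup'
    'Do not enable BitLocker until recovery info is in AD DS'  = 'RDVRequireActiveDirectoryBackup'
}

function Test-RemovableDriveRecoveryPolicy {
    $key = Get-Item -Path $fve -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Warning "No BitLocker policy applied: $fve does not exist."
        return
    }
    foreach ($setting in $expected.Keys) {
        $name   = $expected[$setting]
        $actual = $key.GetValue($name)      # $null when the value is not set
        [pscustomobject]@{
            Setting   = $setting
            Registry  = $name
            Actual    = $actual
            Compliant = ($actual -eq 1)
        }
    }
}

# Usage: one row per setting; anything not Compliant means the GPO is not in effect.
Test-RemovableDriveRecoveryPolicy | Format-Table -AutoSize
```

Run it after `gpupdate /force` on a test client before rolling the policy out; a missing RDVRequireActiveDirectoryBackup in particular means a user can still encrypt a stick whose recovery key never reached Active Directory.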

Windows XP SP2 and SP3 can only read a BitLocker-encrypted USB stick.