We use Bitlocker Active Directory Key Protector to protect and auto unlock USB drives but are seeing random failures to unlock.
We have two AD Groups that we use
- DOMAIN\BitlockerAdmin (contains system administrators)
- DOMAIN\BitlockerPerComputer (contains the user that uses the laptop)
The users are all members of a domain group “DOMAIN\BitlockerPerComputer” and we run the command:
Enable-BitLocker -MountPoint F: -EncryptionMethod XtsAes256 -UsedSpaceOnly -AdAccountOrGroup "Domain\BitlockerAdmin" -AdAccountOrGroupProtector
Add-BitLockerKeyProtector -MountPoint $BACKUPVOL -AdAccountOrGroup "DOMAIN\BitlockerPerComputer" -AdAccountOrGroupProtector
What we expect to happen (which works only sometimes):
- The user logs in and the drive unlocks, or the sysadmin logs in and the drive unlocks.
- If we remove the user from the AD group, the drive will always remain locked and the user will not be able to unlock it.
What we are seeing:
- Sometimes we notice the user logs in, and the drive does not unlock. We can wait for days and do numerous reboots but no change in behaviour.
- Anyone in the BitlockerAdmin group that logs in always unlocks fine
- If we add the user to the BitlockerAdmin group and log off and on, the drive sometimes unlocks, i.e. it works better, but sometimes it still will not.
- Even after removing the user from the AD group they are still able to unlock the drive
We have also tried using the manage-bde commands rather than PowerShell but get the same results.
Changing the order in which the groups are added makes no difference either.
We’ve tried to research exactly how the AD protector works in order to diagnose the issue but there is very little information out there.
Any pointers to help diagnose the issue gratefully received
0 Answers
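The following diagnostic script is an added example and is not part of the original question. It checks, from the failing user's own session, the three things the unlock depends on: that an AdAccountOrGroup protector is actually present on the volume, which SID that protector carries versus the SID the group name resolves to, and whether the user's current logon token contains that SID (token group membership is fixed at logon, so a group change in AD is not visible to an existing session). It then attempts the AD unlock explicitly so the error text is visible. Assumptions: the volume is F:, the group is DOMAIN\BitlockerPerComputer, the machine is domain-joined, and manage-bde prints the protector's SID verbatim in its `-protectors -get` output (Get-BitLockerVolume does not expose it).

```powershell
# Added diagnostic example (not the poster's code). Run as the user whose unlock fails.
# Assumptions: data volume F:, group DOMAIN\BitlockerPerComputer, domain-joined machine.
param(
    [string]$MountPoint = 'F:',
    [string]$Group      = 'DOMAIN\BitlockerPerComputer'
)

# 1. Enumerate the key protectors on the volume and confirm an AD protector exists.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : LockStatus=$($vol.LockStatus) ProtectionStatus=$($vol.ProtectionStatus)"
$vol.KeyProtector | Format-Table KeyProtectorId, KeyProtectorType -AutoSize
$adProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'AdAccountOrGroup')
if ($adProtectors.Count -eq 0) {
    Write-Warning "No AdAccountOrGroup protector found on $MountPoint"
    return
}

# 2. Resolve the group name to its SID and compare with the SIDs stored in the protectors.
#    Assumption: manage-bde lists the SID of each ADAccountOrGroup protector in plain text.
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
$mbde = & manage-bde.exe -protectors -get $MountPoint | Out-String
$protectorSids = [regex]::Matches($mbde, 'S-1-5-\d+(-\d+)+') |
                 ForEach-Object Value | Sort-Object -Unique
"Group $Group resolves to SID $groupSid"
"SIDs recorded in the volume's protectors: $($protectorSids -join ', ')"
if ($protectorSids -notcontains $groupSid) {
    Write-Warning "The group's SID is not among the protector SIDs on $MountPoint"
}

# 3. Check whether the CURRENT logon token carries the group SID. Token groups are
#    evaluated at logon, so AD membership and token membership can disagree until
#    the user logs off and on again.
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken = $token.Groups.Value -contains $groupSid
"Logged on as $($token.Name); logon token contains $Group : $inToken"

# 4. Attempt the AD-account unlock explicitly so any error message is visible.
if ($vol.LockStatus -eq 'Locked') {
    try {
        Unlock-BitLocker -MountPoint $MountPoint -AdAccountOrGroup -ErrorAction Stop | Out-Null
        "Unlock-BitLocker -AdAccountOrGroup succeeded on $MountPoint"
    } catch {
        Write-Warning "Unlock-BitLocker -AdAccountOrGroup failed: $($_.Exception.Message)"
    }
}
```

Run it once in a session where the drive unlocks and once where it does not, and compare the three results: a protector SID that differs from the group's current SID points at the protector, a token that lacks the SID while AD shows the user as a member points at the logon session, and a failing explicit Unlock-BitLocker with both in agreement points at the unlock step itself.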