A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2

Summary

After you enable Federal Information Processing Standard (FIPS) compliance for BitLocker in Windows 7 or Windows Server 2008 R2, you cannot save a FIPS-compliant recovery password to Active Directory Domain Services (AD DS).

More Information

The update that is described in this article adds support to back up a FIPS-compliant recovery password to AD DS in FIPS compliance mode.

Note If you roll back to a restore point that was created before you installed this update, you will be unable to unlock the data and removable drives by using a recovery key or a FIPS-compliant recovery password if the drives are protected by a FIPS-compliant recovery password.

To require that the data and removable drives use a FIPS-compliant recovery password in FIPS mode, you must use the manage-bde command-line tool to add the FIPS-compliant recovery password manually.

Before you install this update

Before you install this update and enable a FIPS-compliant recovery password in Active Directory, you should be aware of the following considerations:
  • Recovery partition
    If you install this update on a system that has a recovery partition, you should also apply the update to the recovery partition. This enables Windows on the recovery partition to access the BitLocker drive by using the updated BitLocker algorithms. To apply this update to the recovery partition, follow these steps:
    1. Disable any active Windows Recovery Environment (RE) image that is mapped to the online image. To do this, run the following command:

      Reagentc /disable
    2. Create a folder on a nonsystem drive. (For example, create a folder on E:\Recovery.)
    3. Use the Deployment Image Servicing and Management (DISM) tool to mount a Windows image from a Windows Imaging (WIM) file. To do this, run the following command:

      Dism /Mount-Wim /WimFile:path_of_winre.wim /index:1 /MountDir:E:\Recovery

      Notes
      • To find the WIM file, run the following command:

        reagentc /info

        Note On legacy computers, you can find the WIM file in the following folder:

        C:\Windows\System32\Recovery\Winre.wim
      • The WinRE.wim file may have the SYSTEM and HIDDEN file attributes set. Use the Attrib command to remove these attributes.
      • WinRE.wim may be in a hidden directory or partition. Use the DIR /A command to find hidden folders and files. If it is necessary, use the Diskpart utility to unhide the partition.
      • The WinRE.wim file may also be on a removable or thumb drive.
    4. Use DISM to add the update package to the mounted image. To do this, run the following command:

      Dism /image:E:\Recovery /Add-Package /PackagePath:file_path_of_.msu_or_.cab_file
    5. Unmount the image and commit the changes. Before you do this, make sure that no File Explorer windows are open in the mount directory. To do this, run the following command:

      Dism /Unmount-Wim /MountDir:E:\Recovery /Commit
    6. Enable your custom Windows RE boot image. To do this, run the following command:

      Reagentc /enable
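    The recovery-partition procedure above, written as a single checked script. This is an added example, not part of the KB article: it assumes an elevated PowerShell prompt, that after reagentc /disable the image sits at the path the note above gives (override with -WimPath if reagentc /info shows another location), and that the downloaded .msu or .cab is passed in -Package. Each step stops on a non-zero exit code, and a failed servicing step discards the mount instead of committing a half-patched image.

```powershell
# Added example (not from the KB article): service winre.wim with the update package.
param(
    [Parameter(Mandatory=$true)][string]$Package,          # .msu or .cab downloaded from the hotfix page
    [string]$WimPath  = "$env:SystemRoot\System32\Recovery\Winre.wim",  # location after reagentc /disable
    [string]$MountDir = 'E:\Recovery'                       # folder on a non-system drive
)
function Invoke-Checked { param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') exited with code $LASTEXITCODE" }
}
if (-not (Test-Path -LiteralPath $Package)) { throw "Update package not found: $Package" }

# Step 1: detach the active WinRE image from the online image.
Invoke-Checked reagentc.exe @('/disable')

# The WIM is often SYSTEM+HIDDEN, so Get-Item needs -Force; attrib clears the bits for DISM.
$wim = Get-Item -LiteralPath $WimPath -Force -ErrorAction Stop
Invoke-Checked attrib.exe @('-s', '-h', $wim.FullName)

# Step 2: the mount directory must exist and be empty.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
if (@(Get-ChildItem -LiteralPath $MountDir -Force).Count -ne 0) { throw "$MountDir must be empty" }

# Step 3: mount index 1 of the WIM.
Invoke-Checked dism.exe @('/Mount-Wim', "/WimFile:$($wim.FullName)", '/index:1', "/MountDir:$MountDir")
try {
    # Step 4: inject the update into the mounted image.
    Invoke-Checked dism.exe @("/image:$MountDir", '/Add-Package', "/PackagePath:$Package")
    # Step 5: commit; any open handle under $MountDir (e.g. an Explorer window) makes this fail.
    Invoke-Checked dism.exe @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
} catch {
    # Never leave a broken WinRE behind: throw the changes away and surface the error.
    dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
    throw
}
# Restore the attributes and re-register the serviced image (step 6).
Invoke-Checked attrib.exe @('+s', '+h', $wim.FullName)
Invoke-Checked reagentc.exe @('/enable')
```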

  • Removing the update
    You can remove this update either by uninstalling or by using System Restore. If you decide to do this, you should first take one of the following actions to make sure that you can access BitLocker-protected drives after the removal. If you try to remove the update before you take one of these actions, the removal will fail.
    • Remove the FIPS-compliant recovery password (system and data drive). If you applied a FIPS-compliant recovery password, you can remove the recovery password by using the manage-bde command.
    • Decrypt BitLocker drives (system and data drive). If the drives are decrypted and are no longer protected by BitLocker, Windows will still be able to access the drive if you remove the update.
    Note If you remove this update after the data and removable drives are protected by a FIPS-compliant recovery password, you will be unable to unlock the data and removable drives by using a recovery key or a FIPS-compliant recovery password. To access data or removable drives when you are in this state, you must reinstall this update.
  • Upgrading from Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1
    • Upgrading to Windows 8.1 or Windows Server 2012 R2 or a later version of Windows is a supported scenario.
    • Upgrading to Windows 8 or Windows Server 2012 is not a supported scenario.

Installation

Operating system drive

To enable a FIPS-compliant recovery password if you have BitLocker enabled, follow these steps on the operating system drive.
  • If FIPS mode is disabled:
    1. Install this update.
    2. Turn on FIPS mode.
    3. Suspend and then resume BitLocker on the operating system drive.
  • If FIPS mode is enabled:
    1. Install this update.
    2. Add a FIPS-compliant recovery password by using the manage-bde command.
Note The FIPS-compliant recovery password on data and removable drives is not automatically upgraded. See the following section.

Data or removable drive

To enable a FIPS-compliant recovery password if you have BitLocker enabled, follow these steps on the data or removable drive:
  • If FIPS mode is disabled:
    1. Install this update.
    2. Unlock the drive.
    3. Delete the existing FIPS-compliant recovery password.
    4. Turn on FIPS mode.
    5. Add a FIPS-compliant recovery password by using the manage-bde command.
  • If FIPS mode is enabled:
    1. Install this update.
    2. Add a FIPS-compliant recovery password by using the manage-bde command.
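The manage-bde steps from both the operating-system-drive and the data-or-removable-drive procedures, as an added example that is not part of the KB article. It assumes an elevated PowerShell prompt, that the update is already installed, that the target drive is already unlocked, and that the FIPS policy is read from the Lsa\FipsAlgorithmPolicy registry value; the protector ID is parsed from manage-bde's own "ID: {GUID}" output line so that the new password can be backed up to AD DS in the same run.

```powershell
# Added example (not from the KB article): add a FIPS-compliant recovery password and back it up to AD DS.
param(
    [string]$Drive = 'E:',
    [switch]$OperatingSystemDrive   # OS drive: suspend/resume instead of delete/add
)
function Invoke-Bde { param([string[]]$ArgList)
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($ArgList -join ' ') failed:`n$out" }
    $out
}

# FIPS mode must be on; otherwise the new protector is not FIPS-compliant.
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled
if ($fips.Enabled -ne 1) { throw 'FIPS mode is disabled; turn it on before adding the recovery password.' }

# Protectors cannot be changed on a locked drive.
$status = Invoke-Bde @('-status', $Drive)
if ($status -match 'Lock Status:\s+Locked') { throw "$Drive is locked; unlock it first (manage-bde -unlock)." }

if ($OperatingSystemDrive) {
    # OS drive with FIPS mode just turned on: suspend and resume BitLocker.
    Invoke-Bde @('-pause',  $Drive) | Out-Null
    Invoke-Bde @('-resume', $Drive) | Out-Null
} else {
    # Data/removable drive: drop the pre-FIPS recovery password, then add a new one.
    Invoke-Bde @('-protectors', '-delete', $Drive, '-type', 'RecoveryPassword') | Out-Null
}
$add = Invoke-Bde @('-protectors', '-add', $Drive, '-RecoveryPassword')
$m = $add | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})'
if (-not $m) { throw "Could not find the protector ID in manage-bde output:`n$add" }
$id = $m.Matches[0].Groups[1].Value

# Back up the new protector to AD DS (this is what the update makes possible in FIPS mode).
Invoke-Bde @('-protectors', '-adbackup', $Drive, '-id', $id) | Out-Null
Write-Output "Recovery password protector $id on $Drive backed up to AD DS."
```

Verify afterwards with manage-bde -protectors -get on the drive, and with the BitLocker Recovery tab of the computer object in Active Directory Users and Computers.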

Hotfix information

A supported update is available from Microsoft Support.

If the update is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows 7 or Windows Server 2008 R2 installed.

Restart requirement

You must restart the computer after you apply this update.

Hotfix replacement information

This update does not replace any previously released update.

File information

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 2990184 - Last review: 14.04.2015 - Revision: 1