You can automate the EFS certificate export with the following script:
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "OU=EFS" } | Select-Object -First 1
if (-not $Cert) { throw "No EFS certificate found in the current user's personal store." }
Write-Host "Enter the password for the .pfx file: " -NoNewline
$pfxPW = Read-Host -AsSecureString
# -Cert takes a single certificate; the export includes the private key, protected by the password.
Export-PfxCertificate -Cert $Cert -Password $pfxPW -FilePath C:\MyEFScert.pfx
This script finds the current user's EFS certificate in the personal (My) store, prompts for a password, and saves the certificate together with its private key in the file C:\MyEFScert.pfx, protected by the password typed at the prompt. Because the .pfx contains the private key that decrypts the user's EFS-protected files, treat the file and its password with the same care as the files themselves: move it to removable media or a protected location and do not leave it on the local disk.
Thought experiment
Configuring Network Unlock for BitLocker
In this thought experiment, apply what you've learned about this objective. You can
find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. Company policy mandates
that all computers have multifactor encryption on boot devices and data drives. You
have to configure the network to enable automatic unlock of boot drives for clients
and servers that are hard-wired to the corporate network.
1. What are the minimum hardware requirements to support Network Unlock?
2. What server roles are needed to support Network Unlock?
3. What Group Policy settings need to be configured to support Network Unlock
and require BitLocker encryption?
Objective summary
• Configure BitLocker policies to allow backup to Active Directory.
• Use Windows PowerShell to back up the BitLocker recovery password to Active Directory.
• Back up BitLocker recovery passwords to USB, files, and hard copy.
• Back up EFS certificates with Export-PfxCertificate.
• Enable the Network Unlock protector to allow automatic boot even with a TPM+PIN configuration.
• Create a BitLocker Network Unlock certificate and use Group Policy to distribute the public key to clients. Install the certificate with its private key on the WDS server that hosts the BitLocker Network Unlock feature; the private key stays on that server and is never sent to clients.
• BitLocker Network Unlock certificates can be created with AD CS or by creating a self-signed certificate with certreq.exe.
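The Windows PowerShell recovery password backup summarized above, as an added example that is not part of the original page: it uses the BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, available on Windows 8 / Windows Server 2012 and later) to back up every recovery password protector on a volume to Active Directory, and optionally writes the same identifier and 48-digit password to a file, for example on a USB drive. It assumes an elevated session on a domain-joined computer with the "Store BitLocker recovery information in Active Directory Domain Services" policy enabled; $MountPoint and $FileBackupPath are example values.

```powershell
# Added example (not from the original page): back up BitLocker recovery
# passwords to Active Directory and, optionally, to a file on removable media.
# Assumes an elevated session on a domain-joined computer whose Group Policy
# permits storing recovery information in AD DS. $MountPoint and
# $FileBackupPath are example values.
param(
    [string]$MountPoint     = 'C:',
    [string]$FileBackupPath = $null   # e.g. 'E:\BitLocker-C.txt' on a USB stick
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; nothing to back up."
}

# A volume can carry more than one recovery password protector; back up all of them.
$rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# If there is none yet, add one. BitLocker generates the 48-digit password itself.
if (-not $rpProtectors) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($rp in $rpProtectors) {
    # Creates an msFVE-RecoveryInformation object under the computer account in AD DS.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Host ("Backed up recovery password {0} for {1} to Active Directory." -f
        $rp.KeyProtectorId, $MountPoint)

    if ($FileBackupPath) {
        # Same information as the file/hard-copy backup: identifier plus the 48-digit
        # password. Anyone holding this file can unlock the drive, so protect it.
        @(
            "BitLocker Drive Encryption recovery key"
            "Volume: $MountPoint  Computer: $env:COMPUTERNAME"
            "Identifier: $($rp.KeyProtectorId)"
            "Recovery Key: $($rp.RecoveryPassword)"
            ""
        ) | Add-Content -Path $FileBackupPath
    }
}
```

To confirm the AD backup landed, query the computer object from a machine with the Active Directory module: Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -Properties msFVE-RecoveryPassword. If the policy is not in place the Backup-BitLockerKeyProtector call fails rather than silently skipping, which is the behaviour you want from a backup step.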