Microsoft PKI – Change the Issuing Server’s Certificate Validity Period

The following are assumed in this scenario:

 - The root server is a standalone (off the domain) root CA server
 - The issuing server is an enterprise (on the domain) issuing CA server

By default, the issuing CA's certificate is good for one year. Its lifetime is controlled by the root CA that issues it: the root's ValidityPeriod and ValidityPeriodUnits settings, which default to one year.

This can be verified on the root CA server. Open PowerShell as admin and run:

    Certutil -getreg CA\ValidityPeriodUnits
    Certutil -getreg CA\ValidityPeriod

To change the issuing server's certificate validity period to 5 years, open PowerShell as admin on the root standalone CA and run:

    Certutil -setreg CA\ValidityPeriodUnits 5

If ValidityPeriod is already set to Years, the next command is not needed, but run it just in case:

Certutil -setreg CA\ValidityPeriod "Years"

The registry change is only picked up once the certificate service restarts, so restart it:

Restart-Service CertSvc

Verify the settings are what you want them to be:

Certutil -getreg CA\ValidityPeriodUnits
Certutil -getreg CA\ValidityPeriod

When you renew the enterprise issuing server’s certificate, it should be good for 5 years. Verify this by looking at the certificate properties.
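The same procedure as a single script, with the verification steps the post leaves to the GUI. This is an added example, not code from the original post: it reads the same registry values that certutil -getreg CA\... reports, applies the change, restarts CertSvc, and then checks the one thing that can still silently shorten the new certificate: a CA never issues a certificate that outlives its own, so the root certificate must have at least 5 years left. It assumes one CA instance on the server and a desired lifetime of 5 years (both set at the top); the Test-IssuedCaCertLifetime helper is for the issuing CA side after renewal.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the standalone root CA. Assumptions: a single CA instance on this
# server and a desired issuing CA certificate lifetime of 5 years.
$DesiredYears = 5

# Registry location that "certutil -getreg CA\..." and "-setreg CA\..." use
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName        = (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
$CaKey         = Join-Path -Path $CertSvcConfig -ChildPath $CaName

function Get-CaValiditySetting {
    # Same values as "certutil -getreg CA\ValidityPeriodUnits" / "CA\ValidityPeriod"
    $p = Get-ItemProperty -Path $CaKey -Name ValidityPeriod, ValidityPeriodUnits
    [pscustomobject]@{
        CA     = $CaName
        Units  = $p.ValidityPeriodUnits
        Period = $p.ValidityPeriod
    }
}

function Get-CaCertificate {
    # The CA's own certificate: newest thumbprint in CACertHash, from the machine store
    $hashes = (Get-ItemProperty -Path $CaKey -Name CACertHash).CACertHash
    $thumb  = ($hashes | Select-Object -Last 1) -replace '\s', ''
    Get-Item -Path "Cert:\LocalMachine\My\$thumb"
}

'Current setting:'; Get-CaValiditySetting | Format-Table -AutoSize

certutil -setreg CA\ValidityPeriodUnits $DesiredYears
certutil -setreg CA\ValidityPeriod 'Years'

# Changes made with -setreg take effect only after the service restarts
Restart-Service -Name CertSvc

$after = Get-CaValiditySetting
'New setting:'; $after | Format-Table -AutoSize
if ($after.Units -ne $DesiredYears -or $after.Period -ne 'Years') {
    throw 'Validity settings did not apply as expected'
}

# Caveat: the issuing CA's renewed certificate is capped at the root's NotAfter.
$rootCert  = Get-CaCertificate
$yearsLeft = (New-TimeSpan -Start (Get-Date) -End $rootCert.NotAfter).TotalDays / 365.25
'Root CA certificate expires {0:d}; {1:N1} years remaining' -f $rootCert.NotAfter, $yearsLeft
if ($yearsLeft -lt $DesiredYears) {
    Write-Warning "Root certificate expires before a $DesiredYears-year issuing certificate would; renew the root first"
}

# On the issuing CA, after renewal: confirm the lifetime of the new CA certificate.
# $CerPath is the .cer file returned by the root (hypothetical path supplied by the caller).
function Test-IssuedCaCertLifetime {
    param([string]$CerPath, [int]$ExpectedYears = 5)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $years = (New-TimeSpan -Start $cert.NotBefore -End $cert.NotAfter).TotalDays / 365.25
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Years      = [math]::Round($years, 2)
        AsExpected = ([math]::Round($years, 1) -ge $ExpectedYears)
    }
}
# Example: Test-IssuedCaCertLifetime -CerPath 'C:\Temp\IssuingCA-renewed.cer'
```

The root-lifetime check is the part worth keeping even if the rest is done by hand: a 5-year setting on a root whose own certificate has 3 years left produces a 3-year issuing certificate with no error from certutil.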

BitLocker – AD setup for BitLocker Recovery Key Management

Like most other posts in this blog, this is pieced together to make sense to me.

Especially in older domains, verify that the AD schema has the appropriate attributes, using a PowerShell window run as administrator:

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {name -like 'ms-FVE-*'}

On a domain controller, install the BitLocker feature so that the BitLocker recovery information can be displayed (note that -Restart reboots the domain controller if the install requires it):

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

To see the BitLocker tab containing the BitLocker recovery key from an admin workstation, the RSAT “BitLocker Drive Encryption Administration Utilities” needs to be installed on the workstation.

GPO Settings

On a domain controller: Server Manager>Tools>Group Policy Management

Edit the following:

Computer Configuration>Policies>Administrative Templates>Windows Components>BitLocker Drive Encryption

"Store BitLocker recovery information in Active Directory":
    Select "Enabled"
    Check "Require BitLocker backup to AD DS"
    Select "Recovery passwords and key packages"

NOTE – At the bottom of the GPO “Help” it states that the TPM information also needs to be backed up. This, however, no longer appears to be the case after Windows 10 version 1607.

"Choose how users can recover BitLocker-protected drives":
    Select "Enabled"

Select "Operating System Drives"

"Choose how BitLocker-protected operating system drives can be recovered":
    Select "Enabled"
    Check "Save BitLocker recovery information to AD DS for operating system drives"
    Select "Store Recovery passwords and key packages"
    Check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"

Select "Fixed Data Drives"

"Choose how BitLocker-protected fixed data drives can be recovered":
    Select "Enabled"
    Check "Save BitLocker recovery information to AD DS for fixed data drives"
    Select "Backup recovery passwords and key packages"
    Check "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"
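What the GPO steps above do not give you is proof that escrow actually happened. The following is an added example, not part of the original post: it checks that the policy reached a client (the GPO writes its settings under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names are the ones the VolumeEncryption ADMX uses for the OS and fixed-drive settings chosen above, with 1 meaning "recovery passwords and key packages"), audits an OU for computer objects that have no msFVE-RecoveryInformation child object, and re-pushes an existing recovery password protector on a client that is missing one. It assumes RSAT with the ActiveDirectory module on the admin workstation, the BitLocker module on the client, and the OU distinguished name is a placeholder; it reports counts and dates only and never displays a recovery password.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) for the AD audit and an elevated prompt on a client for the
# policy check and the remediation step.
Import-Module ActiveDirectory

# (1) On a client: confirm the GPO settings chosen above have applied.
# Value names are from the VolumeEncryption ADMX; 1 in the *InfoToStore values
# means "recovery passwords and key packages".
function Test-BitLockerAdBackupPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $expected = [ordered]@{
        OSActiveDirectoryBackup         = 1   # Save recovery info to AD DS (OS drives)
        OSRequireActiveDirectoryBackup  = 1   # Do not enable BitLocker until stored
        OSActiveDirectoryInfoToStore    = 1   # Recovery passwords and key packages
        FDVActiveDirectoryBackup        = 1   # Same three settings for fixed data drives
        FDVRequireActiveDirectoryBackup = 1
        FDVActiveDirectoryInfoToStore   = 1
    }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $(if ($p) { $p.$name })
            Ok       = [bool]($p -and $p.$name -eq $expected[$name])
        }
    }
}

# (2) In AD: each BitLocker-enabled computer should have at least one
# msFVE-RecoveryInformation object directly under its computer object.
# Reports counts and the newest escrow date only; the password attribute is not read.
function Get-BitLockerEscrowStatus {
    param([string]$SearchBase)   # placeholder, e.g. 'OU=Workstations,DC=example,DC=com'
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $keys = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                    -Properties whenCreated
        [pscustomobject]@{
            Computer     = $c.Name
            EscrowedKeys = @($keys).Count
            NewestEscrow = ($keys | Measure-Object -Property whenCreated -Maximum).Maximum
        }
    }
}

# (3) On a client that shows zero escrowed keys: push the existing recovery
# password protector to AD DS without re-encrypting the volume.
function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# Usage (placeholder OU):
# Test-BitLockerAdBackupPolicy | Format-Table -AutoSize
# Get-BitLockerEscrowStatus -SearchBase 'OU=Workstations,DC=example,DC=com' |
#     Where-Object EscrowedKeys -eq 0
```

Machines encrypted before the GPO existed are the usual reason the audit shows zero keys: the "Do not enable BitLocker until recovery information is stored" setting only gates new encryptions, so those machines need the step (3) backup run once.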