In a domain network, you can store the BitLocker recovery keys for encrypted drives in Active Directory Domain Services (AD DS). This is one of the most useful BitLocker Drive Encryption features for corporate environments: recovery data is kept centrally, under the domain's access controls and auditing, instead of on printouts or USB sticks.
A BitLocker recovery password is a unique 48-digit numerical password; a BitLocker recovery key is a 256-bit key stored in a .BEK file. Both are generated when BitLocker is enabled on a drive. A domain (security) administrator can manage BitLocker recovery keys and passwords manually, which is workable while the number of computers in the company's network is small. With more than a hundred desktops, manual tracking becomes error-prone, and a lost recovery password means a lost drive.
Configure Active Directory to Store BitLocker Recovery Keys
Group Policy (GPO) lets you configure the BitLocker agent on users' workstations so that it backs up BitLocker recovery information from the local computer to the corresponding computer object in Active Directory. The recovery information is stored in child objects of class msFVE-RecoveryInformation under the computer object. Each recovery object has a unique name (composed of the time it was created and the GUID of the recovery password) and contains the recovery password and, optionally, the key package. A computer object can hold several recovery objects, one per recovery password; you can find the most recent one using the Date Added value (the date the password was saved to AD).
Active Directory Requirements to Use BitLocker
The BitLocker recovery data storage feature relies on an extension of the Active Directory schema that adds BitLocker-specific attributes and an object class. Verify that your AD schema contains the objects required to store BitLocker recovery information, and whether a schema update is needed, by running the following from the PowerShell Active Directory module:
Import-Module ActiveDirectory
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}
The query should return the following five schema objects (four attributes and the msFVE-RecoveryInformation object class):
- ms-FVE-KeyPackage;
- ms-FVE-RecoveryGuid;
- ms-FVE-RecoveryInformation;
- ms-FVE-RecoveryPassword;
- ms-FVE-VolumeGuid.
These schema objects have been included by default since the Windows Server 2008 schema; only a forest whose schema is still at the Windows Server 2003 level needs to be extended before recovery information can be stored.
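As an added example (not part of the original article), the following PowerShell function wraps the check above into a pass/fail report: it lists which of the five schema objects are present and missing, and reads the objectVersion of the schema partition, which identifies the schema level. It assumes the Active Directory module is installed and that you run it as a user who can read the schema partition (any authenticated domain user can).

```powershell
Import-Module ActiveDirectory

function Test-BitLockerSchema {
    # The four attributes and one object class that the AD DS recovery backup depends on
    $Required = 'ms-FVE-KeyPackage', 'ms-FVE-RecoveryGuid', 'ms-FVE-RecoveryInformation',
                'ms-FVE-RecoveryPassword', 'ms-FVE-VolumeGuid'

    $SchemaNC = (Get-ADRootDSE).schemaNamingContext

    # Names of all BitLocker-related schema objects that actually exist in this forest
    $Present = Get-ADObject -SearchBase $SchemaNC -Filter { Name -like 'ms-FVE-*' } |
               Select-Object -ExpandProperty Name

    $Missing = @($Required | Where-Object { $_ -notin $Present })

    # objectVersion on the schema partition identifies the schema level:
    # 44 = Windows Server 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019/2022
    $Version = (Get-ADObject -Identity $SchemaNC -Properties objectVersion).objectVersion

    [PSCustomObject]@{
        SchemaObjectVersion = $Version
        Present             = @($Required | Where-Object { $_ -in $Present })
        Missing             = $Missing
        Ready               = ($Missing.Count -eq 0)
    }
}

Test-BitLockerSchema | Format-List
```

If Ready is False, the forest schema must be extended (adprep /forestprep from a current Windows Server installation media) by a member of Schema Admins before any recovery password can be backed up.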
In this article, we assume that users’ workstations are running Windows 10 Pro or higher.
Let’s see how to configure Active Directory to store the BitLocker recovery information.
First, install the BitLocker management tools on your Windows Server host (or on an administrator's workstation). On Windows Server you can install the BitLocker Drive Encryption feature from the Server Manager console or using PowerShell:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
On Windows 10 and 11, you can install RSAT BitLocker Recovery Tools package using PowerShell:
Add-WindowsCapability -Online -Name Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0
Configuring GPO to Save BitLocker Recovery Keys in Active Directory
- Create a new GPO using the Group Policy Management console (gpmc.msc). Link it to the domain root or to the OU that contains the computers whose BitLocker recovery passwords you want to store in the Active Directory database;
- Right-click on this GPO and select Edit;
- Expand Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption and edit the policy Store BitLocker Recovery information in Active Directory Domain Services;
- Enable this policy and configure it as follows: Require BitLocker backup to AD DS: Enabled; Select BitLocker recovery information to store: Recovery passwords and key packages. You can store only the recovery passwords, or the recovery passwords together with the key packages (the key package is needed only to repair a damaged volume with the BitLocker Repair Tool; the password alone is enough for normal recovery). Note that this is the legacy Windows Vista-era setting: on Windows 7 and later, the per-drive-type policies in the next step control the backup, so you must configure those as well;
- Depending on the drives you want to encrypt, open one of the subsections under BitLocker Drive Encryption: Fixed Data Drives, Operating System Drives, or Removable Data Drives. Each has its own Choose how BitLocker-protected <drive type> drives can be recovered policy, and AD backup must be enabled separately for every drive type you protect. For example, to store recovery keys for removable drives, go to Removable Data Drives and find the policy Choose how BitLocker-protected removable drives can be recovered;
- Enable the policy. Under Configure user storage of BitLocker recovery information, select Allow 48-digit recovery password and Allow 256-bit recovery key. Check the options Allow data recovery agent, Save BitLocker recovery information to Active Directory Domain Services, and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives. The last option ensures that the user cannot turn on BitLocker unless the computer is connected to the domain and the recovery information has been successfully backed up to AD DS; a user who tries to encrypt a new USB drive while off the domain network gets an error message instead of a volume nobody can recover;
- You can set the encryption algorithm with the policy Choose drive encryption method and cipher strength, with separate settings for operating system drives, fixed data drives, and removable drives (XTS-AES is preferred for internal drives; AES-CBC is still needed for removable drives that must be readable on Windows versions older than Windows 10 1511);
- Update Group Policy settings on clients with the gpupdate command:
gpupdate /force
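Added example (not from the original article): a PowerShell function that reads the BitLocker recovery policy values a client actually received, straight from the registry key the BitLocker ADMX template writes to (HKLM\SOFTWARE\Policies\Microsoft\FVE). The value names follow the template's convention of prefixing per-drive settings with OS, FDV or RDV. If the per-drive Recovery value is missing or 0 for a drive type, the AD backup settings for that type are not in effect, which is exactly the situation behind the "Group policy does not permit the storage of recovery information" error. Run it on a client after gpupdate.

```powershell
function Get-BitLockerAdBackupPolicy {
    $Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $Key)) {
        Write-Warning 'No BitLocker policy has been applied to this computer (run gpupdate /force and retry).'
        return
    }
    $P = Get-ItemProperty -Path $Key

    # Value-name prefixes used by the 'Choose how BitLocker-protected ... drives can be recovered' policies
    $DriveTypes = [ordered]@{
        OS  = 'Operating system drives'
        FDV = 'Fixed data drives'
        RDV = 'Removable data drives'
    }
    # Meaning of the <Prefix>RecoveryPassword / <Prefix>RecoveryKey values
    $Usage = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    function Describe-Usage($Value) {
        if ($null -eq $Value) { '(not set)' } else { $Usage[[int]$Value] }
    }

    foreach ($Prefix in $DriveTypes.Keys) {
        # <Prefix>ActiveDirectoryInfoToStore: 1 = passwords and key packages, 2 = passwords only
        $InfoToStore = switch ($P."${Prefix}ActiveDirectoryInfoToStore") {
            1       { 'Recovery passwords and key packages' }
            2       { 'Recovery passwords only' }
            default { '(not set)' }
        }
        [PSCustomObject]@{
            DriveType             = $DriveTypes[$Prefix]
            RecoveryPolicyEnabled = [bool]$P."${Prefix}Recovery"
            SaveToADDS            = [bool]$P."${Prefix}ActiveDirectoryBackup"
            RequireBackupFirst    = [bool]$P."${Prefix}RequireActiveDirectoryBackup"
            InfoToStore           = $InfoToStore
            RecoveryPassword48    = Describe-Usage $P."${Prefix}RecoveryPassword"
            RecoveryKey256        = Describe-Usage $P."${Prefix}RecoveryKey"
        }
    }
}

Get-BitLockerAdBackupPolicy | Format-Table -AutoSize
```

A row with RecoveryPolicyEnabled = True, SaveToADDS = True and RequireBackupFirst = True is the configuration described above; anything else for a drive type you intend to encrypt means the GPO is either not linked to that computer's OU or not yet applied.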
Enable BitLocker on Windows 10/11
Turn on BitLocker on the selected drives of your computer. You can manually enable BitLocker in Windows using the GUI wizard: open File Explorer > This PC, right-click the removable drive and select Turn on BitLocker.
In automation scenarios, you can enable BitLocker drive encryption on Windows using the Enable-BitLocker PowerShell cmdlet.
Check that encryption is not yet enabled for the selected removable drive (VolumeStatus = FullyDecrypted, ProtectionStatus = Off):
Get-BitLockerVolume
When using the Enable-BitLocker cmdlet, you need to specify:
- A drive letter to encrypt;
- Key protector — the protector that encrypts the volume master key (VMK) on the drive. You can use one of the following key protectors: Trusted Platform Module (TPM) only, TPM + PIN, TPM + Startup Key (USB drive), TPM + Startup Key + PIN, Startup Key, Recovery Key, Password, Recovery Password, or AD Account or Group (unlocks the volume for a domain principal; used mainly for clustered disks). Which protectors are valid depends on the drive type: TPM-based protectors and startup keys apply only to the operating system drive, while fixed and removable data drives use Password, Recovery Password, Recovery Key or AD Account protectors;
- Encryption Method — the default is XTS-AES-128. You can change this to XTS-AES-256 (-EncryptionMethod XtsAes256) if you need; the AES-CBC variants (Aes128, Aes256) remain available for drives that must be read on Windows versions older than Windows 10 1511;
- Used Space Only — by default, BitLocker encrypts the entire partition, including unused space. To speed up the encryption process, you can use the -UsedSpaceOnly parameter. Use it only for freshly provisioned drives: on a drive that has already held data, remnants of deleted files stay readable in the unencrypted free space;
- Hardware Encryption — by default, BitLocker uses software encryption. If your drive supports hardware encryption (self-encrypting SSDs), you can request it with the -HardwareEncryption option; current Windows 10 and 11 builds default to software encryption even on such drives, and software encryption is the safer choice because its implementation does not depend on the drive vendor.
For example, the following command encrypts only the used space on the target drive, skips the hardware test, and adds a recovery password protector; with the GPO described above in place, that recovery password is backed up to the computer account in Active Directory:
Enable-BitLocker -MountPoint E: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
A TPM + PIN protector is valid only for the operating system drive (a removable drive is protected with -PasswordProtector instead), and the policy Require additional authentication at startup must allow a startup PIN. To require a PIN at boot, run the following commands (the PIN must meet the minimum length set by the Configure minimum PIN length for startup policy; the literal PIN here is for illustration, in practice read it with Read-Host -AsSecureString so it does not end up in the command history):
$SecureString = ConvertTo-SecureString "148295" -AsPlainText -Force
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -Pin $SecureString -TpmAndPinProtector -UsedSpaceOnly
Backup BitLocker Recovery Key to Active Directory
Once the GPO is applied, the recovery password (and the key package, if selected) from this PC is automatically backed up to the computer object in Active Directory at the moment BitLocker is enabled.
Tip. If you configured BitLocker encryption on some computers before enabling the centralized BitLocker Group Policy in AD, you do not need to decrypt and re-encrypt the drives: you can manually copy the existing BitLocker recovery password to Active Directory using the manage-bde tool.
Get current BitLocker ID for the encrypted volume:
manage-bde -protectors -get e:
Now, send the recovery password to AD by specifying the ID of the Numerical Password protector obtained in the previous step (keep the braces):
manage-bde -protectors -adbackup e: -id "{<Numerical-Password-ID>}"
In case of successful execution of the command, you will see a message:
Recovery information was successfully backed up to Active Directory.
Note. To perform this action, log on to the workstation with a domain account that has local administrator rights, and run the command from an elevated prompt while a domain controller is reachable.
If the previous command returned the error "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.", check and enable the following GPO settings:
- Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services (this setting exists only in older templates; it was removed starting with Windows 10 version 1607 and is not required for BitLocker recovery backup);
- Store BitLocker recovery information in Active Directory Domain Services (see above);
- The per-drive-type policy Choose how BitLocker-protected <drive type> drives can be recovered for the drive type in question, with Save BitLocker recovery information to Active Directory Domain Services checked (see above). In practice this third setting is the one that decides whether the backup is permitted.
You can use the following PowerShell script to find the recovery password protector of the system volume and save it to Active Directory:
$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
# Select the 48-digit recovery password protector(s); a volume may have more than one
$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $RecoveryKey) { throw "No recovery password protector on $env:SystemDrive; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector" }
# Back up each recovery password to the computer object in AD DS
foreach ($Protector in $RecoveryKey) {
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $Protector.KeyProtectorId
}
# For Microsoft Entra ID (Azure AD) joined devices, use BackupToAAD-BitLockerKeyProtector with the same parameters instead
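The two tasks described in this and the previous section (adding a recovery password protector when enabling BitLocker, and pushing existing protectors to AD DS) are usually needed together on a fleet that was encrypted before the GPO existed. The following function, an added example that is not part of the original article, handles every encrypted volume on the computer: it adds a recovery password protector where none exists, backs up each one with Backup-BitLockerKeyProtector, and reports success or the failure reason per protector. It deliberately never outputs the recovery password itself, only the protector ID, so the report can be logged safely. It assumes it runs elevated on a domain-joined computer.

```powershell
function Backup-AllBitLockerRecoveryPasswords {
    # Only volumes that are (at least partly) encrypted have anything worth backing up
    foreach ($Vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $MountPoint = $Vol.MountPoint
        $RecoveryProtectors = $Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        if (-not $RecoveryProtectors) {
            # Drive was encrypted with only a TPM or password protector: add a 48-digit recovery password.
            # Add-BitLockerKeyProtector returns the updated volume object.
            $Vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
            $RecoveryProtectors = $Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }

        foreach ($Kp in $RecoveryProtectors) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $Result = 'Backed up to AD DS'
            }
            catch {
                # Typical causes: GPO does not permit AD backup, no domain controller reachable, not running elevated
                $Result = "FAILED: $($_.Exception.Message)"
            }
            [PSCustomObject]@{
                MountPoint     = $MountPoint
                KeyProtectorId = $Kp.KeyProtectorId
                Result         = $Result
            }
        }
    }
}

Backup-AllBitLockerRecoveryPasswords | Format-Table -AutoSize
```

Running this as a scheduled task or startup script is a pragmatic way to catch machines that were encrypted before the policy was linked, or whose first backup attempt failed because no domain controller was reachable at the time.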
How to Enable BitLocker Remotely?
Users can manually enable BitLocker for selected computer drives from the Windows GUI, by using the Enable-BitLocker PowerShell cmdlet, or using the manage-bde.exe command-line tool.
The Enable-BitLocker cmdlet has no -ComputerName parameter, so it cannot target remote computers directly, but you can run it through PowerShell Remoting (WinRM) with the Invoke-Command cmdlet.
The following PowerShell script prompts you for the name of the remote computer and the BitLocker password that will be used to protect the system drive. A password protector on the operating system drive is accepted only when the policy Require additional authentication at startup allows BitLocker without a compatible TPM; on a TPM-equipped computer use -TpmProtector instead:
$Password = Read-Host -Prompt "Enter BitLocker Password" -AsSecureString
$rmtComputer = Read-Host -Prompt "Enter remote computer name or IP address"
Invoke-Command -ComputerName $rmtComputer -ScriptBlock {
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -Password $using:Password -PasswordProtector -SkipHardwareTest
}
If WinRM is not configured on the remote computer, you can use the manage-bde command, which has built-in remoting over WMI/DCOM rather than WinRM (remote administration must be allowed through the firewall and you need local administrator rights on the target). Specify the remote computer name with the -ComputerName parameter:
Use the following command to encrypt the remote device running Windows 10:
Manage-BDE -On C: -RecoveryPassword -EncryptionMethod xts_aes256 -SkipHardwareTest -ComputerName lon-wks-c211
Now you can check the BitLocker status on the remote device:
Manage-BDE -status -computername lon-wks-c211 C:
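Before pushing Enable-BitLocker to a set of machines, you normally want to know which ones already have a protected system drive, which have a recovery password protector, and which have a TPM that is ready. The following function is an added example (not from the original article) that collects that state over WinRM from a list of computers and reports unreachable hosts separately. The computer names are placeholders.

```powershell
function Get-RemoteBitLockerStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Connection failures are collected in $Unreachable instead of aborting the whole run
    $Report = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ErrorVariable Unreachable -ScriptBlock {
        $Vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $Tpm = Get-Tpm   # TrustedPlatformModule module, present on Windows 8 and later
        [PSCustomObject]@{
            Computer            = $env:COMPUTERNAME
            VolumeStatus        = $Vol.VolumeStatus
            ProtectionStatus    = $Vol.ProtectionStatus
            EncryptionMethod    = $Vol.EncryptionMethod
            Protectors          = ($Vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword = [bool]($Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            TpmReady            = $Tpm.TpmReady
        }
    }

    # Strip the remoting metadata Invoke-Command adds to each object
    $Report | Select-Object Computer, VolumeStatus, ProtectionStatus, EncryptionMethod, Protectors, HasRecoveryPassword, TpmReady

    foreach ($Err in $Unreachable) {
        Write-Warning "$($Err.TargetObject): $($Err.Exception.Message)"
    }
}

Get-RemoteBitLockerStatus -ComputerName 'lon-wks-c211', 'lon-wks-c212' | Format-Table -AutoSize
```

Machines that show VolumeStatus = FullyEncrypted but HasRecoveryPassword = False are the ones that cannot be recovered from AD today and should get a recovery password protector added and backed up before anything else.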
How to Find BitLocker Recovery Keys in Active Directory?
You can find the available recovery passwords for each computer on the BitLocker Recovery tab in the computer account properties in the Active Directory Users and Computers (ADUC) snap-in.
If the BitLocker Recovery tab is missing, install the viewer. On Windows Server, use PowerShell:
Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt
On Windows 10 and 11, the tab is provided by the Rsat.BitLocker.Recovery.Tools capability installed earlier.
You can see the following info on this tab:
- Recovery Password — the 48-digit password you give to the user to unlock the drive when the OS fails to boot or when the user forgets the BitLocker password or PIN;
- Computer name and the date when the BitLocker recovery data was added to AD;
- Password ID — the user reads the Recovery key ID from the BitLocker recovery screen; its first 8 characters are enough to find the matching password.
You can also use the special plugin to find and display BitLocker recovery keys in the AD—BitLocker Recovery Password Viewer. It is a part of the Remote Server Administration Tools (RSAT).
After installing the BitLocker Recovery Password Viewer tool, you can search for recovery passwords directly from the ADUC console. Select the domain root and click Action > Find BitLocker recovery password.
You can retrieve the BitLocker recovery information from AD for a specific computer using PowerShell. The following script lists the BitLocker recovery objects of the domain computer named 'lon-wks-c211', newest first (a computer that has been re-encrypted several times has several of them):
$ADComputer = 'lon-wks-c211'
$DN = (Get-ADComputer $ADComputer).DistinguishedName
# Recovery objects are child objects of the computer object
Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -SearchBase $DN -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Sort-Object whenCreated -Descending |
    ForEach-Object {
        [Ordered]@{
            Computer         = $ADComputer
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            Date             = Get-Date -Date ($_.Name).Split('{')[0]
            BitLockerKeyID   = ($_.Name).Split('{')[1].TrimEnd('}')
        }
    }
Or use the following one-liner (note that the recovery password lives on the child objects, so piping the computer object itself into Get-ADObject would return nothing useful):
Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -SearchBase (Get-ADComputer 'lon-wks-c211').DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object DistinguishedName, msFVE-RecoveryPassword, whenCreated
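In a real help-desk call the administrator usually does not start from the computer name but from the Recovery key ID the user reads off the blue recovery screen. The following function, an added example that is not part of the original article, searches the whole domain for the msFVE-RecoveryInformation object whose name contains that 8-character prefix and returns the owning computer together with the password. The prefix value in the usage line is a placeholder.

```powershell
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 hex characters of the 'Recovery key ID' shown on the BitLocker recovery screen
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix
    )

    $DomainDN = (Get-ADDomain).DistinguishedName

    # Recovery objects are named '<timestamp>{<GUID>}', so the GUID prefix can be matched with a wildcard.
    # Braces are not special characters in an LDAP filter.
    $Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix-*))"

    Get-ADObject -SearchBase $DomainDN -SearchScope Subtree -LDAPFilter $Filter -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            # The recovery object's parent is the computer object it belongs to
            $ComputerDN = ($_.DistinguishedName -split ',', 2)[1]
            [PSCustomObject]@{
                Computer         = (Get-ADObject -Identity $ComputerDN).Name
                KeyId            = ($_.Name -split '\{')[1].TrimEnd('}')
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

Find-BitLockerRecoveryPassword -KeyIdPrefix 'DAB438E6'
```

Verify that the returned KeyId matches the full ID the user reads out before handing over the password: an 8-character prefix is unique in practice, but the check costs nothing and confirms you are unlocking the right drive.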
Delegating Permissions to View BitLocker Recovery Keys in AD
You can delegate the permission to view BitLocker recovery information in AD to a specific group of users, for example, security administrators or the help desk. By default only Domain Admins (and the SYSTEM account of the computer itself) can read it.
We created an Active Directory group named BitLocker Viewers.
Right-click on the Active Directory OU that contains the computer objects with BitLocker recovery keys. Select Delegate Control.
Add the BitLocker Viewers group.
In the next step of the wizard, select Create a custom task to delegate.
Then select the option Only the following objects in the folder. Check the MSFVE-RecoveryInformation objects.
Grant the Read permission (under General, check Read; this corresponds to the Read all properties right). Full control is not needed to view recovery information and would let the group modify or delete it.
Now all users in the BitLocker Viewers group can view the BitLocker Recovery tab and search for recovery passwords. Keep in mind that anyone who can read these objects can decrypt the corresponding drives, so treat membership in this group as privileged access to data and review it regularly.
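The Delegation of Control wizard is convenient for a single OU, but it is hard to audit and reproduce. As an added example that is not part of the original article, the following PowerShell function applies the same delegation directly to the OU's security descriptor: an Allow ACE granting GenericRead that is inherited only by descendant objects of the msFVE-RecoveryInformation class (the class GUID is looked up in the schema, not hard-coded), and then reads the ACL back for verification. The OU distinguished name and group name in the usage line are assumed placeholders; run it as a member of Domain Admins or another account allowed to change the OU's permissions.

```powershell
Import-Module ActiveDirectory

function Grant-BitLockerRecoveryRead {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # DN of the OU holding the computer objects
        [Parameter(Mandatory)][string]$GroupName             # AD group that may read recovery information
    )

    # schemaIDGUID of the msFVE-RecoveryInformation class, so the ACE applies only to those child objects
    $SchemaNC  = (Get-ADRootDSE).schemaNamingContext
    $ClassGuid = [guid](Get-ADObject -SearchBase $SchemaNC -Filter { lDAPDisplayName -eq 'msFVE-RecoveryInformation' } -Properties schemaIDGUID).schemaIDGUID

    $GroupSid = (Get-ADGroup -Identity $GroupName).SID
    $Path     = "AD:\$OrganizationalUnit"
    $Acl      = Get-Acl -Path $Path

    # Allow GenericRead, inherited by descendant objects of the given class only (not by the OU or computers)
    $Ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ClassGuid
    )
    $Acl.AddAccessRule($Ace)
    Set-Acl -Path $Path -AclObject $Acl

    # Verification: show the ACEs on the OU that reference the group; InheritedObjectType should equal $ClassGuid
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType
}

Grant-BitLockerRecoveryRead -OrganizationalUnit 'OU=Workstations,DC=example,DC=com' -GroupName 'BitLocker Viewers'
```

Because the ACE is scoped by inherited object type, the group gains no rights on the computer objects themselves or on the OU, only on the recovery information beneath them, which is the least-privilege version of what the wizard's Read option grants.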
5 comments
The place where I work has 8 domain controllers, do we need to install the Bitlocker management role on all of them?
Thanks!
great article. We image our laptops on a regular basis and I’ve noticed that some laptops do not register the Bitlocker key in their AD object. Is there a limit to the amount of keys stored in the AD computer object and if so is there a way to remove old keys?
I don’t have the TPM GPO available, but was getting the error that the GPO did not allow me to save the bitlocker key in AD. I found that I had to enable one of the three (operating system/fixed/removable) as well in order for this to work. Since I’m concerned only with the C: drive, I picked “Operating System”. After that, I was able to backup the key to AD!
Thank you for the great writeup!
Thanks for the GPO. Now i need to go back in time one week and implement.