
Store BitLocker Recovery Keys using Active Directory


In a domain network, you can store the BitLocker recovery keys for encrypted drives in the Active Directory Domain Services (AD DS). This is one of the coolest features of the BitLocker Drive Encryption technology for corporate users.

A BitLocker recovery key is a 48- or 256-bit sequence that is generated when BitLocker is enabled. A domain (security) administrator can keep track of BitLocker recovery keys and passwords manually if the number of computers on the company network is small, but once there are more than 100 user desktops on the corporate network this task becomes much more complicated.

Configure Active Directory to Store BitLocker Recovery Keys

Group Policy (GPO) allows you to configure the BitLocker agent on user workstations to back up BitLocker recovery keys from the local computers to the corresponding computer objects in Active Directory. Each BitLocker recovery object has a unique name and contains a globally unique identifier (GUID) for the recovery password and, optionally, a package containing the key. If the computer object in Active Directory stores several recovery passwords, the name of each data object contains the password creation date. The name of a BitLocker recovery object is limited to 64 characters, which is enough to hold a 48-bit password.

Active Directory Requirements to Use BitLocker

The BitLocker recovery data storage feature is based on an extension of the Active Directory schema that adds extra attributes. To verify that your AD schema version has the attributes required to store BitLocker recovery keys in Active Directory, run the following cmdlets from the Active Directory module for Windows PowerShell:

Import-Module ActiveDirectory
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}

There should be the following 5 attributes:

  • ms-FVE-KeyPackage
  • ms-FVE-RecoveryGuid
  • ms-FVE-RecoveryInformation
  • ms-FVE-RecoveryPassword
  • ms-FVE-VolumeGuid


Starting with Windows Server 2008, these attributes are available by default, but additional configuration is still required for the feature to work. In the Windows Server 2012 (and newer) schema version, the feature works "out of the box". The same applies to computers running the newest Windows Server 2019 builds.

Let’s see how to configure Active Directory to store BitLocker recovery information.

Tip. In Windows Server 2012/2008 R2 the BitLocker client is called the BitLocker Drive Encryption feature (unlike on the Windows desktop OSs). This feature can be installed from the Server Manager console or using PowerShell:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools


Configuring GPO to save Bitlocker Recovery Information in Active Directory

  1. Using the Group Policy Management console (GPMC.msc), create a new GPO and link it to the root of the domain or to the OU that contains the computers for which you want to store the BitLocker recovery password in the Active Directory database;
  2. Right-click this GPO and select Edit;
  3. Expand the GPO sections Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption and edit the policy Store BitLocker Recovery information in Active Directory Domain Services;
  4. Enable this policy and configure it as follows: Require BitLocker backup to AD DS: Enabled; Select BitLocker recovery information to store: Recovery passwords and key packages (you can store only the password in AD, or the password and the recovery key together);
  5. Depending on which drives you want to encrypt, select one of the following sections under BitLocker Drive Encryption:
    Fixed Data Drives;
    Operating System Drives;
    Removable Data Drives.
  6. For example, if you want to store recovery keys for removable drives, go to the Removable Data Drives section and find the policy Choose how BitLocker-protected removable drives can be recovered;
  7. Enable the policy and check the options Save BitLocker recovery information to Active Directory Domain Services and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (if a user tries to encrypt a new USB drive while the computer is not connected to the domain network, the user will receive an error message);
  8. Update the Group Policy settings on the clients with the command:
    gpupdate /force
  9. Turn on BitLocker on the selected drives of your PC. The BitLocker recovery key and password from this PC are automatically copied to Active Directory.

Tip. If BitLocker was already enabled on a drive on some computers earlier, simply disable and re-enable BitLocker for that drive, or copy the recovery key to Active Directory manually using the manage-bde tool.

Get the current BitLocker protector ID for the encrypted volume:

manage-bde -protectors -get e:

You can send the BitLocker recovery key to AD by specifying the ID obtained in the previous step:

manage-bde -protectors -adbackup e: -id '{DAB438E6-8B5F-4BDA-9273-C1654B49C717E}'

If the command completes successfully, you will see the message:

Recovery information was successfully backed up to Active Directory.

Note. To perform this action you must log on to the workstation with a domain account and have local administrator permissions.
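The manual manage-bde backup above handles one protector at a time. As an added example (not code from the original article), the following script uses the BitLocker PowerShell module cmdlets Get-BitLockerVolume and Backup-BitLockerKeyProtector to escrow every recovery password protector on every protected volume of the computer and reports which ones failed; it assumes an elevated session on a domain-joined computer where the AD backup policy described above applies.

```powershell
# Added example: back up all BitLocker recovery password protectors to AD DS.
# Equivalent to running "manage-bde -protectors -adbackup <drive> -id <KeyProtectorId>"
# for each protector, but covers all volumes in one pass. Requires an elevated
# session and a domain-joined computer (assumption: BitLocker module present).
Import-Module BitLocker

function Backup-AllRecoveryProtectorsToAD {
    [CmdletBinding()]
    param()

    $results = foreach ($vol in Get-BitLockerVolume) {
        # Only volumes that are actually protected have anything to escrow
        if ($vol.ProtectionStatus -ne 'On') { continue }

        # manage-bde -protectors -get lists these as "Numerical Password" protectors
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            Write-Warning "$($vol.MountPoint): no recovery password protector, nothing to back up"
            continue
        }

        foreach ($kp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch {
                # Typical causes: the GPO does not permit AD backup, or no domain controller is reachable
                $status = "Failed: $($_.Exception.Message)"
            }
            [PSCustomObject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                Status         = $status
            }
        }
    }
    $results
}

Backup-AllRecoveryProtectorsToAD | Format-Table -AutoSize
```

Any row with a Failed status points at the same GPO settings that cause the "Group policy does not permit the storage of recovery information" error from manage-bde.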


If the previous command returned the error "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.", check and enable the following GPO settings:

  • Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services;
  • Store BitLocker recovery information in Active Directory Domain Services (see above);
  • BitLocker Drive Encryption mode (see above).
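To check on a client which of these settings actually reached the computer after gpupdate, the following added example (not from the original article) reads the policy registry values that the BitLocker and TPM administrative templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM. The value names are taken from the BitLocker policy reference as the editor knows it and should be treated as an assumption to confirm against your own GPO.

```powershell
# Added example: show the applied AD-backup related BitLocker/TPM policy values.
# Value names are an assumption based on the BitLocker Group Policy reference;
# confirm them against the registry on a client where the GPO is known to work.
function Test-BitLockerAdBackupPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $checks = @(
        # Store BitLocker recovery information in AD DS (global policy)
        @{ Path = $fve; Name = 'ActiveDirectoryBackup';          Setting = 'Store recovery information in AD DS' }
        @{ Path = $fve; Name = 'RequireActiveDirectoryBackup';   Setting = 'Require BitLocker backup to AD DS' }
        # Per drive type: "Choose how BitLocker-protected ... drives can be recovered"
        @{ Path = $fve; Name = 'OSActiveDirectoryBackup';        Setting = 'OS drives: save recovery info to AD DS' }
        @{ Path = $fve; Name = 'OSRequireActiveDirectoryBackup'; Setting = 'OS drives: do not enable until stored in AD DS' }
        @{ Path = $fve; Name = 'FDVActiveDirectoryBackup';       Setting = 'Fixed drives: save recovery info to AD DS' }
        @{ Path = $fve; Name = 'RDVActiveDirectoryBackup';       Setting = 'Removable drives: save recovery info to AD DS' }
        # Trusted Platform Module Services: Turn on TPM backup to AD DS
        @{ Path = $tpm; Name = 'ActiveDirectoryBackup';          Setting = 'TPM: turn on TPM backup to AD DS' }
    )
    foreach ($c in $checks) {
        # Missing key or value means the policy is "Not configured" on this client
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $value = if ($props) { $props.($c.Name) } else { $null }
        [PSCustomObject]@{
            Setting = $c.Setting
            Value   = "$($c.Path -replace '^HKLM:\\SOFTWARE\\Policies\\Microsoft\\','')\$($c.Name)"
            State   = if ($null -eq $value) { 'Not configured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        }
    }
}

Test-BitLockerAdBackupPolicy | Format-Table -AutoSize
```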

How to Find BitLocker Recovery Keys in Active Directory?

You can find available recovery keys for each computer on the new tab “BitLocker Recovery”, located in the computer account properties in the Active Directory Users and Computers snap-in.

If the BitLocker recovery tab is missing, enable it using PowerShell:

Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt


You can see the following info on this tab:

  • Recovery Key—you can give this key to the user to decrypt the BitLocker drive if the OS fails or the user forgets the BitLocker password;
  • Computer name and the date when the BitLocker recovery data was added to AD;
  • Password ID—the user must provide you with the first 4 or 8 characters of the Password ID.

You can also use a special plugin, BitLocker Recovery Password Viewer (part of the Remote Server Administration Tools (RSAT)), to find and display BitLocker recovery keys in AD.


After installing the BitLocker Recovery Password Viewer tool, you can search for recovery keys directly from the ADUC console. Select the domain root and click Action > Find BitLocker recovery password.


You can retrieve the BitLocker recovery key from AD for a specific computer using PowerShell. The following PowerShell script lists the BitLocker recovery info for the domain computer named 'lon-wks-c211':

$ADComputer = 'lon-wks-c211'
$DN = Get-ADComputer $ADComputer | Select-Object -ExpandProperty DistinguishedName
# Recovery objects are children of the computer object; there can be several (one per recovery password)
$ADobj = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $DN -Properties 'msFVE-RecoveryPassword' | Select-Object Name, 'msFVE-RecoveryPassword'
foreach ($obj in $ADobj) {
    [Ordered]@{
        Computer         = $ADComputer
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        # The object name has the form "<creation date>{<password ID>}"
        Date             = Get-Date -Date ($obj.Name).Split('{')[0]
        BitlockerKeyID   = (($obj.Name).Split('{')[1]).TrimEnd('}')
    }
}

Or use the following one-liner:

Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase (Get-ADComputer 'lon-wks-c211').DistinguishedName -Properties msFVE-RecoveryPassword, whenCreated | Select-Object DistinguishedName, msFVE-RecoveryPassword, whenCreated
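The scripts above start from a known computer name. In practice the helpdesk usually starts from the first characters of the Password ID that the user reads off the recovery screen, which is what the Find BitLocker recovery password wizard searches on. The following added example (not from the original article, and not the wizard's own code) implements that lookup over the whole domain with an LDAP filter on the recovery object name, and adds an audit function that lists enabled computer accounts with no recovery object at all, i.e. machines whose keys were never escrowed; it assumes the ms-FVE schema attributes listed above and the RSAT Active Directory module.

```powershell
# Added example: look up a recovery password by Password ID prefix, and audit
# computers without any escrowed recovery information. Assumes the AD module and
# the msFVE-RecoveryInformation schema extension described in the article.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryByPasswordId {
    param(
        # First 8 (or more) hex characters of the Password ID shown on the recovery screen
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{4,}$')][string]$PasswordIdPrefix,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Recovery object names look like "<timestamp>{<password GUID>}", so match the GUID part.
    # Braces are ordinary characters in an LDAP filter; only the '*' is a wildcard.
    $ldap = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordIdPrefix*))"
    Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # The recovery object is a child of the computer object: strip the RDN to get
            # the computer DN (assumption: the timestamp name contains no commas).
            $computerDn = $_.DistinguishedName -replace '^CN=[^,]+,', ''
            [PSCustomObject]@{
                Computer         = ($computerDn -split ',')[0] -replace '^CN=', ''
                PasswordId       = ($_.Name -split '[{}]')[1]
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Audit: enabled computer accounts with no msFVE-RecoveryInformation child object,
# i.e. BitLocker keys were never backed up (or the drive was never encrypted).
function Get-ComputersWithoutBitLockerBackup {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase | Where-Object {
        -not (Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                -SearchBase $_.DistinguishedName -SearchScope OneLevel)
    } | Select-Object Name, DistinguishedName
}

# Usage: the user reports the first 8 characters of the Password ID (constructed sample value)
Find-BitLockerRecoveryByPasswordId -PasswordIdPrefix 'DAB438E6' | Format-List
Get-ComputersWithoutBitLockerBackup | Format-Table -AutoSize
```

Only accounts that have been granted read access to msFVE-RecoveryInformation objects (see the delegation section below) will get results from the first function; for everyone else the search returns nothing rather than an error.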

Delegating Permissions to View BitLocker Recovery Keys in AD

You can delegate the permissions to view information about BitLocker recovery keys in AD to a certain group of users (for example, security administrators).

I created a new security group in AD, BitLocker Viewers.


Right-click on the OU that contains the computer objects with BitLocker recovery keys and select Delegate Control.


Add the BitLocker Viewers group.


In the next step of the wizard, select Create a custom task to delegate.

Then select the option Only the following objects in the folder and check the msFVE-RecoveryInformation objects.


Grant Full control permissions.


Now all users added to the BitLocker Viewers group can view the BitLocker Recovery tab with the BitLocker recovery information.
