Store BitLocker Recovery Keys Using Active Directory

1.7K

Data security and protecting sensitive information is a top priority for organizations of all sizes. One crucial aspect of data security is ensuring that data stored on devices like laptops and desktops is encrypted and can be recovered in case of emergencies or user lockouts.

BitLocker, a disk encryption program with Windows operating systems, provides a robust solution. BitLocker offers a feature that allows administrators to store BitLocker recovery keys using Active Directory, ensuring that these critical keys are securely managed and easily accessible when needed.

In this blog post, we will explore the process of enabling BitLocker recovery key backup via Group Policy Objects (GPO) and several ways to retrieve BitLocker recovery keys.

Requirements

Active Directory Schema

BitLocker recovery data storage feature is based on the extension of the Active Directory schema. And it brings you extra Active Directory custom attributes. You must verify if your AD schema version has attributes required to store BitLocker recovery keys in Active Directory and check if you need to update the AD schema.

To do this, run the following command from the PowerShell Active Directory module:

Import-module ActiveDirectory 
Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}

There should be five following attributes:

• ms-FVE-KeyPackage
• ms-FVE-RecoveryGuid
• ms-FVE-RecoveryInformation
• ms-FVE-RecoveryPassword
• ms-FVE-VolumeGuid
  

These attributes are available by default starting from Active Directory version on Windows Server 2012.

This article uses Windows Server 2022.

Windows Client

BitLocker works with Windows 10 and 11 Pro, Education, and Enterprise. This article will be using Windows 11 22H2.

Enabling BitLocker Recovery Key Backup via GPO

Users make changes to their computers, and that’s inevitable. Then they reboot their computers, and BAM! Windows is asking for the BitLocker recovery key (password).

In this situation, users will contact the helpdesk or system administrators to help recover their BitLocker recovery keys.

Administrators must enable their backup to Active Directory to ensure the BitLocker keys are recoverable.

1. Log in to the domain controller or computer with RSAT installed.
2. Open the Group Policy Management Console (GPMC) by running gpmc.msc.
3. Within the GPMC, create a new Group Policy Object (GPO) or edit an existing one that you want to use for BitLocker recovery key backup. Ensure that the GPO is linked to the organizational unit (OU) containing the computer objects to which you wish to apply BitLocker.
   In this example, I’m creating a new GPO named “BitLocker-WS-Policy” in the “Workstations” OU.
   
4. Open the GPO for editing and navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption.
   
5. Double-click on “Store BitLocker Recovery information in Active Directory Domain Services.”
   
6. Set the policy to Enabled, leave the default selection, as shown below, and click OK. This step enables backing up the BitLocker recovery information in Active Directory.
   
7. Next, select one of the following folders, depending on which drive types you want BitLocker recovery keys to become retrievable.
   • Operating System Drives
   • Fixed Data Drives
   • Removable Data Drives
     In this example, I’ll choose “Operating System Drives” and open the “Choose how BitLocker-protected system drives can be recovered” policy.
     
8. Select Enabled and tick the box, “Do not enable BitLocker until recovery information is stored in AD DS for .” These settings enable the recoverability of BitLocker keys, and BitLocker will not be enabled until recovery information is stored in AD DS.
   
9. The policy will be updated on the target computers in the next cycle. But if you want to force it, run gpupdate /force on the affected computers.
   
10. Then, check if the policy is applied:

    gpresult /r

    

Turn On BitLocker Protection on Drives

Now that the policy is deployed to back up BitLocker recovery keys in AD, let’s test it by turning on BitLocker protection.

Open the File Explorer, navigate to “This PC,” right-click on the drive, and click “Turn on BitLocker.”

And go through the steps to finish enabling BitLocker encryption. Refer to Turn on device encryption for the complete steps the user can follow.

Retrieving BitLocker Recovery Keys

You can find available recovery keys for each computer on the new tab “BitLocker Recovery”. It is located in the computer account properties in the Active Directory Users and Computers snap-in.

But first, the BitLocker Management Tools must be installed on the domain controller. To do so, run the following command to install the BitLocker Management Tools.

Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt

Using the BitLocker Recovery Tab in the Computer Properties

After the installation, re-open ADUC, open the computer’s properties, and navigate to the “BitLocker Recovery” tab. You’ll see the recovery password that you can provide to the user so they can unlock their BitLocker-protected drive.

Using the “Find BitLocker recovery password” Tool

If the user can provide the first eight characters of the BitLocker password ID, you can also use the Find BitLocker recovery password tool in ADUC.

Open ADUC, click Action → Find BitLocker recovery password. Enter the first eight characters of the password ID and click Search. If the partial password ID is valid, you will see the corresponding BitLocker recovery password, as shown below.

Using PowerShell Script

Using a PowerShell script to retrieve the BitLocker recovery keys can be quick, convenient, and handy. It only requires the ActiveDirectory PowerShell module; all necessary commands are already included.

Copy the script below and save it to your computer as Get-BitLockerRecoveryPassword.ps1. This script accepts two parameters: ComputerName and KeyId. You can only use one parameter at a time.

Related post. How to Create Advanced Functions with PowerShell CmdletBinding?

# Get-BitLockerRecoveryPassword.ps1 

[CmdletBinding(DefaultParameterSetName = 'byComputerName')] 
param ( 
[Parameter(Mandatory, ParameterSetName = 'byComputerName')] 
[string] 
$ComputerName, 

[Parameter(Mandatory, ParameterSetName = 'byKeyId')] 
[string] 
$KeyID 
) 

if ($PSCmdlet.ParameterSetName -eq 'byComputerName') { 
try { 
$computerObj = Get-ADComputer $ComputerName -ErrorAction Stop 
$blObj = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $computerObj.DistinguishedName -Properties * -ErrorAction Stop 
} 
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { 
"The AD computer [$($ComputerName)] is not found." | Out-Default 
} 
catch { 

} 
} 

if ($PSCmdlet.ParameterSetName -eq 'byKeyId') { 
if ($KeyID.Length -eq 8) { 
$keyId = "*{$keyID*" 
$blObj = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' -and CN -like $KeyID } -Properties * 
} 
else { 
"The KeyId must be exactly the first 8 characters of the Password ID." | Out-Default 
} 
} 

if ($blObj) { 
[PSCustomObject]$([ordered]@{ 
'Computer Name' = $(($blObj.DistinguishedName -split ',')[1].Replace('CN=', '')) 
'Password ID' = $(([regex]::Match($blObj.DistinguishedName, '\{(.*?)\}')).Groups[1].Value) 
'Recovery Password' = $($blObj.'msFVE-RecoveryPassword') 
}) 
}

You can also download this script from this Gist → Get BitLocker Recovery Password from AD.

After saving the script, open PowerShell and change the working directory to the script location.

cd <path to script>

Run the command below to get the BitLocker recovery key by computer name.

.\Get-BitLockerRecoveryPassword.ps1 -ComputerName <COMPUTER NAME>

You’ll see the following result if the computer exists and has a BitLocker recovery password.

If the computer does not exist, you’ll get this error:

There will be no output if the computer exists but has no BitLocker recovery keys.

Run the command below to get the BitLocker recovery key by looking up the first eight characters of the Password ID.

.\get-BitLockerRecoveryPassword.ps1 -KeyID 12345678

If the password ID matches, you’ll get the following result.

You’ll get the following error if the Key ID you provided is not eight characters.

If the password ID is not found, there will be no result.

Delegating Permissions to View BitLocker Recover Keys in AD

Administrators have better things to do than retrieving BitLocker recovery passwords. This is why the task can be delegated to a group whose primary role is to support end users, such as the Help Desk.

You can delegate the permissions to view information about BitLocker recovery keys in AD, and here’s how.

1. Create a group (or select an existing group) that will be delegated to view BitLocker recovery keys. In this example, I created a security group called “BitLocker Password Viewers.”
   
2. Add members to this group as needed.
   
3. Right-click on the Active Directory OU that contains the computer objects with BitLocker recovery keys and click Delegate Control.
   
4. Add the delegate group to the list and click Next.
   
5. Select the “Create a custom task to delegate” option and click Next.
   
6. Select the “Only the following objects in the folder” option, tick the “msFVE-RecoveryInformation objects” box, and click Next.
   
7. Select the “Read” permissions, as shown below, and click Next.
   
8. Review the delegation summary and click Finish.
   
9. All users added to the “BitLocker Password Viewers” group can view the Recovery tab with BitLocker recovery information.
   

Conclusion

Safeguarding sensitive data is a paramount concern. Integrated with Windows, BitLocker offers a robust solution for encrypting and protecting data on devices like laptops and desktops. It securely manages and readily provides BitLocker recovery keys via Active Directory.

This blog post covers enabling BitLocker recovery key backup via Group Policy Objects (GPO) and retrieving keys. Prerequisites include an updated Active Directory schema and compatible Windows clients. Follow the steps for GPO configuration to ensure recoverability and secure storage in Active Directory.

We also explore three key retrieval methods: the BitLocker Recovery tab in Active Directory Users and Computers, the “Find BitLocker recovery password” tool, and a PowerShell script. These options offer flexibility for different scenarios.

Lastly, we discuss delegating permissions to specific groups, like a Help Desk team, to view BitLocker recovery keys in Active Directory efficiently. BitLocker simplifies data security and management, enhancing organizations’ data protection strategies.