In the corporate segment, one of the advantages of BitLocker Drive Encryption is the ability to store the BitLocker recovery keys for encrypted drives in Active Directory Domain Services (AD DS).

A BitLocker recovery key is a 48 and/or 256-bit sequence that is generated when BitLocker is enabled. When the number of computers in the company network is small, an administrator can keep track of the keys and passwords manually, but once the network has more than 100 machines this task becomes much more complicated.

Configure Active Directory to Store BitLocker Recovery Keys

Group Policy (GPO) allows you to configure BitLocker so that backups of BitLocker keys and recovery passwords are stored in the computer object in Active Directory. Each BitLocker recovery object has a unique name and contains a globally unique identifier for the recovery password and, optionally, a package containing the key. If a computer object in Active Directory stores several recovery passwords, the name of each data object contains the date the password was created. The name of a BitLocker recovery object is limited to 64 characters, so the original 48-bit password should be allowed.

Active Directory Requirements to use BitLocker

The BitLocker recovery data storage feature relies on an extension of the Active Directory schema that adds extra attributes. To verify that your version of the AD schema has the attributes required to store BitLocker recovery keys in Active Directory, run the following command:

Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}

The following five attributes should be returned:

  • ms-FVE-KeyPackage
  • ms-FVE-RecoveryGuid
  • ms-FVE-RecoveryInformation
  • ms-FVE-RecoveryPassword
  • ms-FVE-VolumeGuid


Starting with Windows Server 2008 this extension is available by default, but it still requires additional configuration before it works. With the schema version of Windows Server 2012 and higher, this functionality works “out of the box”. The same applies to the later versions, up to and including Windows Server 2016.

Let us consider how to configure Active Directory to store BitLocker recovery information.

Tip. In Windows Server 2012/2008, BitLocker is provided as the BitLocker Drive Encryption feature (unlike the client OS). This feature can be installed from the Server Manager console or using PowerShell:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools


Configuring GPO to save Bitlocker Recovery Information in Active Directory

  1. Using the Group Policy Management console (GPMC.msc), create a new GPO and link it to the root of the domain or to the OU that contains the PCs whose BitLocker recovery passwords should be kept in AD.
  2. Right-click this GPO and select Edit.
  3. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption and edit the policy Store BitLocker recovery information in Active Directory Domain Services.
  4. Enable this policy and configure it as follows: Require BitLocker backup to AD DS: Enabled; Select BitLocker recovery information to store: Recovery passwords and key packages (you can store in AD either the password alone or the password and the recovery key together).
  5. Depending on which drives you want to encrypt, select one of the following sections under BitLocker Drive Encryption:
     • Fixed Data Drives
     • Operating System Drives
     • Removable Data Drives
  6. For example, suppose we want to store recovery keys for removable drives. Go to the section Removable Data Drives and find the policy Choose how BitLocker-protected removable drives can be recovered.
  7. Enable the policy and check the options Save BitLocker recovery information to Active Directory Domain Services and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (if a user tries to encrypt a new USB device while the computer is not connected to the corporate network, they will receive an error message).
  8. Update the policy on the clients: gpupdate /force
  9. Turn on BitLocker on the selected drives of the PC. The BitLocker recovery key and password from this PC are automatically copied to Active Directory.

Tip. If BitLocker drive encryption was already configured on some PCs earlier, simply disable and re-enable BitLocker, or copy the recovery key to Active Directory manually using the manage-bde tool.

Get the current BitLocker protector ID for the volume:

manage-bde -protectors -get e:

or, for the system drive:

manage-bde -protectors -get %systemdrive%

Copy the information to AD by specifying the ID obtained in the previous step:

manage-bde -protectors -adbackup e: -id '{DAB438E6-8B5F-4BDA-9273-C1654B49C717E}'
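The same manual backup can be scripted for every encrypted volume on a machine at once. The following is an added example, not code from the original article; it uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and assumes an elevated session on a domain-joined computer. It escrows only the numerical RecoveryPassword protectors, which are the ones AD DS can store, and reports volumes that have none.

```powershell
#Requires -RunAsAdministrator
# Added example: back up all BitLocker recovery passwords of the local
# machine to AD DS (scripted equivalent of the manage-bde steps above).
Import-Module BitLocker

function Backup-AllBitLockerRecoveryPasswords {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Volumes that are not encrypted have nothing to escrow.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Verbose "$($vol.MountPoint): not encrypted, skipping"
            continue
        }

        # Only RecoveryPassword protectors are stored in AD; TPM, TPM+PIN
        # and external-key protectors are never written there.
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
            continue
        }

        foreach ($p in $rp) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch {
                # Typical causes: not domain joined, no DC reachable, or the
                # computer account lacks rights to create msFVE-RecoveryInformation.
                $status = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId   # matches the ID shown by manage-bde
                Status         = $status
            }
        }
    }
}

Backup-AllBitLockerRecoveryPasswords -Verbose | Format-Table -AutoSize
```

A Status of Failed for every volume usually means the policy from the previous section has not applied yet; rerun gpupdate /force and retry.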

How to Find BitLocker Recovery Keys in Active Directory

You can see the available recovery keys for each computer on the “BitLocker Recovery” tab of the computer account's property page in the Active Directory Users and Computers snap-in.


You can also use the BitLocker Recovery Password Viewer tool, included in Remote Server Administration Tools (RSAT), to search for BitLocker recovery keys.


After installing the BitLocker Recovery Password Viewer feature, you can search for recovery keys directly from the ADUC console. To do this, go to the root of the domain and select Action -> Find BitLocker recovery password.
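The same lookup can be done from PowerShell, either for one computer (what the “BitLocker Recovery” tab shows) or by the first characters of a recovery password ID (what the Find dialog does). This is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module and an account that has been delegated read access to msFVE-RecoveryInformation objects, and the GUID conversion relies on the AD module returning those attributes as byte arrays.

```powershell
# Added example: read BitLocker recovery information escrowed in AD DS.
Import-Module ActiveDirectory

function Get-ADBitLockerRecoveryInfo {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByComputer')]
        [string]$ComputerName,
        # First 8 characters of the recovery password ID shown on the
        # client's recovery screen (the Find dialog uses the same value).
        [Parameter(Mandatory, ParameterSetName = 'ByPasswordId')]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix
    )

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are child objects of the computer account.
        $base  = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).DistinguishedName
        $scope = 'OneLevel'
        $filter = "objectClass -eq 'msFVE-RecoveryInformation'"
    } else {
        # The object's CN is "<creation time>{<recovery GUID>}", so the
        # prefix can be matched on the name across the whole domain.
        $base  = (Get-ADDomain).DistinguishedName
        $scope = 'Subtree'
        $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$PasswordIdPrefix*'"
    }

    $props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'
    Get-ADObject -SearchBase $base -SearchScope $scope -Filter $filter -Properties $props |
        ForEach-Object {
            # Parent DN of the recovery object is the computer account.
            $computerDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer         = (Get-ADObject -Identity $computerDn).Name
                Created          = $_.whenCreated
                RecoveryGuid     = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')   # = protector ID on the client
                VolumeGuid       = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
                RecoveryPassword = $_.'msFVE-RecoveryPassword'                     # 48-digit password, treat as a secret
            }
        }
}

# Usage, with constructed sample values:
Get-ADBitLockerRecoveryInfo -ComputerName 'PC-SAMPLE-01' | Format-List
Get-ADBitLockerRecoveryInfo -PasswordIdPrefix 'DAB438E6' | Format-List
```

Reads of these objects are logged on the domain controller when auditing of directory service access is enabled, which lets you see who retrieved a recovery password and when.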
