Encrypting drives with BitLocker is essential for protecting Windows notebooks against theft and misuse of data. However, if users lock themselves out, the only thing that would help them is a recovery key. Admins can store this key in the Active Directory and retrieve it as needed.

It makes sense for companies to configure BitLocker centrally using group policies. It is also advisable to store recovery keys in a central location where they are protected against unauthorized access. Microsoft uses Active Directory for this purpose. The keys can be managed without tools from third-party manufacturers.

Configuring group policies

The first step is to create a GPO for the organizational units (OUs) and domains whose computer accounts will have recovery keys stored in the Active Directory.

The settings for BitLocker are located under Computer Configuration => Administrative Templates => Windows Components => BitLocker Drive Encryption. Here you can find the option Store BitLocker recovery information in Active Directory Domain Services. This setting only applies to Windows Vista and Windows Server 2008 machines, so it is irrelevant for most environments today.

This setting only works for computers running Vista or Windows Server 2008


Newer operating systems allow a more granular configuration depending on the drive type. BitLocker distinguishes between operating system drives, hard disks, and removable media.

Different drive types can be configured for BitLocker using separate settings


Each type has its own folder with corresponding settings in the GPO editor. One of them is called Choose how BitLocker protected <drive type> can be recovered.

Storage options for each type of drive

For example, if you want to save the recovery key for operating system drives in the Active Directory, activate this setting in the respective folder. Make sure that the checkbox Save BitLocker recovery information to AD DS for operating system drives is selected.

GPO setting to backup recovery keys for system drives in Active Directory


Furthermore, you can configure which data will be stored in the AD. You can choose between Backup Restore Password and Key Packages and Backup Restore Passwords Only. The key package is used to recover data on a physically damaged drive.

In addition, it makes sense to activate the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. This ensures that BitLocker will wait until mobile users are reconnected to AD before it encrypts the data.

Manually saving keys afterwards

If the group policy is enabled after the drives are already encrypted, it has no effect on those drives, and their keys have to be transferred to the Active Directory manually. The command line tool manage-bde.exe is capable of doing this. First, you determine the ID of the numerical password protector for drive c:

manage-bde -protectors -get c:

Then you pass this information to the second command:

manage-bde -protectors -adbackup c: -id "{ID-of-numeric-password}"
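The same two-step procedure can be scripted for all drives of a machine at once, which is handy for a logon script or a remote one-off run on notebooks that were encrypted before the policy existed. The following PowerShell is an added example and not part of the original article; it uses the BitLocker module cmdlets (Windows 8 / Server 2012 or newer) as the equivalent of the two manage-bde commands above, assumes it runs elevated on a domain-joined client with a reachable domain controller, and adds a recovery password protector where a drive has none yet, since otherwise there would be nothing to escrow.

```powershell
# Added example (not from the original article): back up every BitLocker
# recovery password on this machine to AD DS, adding a recovery password
# protector first where a drive has none. Run elevated on the client.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or newer)
# and a domain-joined computer that can reach a domain controller.

foreach ($volume in Get-BitLockerVolume) {
    # Drives that are not encrypted have nothing worth backing up
    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        Write-Verbose "$($volume.MountPoint) is not encrypted, skipping"
        continue
    }

    $recoveryProtectors = $volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $recoveryProtectors) {
        # A drive protected only by TPM or password has no recovery password yet;
        # add one so that there is something to store in AD.
        Add-BitLockerKeyProtector -MountPoint $volume.MountPoint -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $volume.MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($protector in $recoveryProtectors) {
        # Equivalent of: manage-bde -protectors -adbackup <drive> -id "{GUID}"
        try {
            BackupToAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "$($volume.MountPoint) protector $($protector.KeyProtectorId) backed up to AD"
        }
        catch {
            # Typical cause: no domain controller reachable (e.g. a mobile user off the corporate network)
            Write-Warning "$($volume.MountPoint) protector $($protector.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}
```

Keep the warnings from the catch block: a drive whose backup failed is exactly the one whose recovery password exists only on the client, so the script should be rerun for that machine once it is back on the network.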

Reading recovery keys in the Active Directory

In order to access the recovery key, two features must be installed on the administrator computer: BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools.

This can be done on a server using the Add Roles and Features wizard in the Server Manager. On a workstation, they are part of the RSAT.

Adding BitLocker tools as a feature via the Server Manager


After that, a new tab labeled BitLocker Recovery should appear in Active Directory Users and Computers when you open a computer object.

Installing the BitLocker tools gives Active Directory Users and Computers a tab for the recovery key


For computers with encrypted drives, the corresponding recovery key can be found here.
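The BitLocker Recovery tab reads msFVE-RecoveryInformation objects that are stored as children of the computer object. The same data can be queried with the ActiveDirectory module, which is useful when a user on the phone reads out the recovery key ID from the BitLocker recovery screen and the helpdesk needs the matching 48-digit password. The script below is an added example and not part of the original article; it assumes RSAT with the ActiveDirectory module on the admin workstation, an account that is allowed to read these objects, and it introduces an optional RecoveryKeyId filter (the first 8 characters of the protector GUID) as a convenience that the article does not describe.

```powershell
# Added example (not from the original article): list the BitLocker recovery
# passwords stored in AD DS for one computer, optionally narrowed to the
# recovery key ID shown on the BitLocker recovery screen (first 8 characters
# of the protector GUID). Needs the ActiveDirectory module (RSAT) and an
# account with read access to msFVE-RecoveryInformation objects.

param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [string] $RecoveryKeyId   # optional filter, e.g. 'A1B2C3D4' (assumed convenience, not from the article)
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Recovery information lives in child objects directly below the computer object
$objects = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
    -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated

if (-not $objects) {
    Write-Warning "No recovery information stored for $ComputerName. Check the GPO or run manage-bde -protectors -adbackup on the client."
    return
}

$result = foreach ($obj in $objects) {
    # msFVE-RecoveryGuid is stored as an octet string; convert it to the GUID
    # that manage-bde and the recovery screen display
    $guid = [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
    [pscustomobject]@{
        Computer         = $ComputerName
        RecoveryKeyId    = $guid.ToString().Substring(0, 8).ToUpper()
        RecoveryGuid     = $guid
        Created          = $obj.whenCreated
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
    }
}

if ($RecoveryKeyId) {
    $result = $result | Where-Object RecoveryKeyId -eq $RecoveryKeyId.ToUpper()
}

# Newest first: a drive that was re-encrypted or got a new protector has several
# entries, and only the one matching the current protector GUID will unlock it
$result | Sort-Object Created -Descending
```

If the script returns objects but the RecoveryPassword column is empty, the account running it can see the objects but not read the password attribute; that is the situation the delegation steps below address.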

Delegation

By default, only users in the Domain Admins group can view BitLocker recovery keys. This is not sufficient if, for example, the helpdesk should also have access to the recovery keys.

To grant users this permission, create a security group in the Active Directory (e.g., BitLocker) and add the desired users to it. After that, execute the command Delegate Control from the context menu of the OU in which the computers are located and whose keys should be accessible by the new group.

Execute the command Delegate Control from the context menu of the OU


In the following dialog, you can activate Create a custom task to delegate.

Selecting custom tasks to create for assignment


Now set the permissions for "msFVE-RecoveryInformation" objects.

Assigning permissions for msFVE recovery information objects


Full control is required here.

Granting full access to msFVE recovery information objects


This enables users in the security group to view the recovery keys.

1 Comment

Leos Marek (Rank 4), 3 years ago:

Nice post, thanks.
