It makes sense for companies to configure BitLocker centrally using group policies. It is also advisable to store recovery keys in a central location where they are protected against unauthorized access. Microsoft uses Active Directory for this purpose. The keys can be managed without tools from third-party manufacturers.
Configuring group policies
The first step is to create a GPO for the organizational units (OUs) and domains whose computer accounts will have recovery keys stored in the Active Directory.
The settings for BitLocker are located under Computer Configuration => Administrative Templates => Windows Components => BitLocker Drive Encryption. Here you can find the option Store BitLocker recovery information in Active Directory Domain Services. This setting applies only to Vista and Server 2008 machines, so it will be irrelevant for most other environments.
Newer operating systems allow a more granular configuration depending on the drive type. BitLocker distinguishes between operating system drives, hard disks, and removable media.
Each type has its own folder with corresponding settings in the GPO editor. One of them is called Choose how BitLocker protected <drive type> can be recovered.
Storage options for each type of drive
For example, if you want to save the recovery key for operating system drives in the Active Directory, activate this setting in the respective folder. Make sure that the checkbox Save BitLocker recovery information to AD DS for operating system drives is selected.
Furthermore, you can configure which data will be stored in the AD. You can choose between Backup Restore Password and Key Packages and Backup Restore Passwords Only. The key package is used to recover data on a physically damaged drive.
In addition, it makes sense to activate the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. This ensures that BitLocker will wait until mobile users are reconnected to AD before it encrypts the data.
Manually saving keys afterwards
If the group policy is enabled after the drives are already encrypted, it has no effect on those drives, and the key has to be transferred to the Active Directory manually. The command line tool manage-bde.exe is capable of doing this. First, you determine the ID of the numeric password protector for drive c:
manage-bde -protectors -get c:
Then you pass this information to the second command:
manage-bde -protectors -adbackup c: -id "{ID-of-numeric-password}"
Reading recovery keys in the Active Directory
In order to access the recovery key, two features must be installed on the administrator computer: BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools.
This can be done on a server using the Add Roles and Features wizard in the Server Manager. On a workstation, they are part of the RSAT.
After that, a new tab labeled BitLocker Recovery should appear in Active Directory Users and Computers when you open a computer object.

Installing the BitLocker tools gives Active Directory users and computers a tab for the recovery key
For computers with encrypted drives, the corresponding recovery key can be found here.
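The two manual steps above, as an added PowerShell example that is not from the original article: the client-side backup (the PowerShell equivalent of manage-bde -protectors -adbackup) and an administrator-side query that reads the msFVE-RecoveryInformation objects back from the AD and lists the computers of an OU that still have none. It assumes the BitLocker module on the client, the ActiveDirectory module (RSAT) on the admin workstation, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original article. Run Backup-RecoveryPasswordsToAD on the
# encrypted client; run the two Get-* functions on an admin workstation with RSAT.

# Client side: push every recovery password protector of every volume into AD DS.
# manage-bde calls this protector "Numerical Password"; the module calls it RecoveryPassword.
function Backup-RecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $protectors) {
            Write-Warning "$($vol.MountPoint): no recovery password protector, nothing to back up"
            continue
        }
        foreach ($p in $protectors) {
            # Fails (instead of silently skipping) when no domain controller is reachable,
            # which is exactly the case the GPO option "Do not enable BitLocker until ..." covers.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Output "$($vol.MountPoint): backed up protector $($p.KeyProtectorId)"
        }
    }
}

# Admin side: the recovery information is stored as child objects of the computer object,
# one msFVE-RecoveryInformation object per protector. The object name carries the backup
# time and the protector GUID; the password itself is in msFVE-RecoveryPassword.
function Get-ADBitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                ProtectorEntry   = $_.Name
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
                BackedUp         = $_.whenCreated
            }
        }
}

# Admin side: find computers in an OU that have no recovery information at all in AD,
# i.e. machines encrypted before the GPO took effect and never backed up manually.
function Get-ComputersWithoutRecoveryInfo {
    param([string]$SearchBase = 'OU=Workstations,DC=example,DC=local')   # placeholder OU
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $entries = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                                -SearchBase $c.DistinguishedName -SearchScope OneLevel
        if (-not $entries) { $c.Name }
    }
}
```

Get-ComputersWithoutRecoveryInfo only proves that some key was backed up, not that it is the current one; after a protector is regenerated, rerun the backup and compare the GUID in the entry name with the ID shown by manage-bde -protectors -get.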
Delegation
By default, only users in the Domain Admins group can view BitLocker recovery keys. This is not sufficient if, for example, the helpdesk should also have access to the recovery keys.
To grant users this permission, create a security group in the Active Directory (e.g., BitLocker) and add the desired users to it. After that, execute the command Delegate Control from the context menu of the OU in which the computers are located and whose keys should be accessible by the new group.
In the following dialog, you can activate Create a custom task to delegate.
Now set the authorization for "msFVE-RecoveryInformation" objects.
Full access is required here.
This enables users in the security group to view the recovery keys.
Nice post, thanks.