BitLocker uses symmetric encryption methods to encrypt drives. The key used for this is protected by two encryption layers. On the top layer, different kinds of protectors grant access to the drive. However, not all are equally secure or suitable for all drives.

Microsoft refers to the key that BitLocker uses to encrypt the sectors of a drive as the full volume encryption key (FVEK). Anyone possessing this key can decrypt the data on the drive. Hence, it is crucial to protect the FVEK from unauthorized access.

BitLocker, in turn, encrypts the FVEK with the volume master key (VMK) and stores both on the encrypted drive in an area of the volume header that remains unencrypted. Otherwise, BitLocker would lock itself out.

Protectors safeguard the volume master key

To access the FVEK, you need the VMK. Therefore, it is also essential to protect the VMK from unauthorized access. BitLocker uses the following protectors for this task:

  • TPM
  • TPM with PIN
  • TPM with startup key
  • TPM with PIN and startup key
  • Password
  • Recovery password
  • External recovery key
  • Recovery agent or Network Unlock certificate
  • User or group from Active Directory

Each protector receives a copy of the VMK, which it encrypts using its own means.

TPM, PIN, and startup key

The combination of TPM, PIN, and/or startup key is exclusive to the operating system drive. By default, BitLocker uses only TPM, allowing the computer to be unlocked without user intervention.

Key protectors based on the Trusted Platform Module (TPM)

The TPM encrypts the VMK with its public key and decrypts it during the computer's startup using its private key. Additionally, it assesses the system's integrity by examining the values stored in the Platform Configuration Registers (PCRs). The TPM releases the VMK only if the computer passes this verification.

When combining TPM authentication with a PIN or a startup key, the VMK must also be successfully decrypted by these mechanisms before it becomes accessible.

Recovery key

If unlocking a drive using the configured protector fails, for instance, due to hardware changes or the user forgetting the PIN, then an alternative option is needed to access the VMK.

For this reason, when BitLocker is activated, it generates a 48-digit numerical recovery password by default. In theory, it could be used as the only protector, requiring manual input every time the computer boots. However, this approach is not practical.

Unless otherwise specified by group policy, BitLocker creates a recovery password when it is activated

If the recovery key falls into the hands of an attacker, they can use it to unlock the drive in recovery mode. Therefore, storing the key securely and using it only in an emergency is essential. If the computer is a member of a domain, Active Directory can be used as storage for the recovery key.

Passwords

While the combination of TPM and PIN offers the best balance of security and user convenience, the opposite is true for passwords. They provide the weakest protection, and their use is inconvenient if the password must meet a high level of complexity. Password complexity can be enforced using group policies.

The complexity of passwords can be enforced through Group Policy

BitLocker allows an unlimited number of password entry attempts, which does open up the possibility of brute-force attacks. That's why using a password as the sole protector for system drives without additional TPM configuration is not allowed by default.

External key

BitLocker supports two types of keys stored on USB drives: the startup key and the recovery key. The former can be used in combination with a TPM or on older PCs without a TPM. The recovery key, on the other hand, is used for emergencies.

Options for unlocking an encrypted drive; a clear key is present when BitLocker is temporarily paused

Technically, there seems to be no significant difference between the two options, as the help text of manage-bde describes SaveExternalKey, the common parameter for both types, as follows:

These external key files can be used as either a startup key or a recovery key.

Auto unlock and SID protector

Both mechanisms simplify access to data drives by eliminating the need for users to enter passwords. However, they are subject to certain conditions.

Auto unlock requires the system drive to be protected with BitLocker. Windows stores the key used to encrypt the VMK of the data drive in the registry. Therefore, an unprotected system drive would be a poor storage location for this key.

Enable auto unlock for data and removable drives via BitLocker management

The ADAccountOrGroup (also called SID) protector automatically unlocks a data drive when the configured groups or users from Active Directory are logged in. Any other user logging into the computer will not have automatic access to the specified drive.

Recovery agent

Recovery agents are suitable only for data drives, not for system drives. They can unlock a system drive only when the computer is booted from another disk, so that the system disk is accessed like a data drive.

The certificate for recovery agents must be stored in the local store of each computer on which you want to unlock a drive. Therefore, this technique is suitable, for example, when the helpdesk receives encrypted USB sticks from employees who have forgotten their respective passwords.

Network Unlock

Authentication with TPM and PIN requires physical access to the computer during startup or when it wakes from hibernation. This can be an obstacle for remote management, where PCs boot up via Wake-on-LAN. For this case, Microsoft offers BitLocker Network Unlock.

Adding the protector is just one part of the configuration. Additionally, it requires a specific certificate, Windows Deployment Services, and a DHCP server.

Managing protectors

Microsoft recommends using a combination of Group Policy, PowerShell, and manage-bde to manage key protectors. For all three types of drives, there is a Group Policy setting called Choose how BitLocker-protected <drive type> can be recovered.

With this setting, you can allow, enforce, or deny the use of recovery agents, recovery passwords, and external recovery keys.

Group Policy settings to specify the allowed protectors for recovery

For operating system drives, there are additional settings, such as Allow network unlock at startup and Require additional authentication at startup.

The former refers to Network Unlock, while the latter deals with protectors that BitLocker does not support for data and removable drives. This includes combinations of TPM, PIN, and startup keys.

Settings for TPM-based authentication

The settings configured in Group Policy determine the behavior of the BitLocker activation wizard found in the Control Panel. Depending on the configured policies, the wizard may no longer offer blocked protectors or, conversely, may require setting a PIN or password.

Group Policy also prevents the creation of unauthorized protectors when users attempt to add them with PowerShell or manage-bde. However, not all protectors can be blocked using Group Policy, which means that certain protectors, such as auto unlock or SID protectors, cannot be prevented.

Adding a protector

The BitLocker PowerShell module includes a cmdlet to add a protector:

Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector

In this example, it generates a new recovery password. The cmdlet also provides a separate parameter for each type of protector.

Add a protector for TPM and PIN using PowerShell

The manage-bde.exe utility requires the following command for this task:

manage-bde.exe -protectors -add c: -RecoveryPassword

To view configured protectors with PowerShell, proceed as follows:

Get-BitLockerVolume -MountPoint "c:" | select -ExpandProperty KeyProtector

To check the BitLocker status and view the configured protectors using manage-bde.exe, use the following:

manage-bde -status c:

The status displayed by manage-bde also contains an overview of the configured Key Protectors

To remove a protector from a drive using PowerShell, enter this command:

Remove-BitLockerKeyProtector -MountPoint "c:" `
-KeyProtectorId "{6A2DEFC2-2348-4A5B-9337-F3E2B33B5943}"

The ID of the protector can be found in the output of Get-BitLockerVolume or manage-bde, as shown in the examples above.

To remove a protector using manage-bde.exe, execute this command:

manage-bde -protectors -delete C: -id {6A2DEFC2-2348-4A5B-9337-F3E2B33B5943}

Alternatively, to remove all protectors of a specific type, use the following:

manage-bde -protectors -delete c: -Type RecoveryPassword
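Since Group Policy cannot block every protector, an audit of what is actually configured is the practical check. The following script is an added example, not part of the article or the BitLocker module; it reads the protector list through Get-BitLockerVolume and flags an OS drive without TPM+PIN, a volume without a recovery password, and data drives that rely on a lone password, auto unlock, or a SID protector. The baseline it enforces and the property name AutoUnlockEnabled are assumptions of this example.

```powershell
# Added example: audit BitLocker protectors against a simple baseline.
# Requires the BitLocker module in an elevated Windows PowerShell session.
function Test-BitLockerProtectorBaseline {
    param(
        # Volumes to audit; defaults to every volume the module reports.
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    foreach ($v in $Volume) {
        # KeyProtectorType values such as Tpm, TpmPin, RecoveryPassword, Password,
        # ExternalKey and AdAccountOrGroup, compared as strings.
        $types    = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($v.ProtectionStatus -ne 'On') {
            $findings.Add('protection is off; a clear key is present while BitLocker is paused')
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add('no recovery password; a lockout cannot be recovered')
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
                $findings.Add('OS drive is not protected by TPM+PIN')
            }
        } else {
            # Protectors that Group Policy cannot block on data drives.
            if ($types -contains 'AdAccountOrGroup') {
                $findings.Add('SID protector present; Group Policy cannot block it')
            }
            if ($v.AutoUnlockEnabled) {   # assumed property of the volume object
                $findings.Add('auto unlock enabled; VMK key is kept in the OS drive registry')
            }
            # Everyday unlock protectors, i.e. everything except recovery material.
            $unlock = @($types | Where-Object { $_ -ne 'RecoveryPassword' })
            if ($unlock.Count -eq 1 -and $unlock[0] -eq 'Password') {
                $findings.Add('password is the only unlock protector; retries are unlimited')
            }
        }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = [string]$v.VolumeType
            Protectors = ($types -join ', ')
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-BitLockerProtectorBaseline | Format-Table -AutoSize
```

Run it after changing protectors with Add-BitLockerKeyProtector or manage-bde to confirm that the drive still matches the intended baseline.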

Summary

Key protectors are a central concept of BitLocker, and admins are regularly confronted with them when users are unable to unlock their computers. However, you shouldn't care about these protection mechanisms only when problems occur.

Instead, as part of a good BitLocker deployment plan, it is essential to think in advance about how to protect the VMK. For operating system drives, the decision often leans toward TPM combined with a PIN.

For data drives and removable devices, there are several options, and the choice depends on the specific environment's requirements. Some of these options can be enforced through Group Policy, and their management is typically done through PowerShell or manage-bde.
