Backing Up BitLocker Recovery Information to AD DS

Most organizations are concerned about the security of the data on their mobile users' laptops. What happens if a laptop is lost or stolen? How can we ensure that the data on it does not fall into the wrong hands? The best answer is encryption. Rather than installing third-party software to do the encryption, Microsoft has built the BitLocker drive encryption feature into the operating system.


If you are looking at implementing BitLocker in an enterprise environment, one of the most important things is to manage the BitLocker recovery keys for every computer in your organization. In some cases BitLocker will prompt for the recovery key, for example when it detects certain changes to the partition layout or boot configuration, or when the user forgets the PIN or password that unlocks the drive.

BitLocker can use an enterprise’s existing Active Directory Domain Services (AD DS) infrastructure to remotely store recovery keys.

Here is the step-by-step procedure to store and view BitLocker recovery keys in AD DS.

Step 1: Verify your schema is ready

If you are on Windows Server 2008 or later and have PowerShell with the Active Directory module, you can run the following command.

Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like "ms-FVE-*"}

After running the command you should see output listing the ms-FVE-* schema objects. If nothing is returned, you will need to extend your schema.
(For more info: https://technet.microsoft.com/en-us/library/jj635854.aspx)

Step 2: Set the required permissions to view Recovery Information

Next, we need to delegate some rights on the targeted OU to a specific group.

Right click on the targeted OU and select Delegate Control.

Add the users or groups that need to view the recovery keys.

Select Create a custom task to delegate.

Choose "Only the following objects in the folder" and check msFVE-RecoveryInformation objects.

Give Full Control on this object type, then click Finish to close the wizard.

Step 3: Configure group policy to back up BitLocker and TPM recovery information to Active Directory

Now that Active Directory is ready to store the BitLocker and TPM recovery information, we need a policy that tells the computers to push their BitLocker and TPM recovery information to Active Directory.

There are four categories of Group Policy settings available for BitLocker Drive Encryption:

  • Global settings that affect all BitLocker-protected drives
  • Operating system drive settings
  • Fixed data drive settings
  • Removable data drive settings

Create a new Group Policy Object and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption. Here you enable the "Store BitLocker recovery information in Active Directory Domain Services" setting.

Then navigate to Computer Configuration -> Administrative Templates -> System -> Trusted Platform Module Services and enable the "Turn on TPM backup to Active Directory Domain Services" setting.

My final Group Policy Object looks like the following.

Step 4: Install the BitLocker Password Recovery Viewer

On your domain controller, open Server Manager -> Manage -> Add Roles and Features.
Click Next until you reach the Select Features window and check the BitLocker Drive Encryption check box.

Click the Add Features button to add the additional features it depends on.

Finally click Install to install the selected features, and after the installation has succeeded, restart the server.

After the feature installation, open the Active Directory Users and Computers management console.
Then open the properties of a computer object and you will see a new tab called "BitLocker Recovery".

Sometimes you don't have the computer name because the remote user doesn't know it. You only have the first 8 characters of the recovery password ID shown on the BitLocker recovery screen.
We can search for that 8-character code across all computer objects:

Right-click on your domain name.
Select Find BitLocker Recovery Password.

Enter the first 8 characters and click Search. You will find the computer and the recovery password.
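The same checks and lookups done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) on the admin workstation and the BitLocker module on a client running Windows 8 / Server 2012 or later; the function names are my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT) for the first two functions and the BitLocker module for the third.
Import-Module ActiveDirectory

# Step 1 equivalent: confirm the ms-FVE-* schema classes and attributes exist.
function Test-BitLockerSchema {
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $objs = Get-ADObject -SearchBase $schema -Filter { Name -like "ms-FVE-*" }
    if (-not $objs) {
        Write-Warning "No ms-FVE-* schema objects found; extend the schema first."
        return $false
    }
    $objs | Select-Object Name, ObjectClass
    return $true
}

# Step 4 equivalent: find a recovery password from the first 8 hex characters of the
# Password ID. Each msFVE-RecoveryInformation object is a child of its computer object
# and its CN has the form "<timestamp>{<Password ID GUID>}", so we match on the CN.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]   # only accept the 8-char prefix
        [string]$PasswordIdPrefix
    )
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))"
    Get-ADObject -LDAPFilter $filter -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # The parent DN (everything after the first comma) is the computer object.
            $computerDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer         = (Get-ADObject -Identity $computerDn).Name
                Created          = $_.whenCreated
                PasswordId       = $_.Name
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# On a client: push the existing recovery password protector(s) of a drive to AD DS.
# The GPO only backs up keys at encryption time, so drives encrypted before the policy
# applied need this (or "manage-bde -protectors -adbackup") to appear in AD.
function Backup-ExistingRecoveryPasswordToAD {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No RecoveryPassword protector on $MountPoint." }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}
```

Run Test-BitLockerSchema and Find-BitLockerRecoveryPassword from an account in the group delegated in Step 2; Backup-ExistingRecoveryPasswordToAD must run elevated on the domain-joined client itself.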
