Knowledge Base: Public
Category: Information Security / Other

Question

How do I implement BitLocker in my department OU?

Answer

If you choose to implement BitLocker via Group Policy in your OU, we recommend the following method:

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
  2. Select Choose how BitLocker-protected operating system drives can be recovered and edit the policy
  3. Enable the policy and ensure the following options are set (some are checkboxes, others are drop-down selections):
    • Allow data recovery agent
    • Allow 48-digit recovery password
    • Allow 256-bit recovery key
    • Omit recovery options from the BitLocker setup wizard
    • Save BitLocker recovery information to AD DS for operating system drives
    • Store recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives

Once the policy has applied to the machine (run "gpupdate /force" or wait for the next refresh), turn BitLocker on through the Control Panel. The wizard will ask you to take ownership of the Trusted Platform Module (TPM); do so. If the machine already has BitLocker enabled, you have two options:

  1. Decrypt the operating system drive, turn off the TPM, and walk through the above process so that the recovery information is stored in Active Directory Domain Services (AD DS), or
  2. Force the already-encrypted machine to back up its recovery information to AD DS from an elevated PowerShell (or Command Prompt) window:
    • Type "manage-bde -protectors -get c:" to list the volume's key protectors, and note the ID shown under "Numerical Password"
    • Then type "manage-bde -protectors -adbackup c: -id '{<numerical password ID>}'" (keep the braces inside the quotes so PowerShell passes the ID through unchanged)
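The manual two-command procedure above, carried through end to end as an added example (this is not code from the original article): it finds every numerical password protector on the drive, creates one if the volume is TPM-only, backs each up with manage-bde, and then reads the msFVE-RecoveryInformation object back from AD DS to prove the escrow happened before the machine is deployed. It assumes an elevated PowerShell session on the domain-joined client, English manage-bde output (the "Numerical Password" label is locale dependent), and, for the verification step, the RSAT ActiveDirectory module plus rights to read the OU's recovery objects. The function names and $MountPoint are this example's own choices.

```powershell
# Added example, not part of the original article: escrow the recovery password
# protector(s) of an already-encrypted OS drive to AD DS with manage-bde, then
# read the msFVE-RecoveryInformation object back to confirm the escrow.
# Assumptions: elevated PowerShell on the domain-joined client; English manage-bde
# output; RSAT ActiveDirectory module and read rights on the OU's recovery
# objects for the verification step. Function names and $MountPoint are ours.
$MountPoint = 'C:'

function Get-RecoveryPasswordIds {
    param([string]$Volume)
    # manage-bde prints each protector as a header ("Numerical Password:") followed
    # by an indented "ID: {GUID}" line. Capture only GUIDs under that header, so a
    # TPM or DRA protector is never handed to -adbackup.
    $text = (& manage-bde -protectors -get $Volume) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Volume failed (exit $LASTEXITCODE)" }
    $pattern = 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]{36}\})'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAD {
    param([string]$Volume, [string]$ProtectorId)
    # The braces are quoted so PowerShell passes the ID to manage-bde untouched.
    & manage-bde -protectors -adbackup $Volume -id "$ProtectorId" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-RecoveryEscrowed {
    param([string]$ProtectorId)
    # Recovery objects are children of the computer object and are named
    # "<timestamp>{<protector GUID>}", so match on the GUID suffix.
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $objs = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -SearchBase $computerDn
    return [bool]($objs | Where-Object { $_.Name -like "*$ProtectorId" })
}

$ids = @(Get-RecoveryPasswordIds -Volume $MountPoint)
if ($ids.Count -eq 0) {
    # TPM-only volume: nothing can be escrowed until a numerical password exists.
    & manage-bde -protectors -add $MountPoint -RecoveryPassword | Out-Null
    $ids = @(Get-RecoveryPasswordIds -Volume $MountPoint)
}

foreach ($id in $ids) {
    if (Backup-RecoveryPasswordToAD -Volume $MountPoint -ProtectorId $id) {
        Write-Host "Backed up protector $id to AD DS"
    } else {
        Write-Warning "AD DS backup of $id failed; confirm the AD DS backup policy above has applied to this machine"
    }
    # Verification only runs where the AD module is present (e.g. an admin workstation).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        if (Test-RecoveryEscrowed -ProtectorId $id) {
            Write-Host "Verified $id is present under the computer object"
        } else {
            Write-Warning "$id not found in AD DS yet; check replication before deploying the machine"
        }
    }
}
```

The read-back is the part worth keeping: manage-bde returning success only tells you the client handed the password to a domain controller. If your admin session queries a different DC than the one the client wrote to, the object can be missing for one replication interval, so a failed verification right after backup means "wait and re-check", not "re-run the backup".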

If you enable BitLocker as part of a Microsoft Deployment Toolkit (MDT) task, then you will need to enable an additional GPO setting:

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption
  2. Select Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
  3. Enable the policy and ensure the following options are in place:
    • Require BitLocker backup to AD DS: Checked
    • Select BitLocker recovery information to store: Recovery passwords and key packages
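Before enabling BitLocker on a client, it is worth checking that both policies above (the operating-system-drive recovery policy from the first section and the legacy AD DS backup policy needed for MDT) have actually applied to that machine. The following audit script is an added example, not part of the original article. It reads the registry values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the settings the article asks for; the value names and meanings are taken from the BitLocker ADMX template (VolumeEncryption.admx) and should be confirmed against the ADMX shipped with your Windows version. The function name is this example's own.

```powershell
# Added example, not from the original article: audit the effective BitLocker
# escrow policy on a client. Run after "gpupdate /force". Registry value names
# and meanings come from VolumeEncryption.admx; confirm against your version.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values for the two policies described in this article.
$expected = [ordered]@{
    # "Choose how BitLocker-protected operating system drives can be recovered"
    OSRecovery                     = 1  # policy Enabled
    OSManageDRA                    = 1  # Allow data recovery agent
    OSRecoveryPassword             = 2  # Allow 48-digit recovery password (1 = Require, 0 = Do not allow)
    OSRecoveryKey                  = 2  # Allow 256-bit recovery key (same encoding)
    OSHideRecoveryPage             = 1  # Omit recovery options from the setup wizard
    OSActiveDirectoryBackup        = 1  # Save recovery information to AD DS for OS drives
    OSActiveDirectoryInfoToStore   = 1  # Recovery passwords and key packages (2 = passwords only)
    OSRequireActiveDirectoryBackup = 1  # Do not enable BitLocker until stored to AD DS
    # Legacy "Store BitLocker recovery information in AD DS (Server 2008 / Vista)", needed for MDT
    ActiveDirectoryBackup          = 1  # policy Enabled
    RequireActiveDirectoryBackup   = 1  # Require BitLocker backup to AD DS
    ActiveDirectoryInfoToStore     = 1  # Recovery passwords and key packages
}

function Test-BitLockerEscrowPolicy {
    param(
        [string]$Path = $fve,
        [System.Collections.IDictionary]$Expected = $expected
    )
    # A missing key means no BitLocker policy reached this machine at all.
    $actual = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $Expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [PSCustomObject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value            # $null when the value is absent
            Ok       = ($value -eq $Expected[$name])
        }
    }
}

$report = Test-BitLockerEscrowPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Policy not fully applied; BitLocker could be enabled without escrowing its recovery password.'
} else {
    Write-Host 'All expected escrow settings are present.'
}
```

The setting that matters most for the failure mode this article is guarding against is OSRequireActiveDirectoryBackup: without it, a machine that cannot reach a domain controller during the wizard (for example, imaging on an isolated network) encrypts anyway and its recovery password exists only on that machine.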

Regardless of the method used to enable BitLocker, it is important that you verify that the BitLocker Recovery Key exists in either AD DS or in a recovery key file that you secure prior to deploying the system for use.


BitLocker Key Recovery Process

If you need to unlock a disk on a machine using BitLocker, a department administrator may retrieve the recovery key from AD DS using Active Directory Users and Computers (ADUC) or PowerShell. You must be an administrator for the OU in order to read BitLocker recovery keys from AD DS.

If the department administrator does not have access or is otherwise unavailable, please submit a help request which includes the recovery key identification (the first 8 characters at least) and, optionally, the computer name.

Retrieving via ADUC:

  1. Open up Active Directory Users and Computers (ADUC)
  2. Open the computer object properties pane
  3. Navigate to the "BitLocker Recovery" tab.

[Screenshot: ADUC properties for test-testcomputer01, BitLocker Recovery tab, with the recovery password obscured]

Retrieving via ADUC if you only have the Recovery ID:

  1. Open up Active Directory Users and Computers (ADUC)
  2. Right-Click on the domain "ou.ad3.ucdavis.edu"
  3. Select "Find BitLocker recovery password"
  4. Enter in the first 8 characters of the recovery ID and click "Search" 

Installing BitLocker Password Viewer: 

If the "BitLocker Recovery" tab or the "Find BitLocker recovery password" option is missing, install the Remote Server Administration Tools (RSAT) feature "BitLocker Recovery Password Viewer":

Add Roles and Features -> Features -> Remote Server Administration Tools -> Feature Administration Tools -> BitLocker Drive Encryption Administration Utilities -> BitLocker Recovery Password Viewer

[Screenshot: Add Roles and Features wizard, RSAT, BitLocker Recovery Password Viewer selected]

Retrieving via PowerShell:

Run the following command replacing 'TEST-TestComputer01' with the AD computer name that you are retrieving the key for.

Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase (get-adcomputer "TEST-TestComputer01").DistinguishedName -Properties 'msFVE-RecoveryPassword'

If you do not know the computer name, but you do know the 'Recovery ID', then use the following replacing 'ABCD1234-ABCD-1234-AA11-A1B2C3D4E6F7' with the ID that you are retrieving the key for.

Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -Properties 'cn','msFVE-RecoveryPassword' | Where-Object {$_.cn -match "ABCD1234-ABCD-1234-AA11-A1B2C3D4E6F7"}
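The two one-liners above work, but the second one pulls every recovery object in the domain to the workstation and filters there, and neither tells you which computer a key belongs to when you searched by ID. The function below is an added example, not code from the original article, that wraps both lookups: it accepts either a computer name or the first 8 or more characters of a recovery ID (the fragment a user reads from the recovery screen, as the help-request section asks for), pushes the match into the LDAP filter so the domain controller does the work, and walks up the DN to report the owning computer. It assumes the RSAT ActiveDirectory module and OU-administrator read rights; the function name, its parameters and the OU placeholder in the usage lines are this example's own.

```powershell
# Added example, not part of the original article: look up BitLocker recovery
# passwords by computer name or by a recovery ID prefix, server-side filtered,
# reporting the computer each key belongs to. Requires RSAT ActiveDirectory and
# read access to the OU's msFVE-RecoveryInformation objects.
function Find-BitLockerRecoveryPassword {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory = $true)]
        [string]$ComputerName,
        [Parameter(ParameterSetName = 'ByRecoveryId', Mandatory = $true)]
        [string]$RecoveryId,
        # Optional OU distinguished name to narrow a prefix search.
        [string]$SearchBase
    )
    $props = 'Name', 'msFVE-RecoveryPassword', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are children of the computer object, so search beneath it.
        $base = (Get-ADComputer -Identity $ComputerName).DistinguishedName
        $objs = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                             -SearchBase $base -Properties $props
    } else {
        # Object names look like "<timestamp>{<recovery GUID>}", so a GUID prefix
        # becomes a "*{prefix*" wildcard that LDAP evaluates on the DC.
        $prefix = $RecoveryId.Trim('{', '}')
        if ($prefix -notmatch '^[0-9A-Fa-f-]{8,36}$') {
            throw 'Recovery ID must be at least the first 8 hex characters of the ID.'
        }
        $query = @{
            Filter     = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$prefix*'"
            Properties = $props
        }
        if ($SearchBase) { $query.SearchBase = $SearchBase }
        $objs = Get-ADObject @query
    }

    foreach ($o in $objs) {
        # Strip the leading RDN to get the parent (computer) DN.
        $computerDn = $o.DistinguishedName -replace '^CN=[^,]+,', ''
        [PSCustomObject]@{
            Computer         = (Get-ADComputer -Identity $computerDn).Name
            RecoveryId       = [regex]::Match($o.Name, '\{([0-9A-Fa-f-]+)\}').Groups[1].Value
            Created          = $o.whenCreated
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (the OU name is a placeholder for your department OU):
# Find-BitLockerRecoveryPassword -ComputerName 'TEST-TestComputer01'
# Find-BitLockerRecoveryPassword -RecoveryId 'ABCD1234' `
#     -SearchBase 'OU=<your department OU>,DC=ou,DC=ad3,DC=ucdavis,DC=edu'
```

A computer that has been encrypted more than once, or had a new recovery password added, has several recovery objects; the Created column lets you hand the user the current one rather than a stale password. Treat the output as a secret: display it to the person at the recovery screen, do not redirect it to a file or paste it into a ticket.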


More information from Microsoft on BitLocker encryption and implementation:

Windows 7:

http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc731549(v=ws.10).aspx

Windows 8:

http://technet.microsoft.com/en-us/library/hh831713.aspx