How to Store BitLocker Recovery Keys in Active Directory (AD DS)

Did you know you can store BitLocker recovery keys in Active Directory? You can, and it is a very handy tool: when a device drops into BitLocker recovery (after a firmware update, a TPM clear or a motherboard swap, for example), the help desk can read the 48-digit recovery password from the computer object in AD DS instead of hoping the user kept a copy.


Prerequisites
  • Windows 10 Pro, Windows 10 Education, or Windows 10 Enterprise Edition.
  • Domain connected computer
  • Active Directory Domain Services (a Windows Server 2008 or later schema, which includes the msFVE-RecoveryInformation object class used to store the keys)
  • Group Policy Management Console (GPMC)
  • PowerShell (optional)

How to Implement

You need to configure a few settings in a Group Policy Object (GPO) before BitLocker recovery information will be stored in Active Directory.
Open Group Policy Management and create a new GPO. If you are used to creating GPOs in your organization, you already know where it belongs; the settings live under Computer Configuration, so the GPO must be linked to an OU that contains the computer accounts you want covered.

Generally there is a "Workstations" OU to link the newly created GPO under. However, every organization's setup is different.

If you do have a "Workstations" OU, right-click it and select "Create a GPO in this Domain, and Link it here...". Name the GPO BitLocker Recovery Storage, then right-click the newly created GPO and click Edit.
Under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption, configure the following settings. There is one policy per drive type, and the items listed under each policy are the options inside that policy:

Fixed Data Drives

Policy: Choose how BitLocker-protected fixed drives can be recovered
Setting: Enabled
Options within the policy:
  • Allow data recovery agent: unchecked (Disabled)
  • Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Require 256-bit recovery key
  • Omit recovery options from the BitLocker setup wizard: unchecked (Disabled)
  • Save BitLocker recovery information to AD DS for fixed data drives: checked (Enabled)
  • Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  • Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: checked (Enabled)

Operating System Drives

Policy: Choose how BitLocker-protected operating system drives can be recovered
Setting: Enabled
Options within the policy:
  • Allow data recovery agent: unchecked (Disabled)
  • Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
  • Omit recovery options from the BitLocker setup wizard: unchecked (Disabled)
  • Save BitLocker recovery information to AD DS for operating system drives: checked (Enabled)
  • Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: checked (Enabled)

Removable Data Drives

Policy: Choose how BitLocker-protected removable drives can be recovered
Setting: Enabled
Options within the policy:
  • Allow data recovery agent: unchecked (Disabled)
  • Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Require 256-bit recovery key
  • Omit recovery options from the BitLocker setup wizard: unchecked (Disabled)
  • Save BitLocker recovery information to AD DS for removable data drives: checked (Enabled)
  • Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  • Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: checked (Enabled)

With the above settings applied, the next time BitLocker is turned on for a drive on a device in scope, the recovery password is written to AD DS as a child object of the computer account before encryption proceeds (that is what "Do not enable BitLocker until recovery information is stored to AD DS" enforces). In Active Directory Users and Computers it shows up under the BitLocker Recovery tab of the computer's properties; that tab only appears when the BitLocker Recovery Password Viewer feature from RSAT is installed on the machine running the console.
Note that this process is not retroactive: from the point the GPO applies, every newly encrypted drive is stored automatically, but nothing is done for drives that were already encrypted.

Devices you encrypted before the GPO existed will not be stored automatically. You can back up their recovery information manually with manage-bde from an elevated PowerShell prompt.
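To check from PowerShell what the BitLocker Recovery tab would show, here is an added example (not code from the original post) that lists the recovery information escrowed for one computer and can confirm that a specific protector ID, such as the one printed under "Numerical Password" by manage-bde -protectors -get, has actually reached AD DS. It assumes the ActiveDirectory module from RSAT and an account permitted to read msFVE-RecoveryInformation objects; the computer name in the usage line is made up.

```powershell
# Added example, not from the original post: read back the BitLocker recovery
# information that AD DS holds for one computer (what the BitLocker Recovery
# tab in Active Directory Users and Computers displays).
# Assumes the ActiveDirectory module (RSAT) and an account permitted to read
# msFVE-RecoveryInformation objects; the computer name in the usage line is an
# assumption for illustration.
Import-Module ActiveDirectory

function Get-EscrowedBitLockerRecoveryInfo {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: a protector ID such as the one printed under "Numerical Password"
        # by "manage-bde -protectors -get C:", to verify that this particular
        # recovery password has been escrowed.
        [string] $ProtectorId,
        # The recovery password decrypts the disk; only reveal it when it is needed.
        [switch] $ShowPassword
    )

    $computer = Get-ADComputer -Identity $ComputerName

    # Each escrowed recovery password is a child object of the computer account,
    # of class msFVE-RecoveryInformation, named "<backup timestamp>{<protector GUID>}".
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, whenCreated

    $results = foreach ($entry in $entries) {
        # The protector GUID is the trailing {...} part of the object name.
        $id = if ($entry.Name -match '(\{[0-9A-Fa-f-]{36}\})$') { $Matches[1].ToUpper() } else { $null }
        [pscustomobject]@{
            ComputerName     = $computer.Name
            ProtectorId      = $id
            BackedUpAt       = $entry.whenCreated
            RecoveryPassword = if ($ShowPassword) { $entry.'msFVE-RecoveryPassword' } else { '<hidden>' }
        }
    }

    if ($ProtectorId) {
        $wanted = ([guid]$ProtectorId).ToString('B').ToUpper()   # normalise to {XXXXXXXX-...}
        $match = @($results | Where-Object { $_.ProtectorId -eq $wanted })
        if ($match.Count -eq 0) {
            Write-Warning "No recovery password with ID $wanted is stored for $($computer.Name); the backup did not reach AD DS."
        }
        return $match
    }
    return $results
}

# Usage (computer name is an assumption):
Get-EscrowedBitLockerRecoveryInfo -ComputerName 'WS01' | Format-Table -AutoSize
```

Reading msFVE-RecoveryPassword is equivalent to holding the key to the disk, so delegate read access on these objects to the help desk group rather than handing out Domain Admins, and leave the password hidden in day-to-day listings; the -ShowPassword switch exists for the actual recovery case.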

Manually Adding Recovery Key Information for Previously Encrypted Devices with manage-bde
Open an elevated PowerShell window on the encrypted device. manage-bde is a command-line tool rather than a cmdlet, so the same commands also work from an elevated Command Prompt.

First, you need the ID of the recovery password protector. Run the following command (add -cn <ComputerName> at the end to target a remote machine instead of the local one):

PS> manage-bde -protectors -get C:

The command outputs information similar to the following (the IDs and the password are zeroed out here):

Volume C: [Windows]
All Key Protectors
TPM:
ID: {00000000-0000-0000-0000-000000000000}
PCR Validation Profile:
0, 2, 4, 5, 8, 9, 10, 11
Numerical Password:
ID: {00000000-0000-0000-0000-000000000000}
Password:
000000-000000-000000-000000-000000-000000-000000-000000

From the output above, copy the ID shown under the Numerical Password section ({00000000-0000-0000-0000-000000000000}), not the one under TPM: only a recovery password (numerical password) protector can be backed up to AD DS, and manage-bde rejects other protector IDs. Treat the 48-digit password printed on the same screen as a secret; do not paste it into a ticket or a chat.

After copying the ID, run the following command (again with -cn <ComputerName> for a remote machine). The backup is per volume, so repeat it for every encrypted drive on the device:

PS> manage-bde -protectors -adbackup C: -id "{00000000-0000-0000-0000-000000000000}"

The command should produce the following output:

BitLocker Drive Encryption: Configuration Tool version 10.0.15063
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

If you see the above output, the computer's BitLocker recovery information was successfully backed up to AD DS.
For a small number of computers you could remote into each one and run the commands above by hand.

For a larger number of computers you will want a different approach, such as pushing the backup out as a script.
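One way to do that, as an added example that is not part of the original post: run the backup across a list of already-encrypted computers with the BitLocker PowerShell module, where Backup-BitLockerKeyProtector does the same job as manage-bde -protectors -adbackup. It needs PowerShell Remoting (WinRM) to the targets and local administrator rights on them; the input file, the report path and the host names are assumptions for illustration.

```powershell
# Added example, not from the original post: escrow every existing BitLocker
# recovery password on a list of already-encrypted computers, using the
# BitLocker PowerShell module (Backup-BitLockerKeyProtector is the cmdlet
# equivalent of "manage-bde -protectors -adbackup"). Requires PowerShell
# Remoting (WinRM) to the targets and local administrator rights on them.
# The input file, the report path and the host names are assumptions.
$computers = Get-Content -Path 'C:\Temp\encrypted-computers.txt'   # one host name per line (assumed)

$escrow = {
    # Runs on each target; emits one record per volume/protector so the caller
    # gets a report instead of console noise.
    Import-Module BitLocker
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow

        $passwords = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($passwords.Count -eq 0) {
            # Encrypted, but without a recovery password protector (a TPM-only
            # volume, for example). Only recovery passwords can be escrowed, so
            # report it; fix with Add-BitLockerKeyProtector -RecoveryPasswordProtector
            # and then back that new protector up.
            [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $null; Result = 'NoRecoveryPasswordProtector' }
            continue
        }

        foreach ($p in $passwords) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Result = 'BackedUpToADDS' }
            } catch {
                # Typical causes: no domain controller reachable, or the computer
                # account is not allowed to create child objects under itself.
                [pscustomobject]@{ Volume = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

$report = Invoke-Command -ComputerName $computers -ScriptBlock $escrow `
    -ErrorAction SilentlyContinue -ErrorVariable connectionErrors

$report | Select-Object PSComputerName, Volume, ProtectorId, Result | Format-Table -AutoSize

# Hosts that could not be contacted come back as errors rather than records; list them for a retry.
foreach ($err in $connectionErrors) {
    Write-Warning "Could not contact $($err.TargetObject): $($err.Exception.Message)"
}

# The report holds protector IDs and results, never the recovery passwords themselves.
$report | Select-Object PSComputerName, Volume, ProtectorId, Result |
    Export-Csv -Path 'C:\Temp\bitlocker-escrow-report.csv' -NoTypeInformation   # assumed path
```

If WinRM is not open to workstations, the inner script block can instead be deployed as a GPO computer startup script, where it runs locally as SYSTEM; either way the GPO's "Do not enable BitLocker until recovery information is stored to AD DS" option does nothing for these volumes, so the report is the only way to know which ones still have no escrowed password.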

