In this scenario you will back up the BitLocker recovery information for Example-Server01 to Active Directory, then retrieve the recovery password from Active Directory on another server and use it to unlock Example-Server01 again.
Task 1: Create a BitLocker recovery certificate template and issue a new recovery certificate
- Log on to Example-DC01 (Domain Controller).
- Open the Start screen and type Certification Authority and press Enter.
- In the left pane, expand Example-Example-DC01-CA and right click Certificate Templates and click Manage.
- On the Certificate Templates Console, right click Key Recovery Agent and click Duplicate Template.
- On the Properties of New Template window, select the Extensions tab, select Application Policies, click Edit and, in the Edit Application Policies Extension dialog box, click Add.
- Select BitLocker Drive Encryption and BitLocker Data Recovery Agent and then click OK twice.
- Click the General tab and type BitLocker Key Recovery as the Template display name, select Publish certificate in Active Directory and then click OK.
- Close both the Certificate Templates Console and Certification Authority windows.
- Open the Start screen and type cmd.exe and press Enter.
- Type the following commands, pressing Enter after each, to create a recovery certificate on the desktop. cipher.exe /r writes a self-signed Recovery-Cert.cer plus a Recovery-Cert.pfx that holds the private key, and prompts for a password to protect the .pfx (it does not enroll against the template created above). Move the .pfx off the desktop to a protected location once the exercise is done:
- cd desktop
- cipher.exe /r:Recovery-Cert
- Open the Start screen and type Group Policy Management and press Enter.
- Expand the following nodes Forest: Example.com > Domains > Example.com > Group Policy Objects and right click Default Domain Policy and click Edit.
- On the Group Policy Management Editor window, expand the following nodes Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and right click BitLocker Drive Encryption and click Add Data Recovery Agent.
- On the Welcome to the Add Recovery Agent Wizard page, click Next.
- On the Select Recovery Agents wizard page, click Browse Folders, select Recovery-Cert.cer from the desktop and click Open.
- Click Yes in the confirmation dialog about the certificate's validity and then click Next.
- On the Completing the Add Recovery Agent Wizard page, click Finish.
- Open the Start screen and type certmgr.msc and press Enter.
- In the left pane expand Certificates – Current User > Trusted Root Certification Authorities and right click Certificates and click All Tasks > Import.
- On the Welcome to the Certificate Import Wizard page, click Next.
- On the File to Import page, click Browse, select Recovery-Cert.cer from the desktop and click Open and then click Next twice and then Finish.
Task 2: Configure policies and commands to allow BitLocker recovery information to be backed up in Active Directory
- Log on to Example-DC01 as Example.com\Administrator and open the Start screen and type cmd.exe and press Enter.
- Download the VBScripts (Add-TPMSelfWriteACE.vbs, List-ACEs.vbs and Get-BitLockerRecoveryInfo.vbs) from here and put them in a BitLocker_Scripts folder on the C: drive.
- In the command prompt window, type the following commands and press Enter after each line. Add-TPMSelfWriteACE.vbs adds an ACE on the domain root that lets each computer write its own ms-TPM-OwnerInformation attribute, so it must run as an account that can modify the domain's ACL (Example.com\Administrator can):
- cd \
- cd BitLocker_Scripts
- cscript Add-TPMSelfWriteACE.vbs
- Log on to Example-Server01.
- Open the Start screen and type gpedit.msc and then press Enter.
- On the Local Group Policy Editor window, expand the following nodes in the left pane: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and then double click Choose how BitLocker-protected operating system drives can be recovered.
- In the policy window, click Enabled, ensure the following items are selected and then click OK (this exercise sets local policy on Example-Server01 only; in production the same settings belong in a domain GPO so every machine escrows its keys before encrypting):
- Allow data recovery agent
- Save BitLocker recovery information to AD DS for operating system drives
- Store recovery passwords and key packages
- Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
- Expand the following nodes in the left pane: Computer Configuration > Administrative Templates > System > Trusted Platform Module Services and then double click Turn on TPM backup to Active Directory Domain Services.
- In the policy window, click Enabled and then click OK.
- Go to Control Panel > System and Security > BitLocker Drive Encryption and beside drive C click Turn on BitLocker.
- On the Choose how you want to unlock this drive page, click Use a password to unlock the drive and type P@ssw0rdBL in both password fields.
- On the How do you want to back up your recovery key? page, click Save to a file, select \\Example-DC01\C$ as the location, click Save and then click Next. This is a lab convenience only: it leaves a plaintext copy of the recovery password on the domain controller's system drive, so delete that file once the exercise is finished.
- On the Are you ready to encrypt this drive? page, click Start encrypting to begin the BitLocker encryption process.
- Back on Example-DC01, in the command prompt window that is still open in C:\BitLocker_Scripts, enter the following command and press Enter:
- cscript List-ACEs.vbs
- Make sure you see results like the following. The single ACE is an object-specific allow ACE (AceType 5) granting WriteProperty (AccessMask 32) to NT AUTHORITY\SELF on the ms-TPM-OwnerInformation attribute (ObjectType) for objects of the computer class (InheritedObjectType); AceFlags 10 means it is inherit-only and container-inherit, so it applies to computer objects below the domain root rather than to the root itself:
- Accessing
- > AceFlags: 10
- > AceType: 5
- > Flags: 3
- > AccessMask: 32
- > ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
- > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
- > Trustee: NT AUTHORITY\SELF
- 1 ACE(s) found in DC=Example,DC=com related to BitLocker and TPM
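The same check as an added PowerShell example (not part of the original guide or of the Microsoft VBScripts), run on Example-DC01. It reads the domain root's security descriptor through the ActiveDirectory module's AD: drive and looks for the ACE that List-ACEs.vbs reports; the two GUIDs are the schemaIDGUIDs of the ms-TPM-OwnerInformation attribute and the computer class, the same values that appear in the output above. The function name is this example's own.

```powershell
# Added example: verify that Add-TPMSelfWriteACE.vbs created the SELF write ACE.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell) for Get-ADDomain and the AD: drive.
Import-Module ActiveDirectory

# schemaIDGUIDs referenced by the ACE (identical to the ObjectType / InheritedObjectType above).
$msTpmOwnerInformation = [guid]'aa4e1a6d-550d-4e05-8c35-4afcb917a9fe'   # ms-TPM-OwnerInformation attribute
$computerClass         = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class

function Test-TpmSelfWriteAce {
    # Hypothetical helper name; returns the matching ACE(s) or nothing.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access | Where-Object {
        $_.AccessControlType      -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.ObjectType             -eq $msTpmOwnerInformation -and
        $_.InheritedObjectType    -eq $computerClass -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
}

$ace = Test-TpmSelfWriteAce
if ($ace) {
    "SELF may write ms-TPM-OwnerInformation on computer objects under $((Get-ADDomain).DistinguishedName):"
    $ace | Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
} else {
    # Without this ACE, TPM owner information is not escrowed; BitLocker recovery passwords
    # are written by the computer's own account too, so check this before encrypting.
    Write-Warning 'SELF write ACE for ms-TPM-OwnerInformation not found. Re-run Add-TPMSelfWriteACE.vbs.'
}
```

InheritanceType in the listing should read Descendents, which is the PowerShell rendering of the inherit-only, container-inherit flags (AceFlags 10) shown by the VBScript.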
- On Example-Server01, open an elevated command prompt (Start screen, type cmd.exe, right click and run as administrator), enter the following command and press Enter to list all key protectors on the operating system drive:
- manage-bde -protectors -get C:
- In the same command prompt, enter the following command and press Enter to back up the BitLocker recovery information to Active Directory. Replace {GUID} with the ID shown under Numerical Password in the previous output, braces included. If the policies from the previous steps were in place before you turned on BitLocker, the recovery password was already escrowed during encryption and this command simply sends it again; it is the step you need when a drive was encrypted before the policy existed:
- manage-bde -protectors -adbackup C: -id {GUID}
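The protector listing and the AD backup from the two manage-bde commands above, as an added PowerShell example (not part of the original guide), run on Example-Server01 in an elevated session. It uses the BitLocker module that ships with Windows Server 2012 R2 (Get-BitLockerVolume and Backup-BitLockerKeyProtector), picks out every recovery-password protector so you do not have to copy the GUID by hand, and reports the 8-character key ID that the pre-boot recovery screen will later display. The function name is this example's own.

```powershell
# Added example: escrow every recovery-password protector on a volume to AD DS.
# Equivalent to "manage-bde -protectors -adbackup C: -id {GUID}" for each such protector.
Import-Module BitLocker

function Backup-RecoveryPasswordToAD {
    # Hypothetical helper name; returns one record per recovery-password protector.
    param([string]$MountPoint = 'C:')

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    # Only the 48-digit numerical password is escrowed in AD; the password-unlock
    # protector and the data recovery agent are deliberately not.
    $recoveryProtectors = $volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $recoveryProtectors) {
        throw "No recovery-password protector on $MountPoint. Add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector first."
    }

    foreach ($p in $recoveryProtectors) {
        # KeyProtectorId is the {GUID} that manage-bde prints under "Numerical Password";
        # the recovery screen shows only its first 8 hex characters as the key ID.
        $keyId = $p.KeyProtectorId.Trim('{}').Substring(0, 8)
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{
                MountPoint = $MountPoint; KeyProtectorId = $p.KeyProtectorId
                KeyId = $keyId; BackedUpToAD = $true; Error = $null
            }
        } catch {
            # Typical causes: not domain-joined, no writable DC reachable, or the
            # computer account lacks the SELF write ACE created in the earlier steps.
            [pscustomobject]@{
                MountPoint = $MountPoint; KeyProtectorId = $p.KeyProtectorId
                KeyId = $keyId; BackedUpToAD = $false; Error = $_.Exception.Message
            }
        }
    }
}

Backup-RecoveryPasswordToAD -MountPoint 'C:' | Format-Table -AutoSize
```

Backup-BitLockerKeyProtector refuses protectors of any other type, which is why the filter on KeyProtectorType comes first; a failed backup is reported per protector rather than aborting the loop, so a volume with more than one recovery password still gets the others escrowed.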
Task 3: Restore the BitLocker recovery key and use it to access the server
- Log on to Example-DC01 as Example.com\Administrator and open the Start screen and type cmd.exe and then press Enter.
- Enter the following commands in the command prompt window and press Enter after each line:
- cd \
- cd BitLocker_Scripts
- cscript Get-BitLockerRecoveryInfo.vbs Example-Server01
- In the result of the previous command, note down the 48-digit BitLocker recovery password beside msFVE-RecoveryPassword.
- Reboot Example-Server01. At the Enter the password to unlock this drive screen, press Esc to switch to the BitLocker recovery screen, check that the Recovery key ID shown there matches the first 8 characters of the protector GUID you backed up, enter the 48-digit recovery password to unlock the drive and boot into Windows Server 2012 R2.
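Retrieving the escrowed recovery password from Active Directory, as an added PowerShell example (not part of the original guide or of Get-BitLockerRecoveryInfo.vbs), run on Example-DC01 with the ActiveDirectory module. It reads the msFVE-RecoveryInformation child objects of a computer account, and can alternatively search the whole domain by the 8-character Recovery key ID shown on the pre-boot recovery screen, which is the usual starting point on a help desk when the caller knows the key ID but not which computer object to look under. The function name and parameters are this example's own.

```powershell
# Added example: read BitLocker recovery passwords escrowed in AD DS.
# Reading msFVE-RecoveryPassword needs delegated rights on these objects
# (Domain Admins have them by default), so run this as Example.com\Administrator.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    # Hypothetical helper name. Look up by computer name, or by the key ID
    # (first 8 hex characters of the recovery protector GUID) from the recovery screen.
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory = $true)] [string]$ComputerName,
        [Parameter(ParameterSetName = 'ByKeyId',    Mandatory = $true)] [string]$KeyId
    )

    $props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are stored one level below the computer object itself.
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties $props
    } else {
        # The object's CN is "<creation time>{<protector GUID>}", so the key ID
        # can be matched against the name without decoding the binary GUID attribute.
        $objects = Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$KeyId*'" -Properties $props
    }

    $objects | ForEach-Object {
        [pscustomobject]@{
            # Parent DN of the recovery object is the computer object it belongs to.
            Computer         = $_.DistinguishedName.Substring($_.DistinguishedName.IndexOf(',') + 1)
            Created          = $_.whenCreated
            # Both GUIDs are stored as octet strings; rebuild them as System.Guid.
            RecoveryGuid     = New-Object -TypeName Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
            VolumeGuid       = New-Object -TypeName Guid -ArgumentList (,[byte[]]$_.'msFVE-VolumeGuid')
            RecoveryPassword = $_.'msFVE-RecoveryPassword'   # the 48-digit numerical password
        }
    } | Sort-Object Created -Descending
}

# By computer (newest escrow first; a volume re-encrypted later has a newer entry):
Get-BitLockerRecoveryFromAD -ComputerName 'Example-Server01' | Format-List

# By the key ID shown on the recovery screen (hypothetical value):
# Get-BitLockerRecoveryFromAD -KeyId '1A2B3C4D' | Format-List
```

The newest object is normally the one to use, but compare its RecoveryGuid with the Recovery key ID on the screen before reading out a password: a computer that has been encrypted more than once keeps every escrowed entry under its account, and only the one whose GUID matches will unlock the current volume.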
Results: At the end of this exercise you are able to use another computer or server to retrieve the BitLocker recovery password for Example-Server01 from Active Directory and use it to unlock the BitLocker-protected drive and boot it into Windows.