Step-by-Step Guide to Backup/Restore BitLocker recovery information to/from Active Directory

In this scenario you will back up the BitLocker recovery information on Example-Server01 in Active Directory and also later retrieve the recovery key from Active Directory on another server and use it to access Example-Server01 again.

Task 1: Create a BitLocker recovery certificate template and issue a new recovery certificate

  1. Log on to Example-DC01 (Domain Controller).
  2. Open the Start screen and type Certification Authority and press Enter.
  3. In the left pane, expand Example-Example-DC01-CA and right click Certificate Templates and click Manage.
  4. On the Certificate Templates Console, right click Key Recovery Agent and click Duplicate Template.
  5. On the Properties of New Template window, select the Extensions tab, click Edit, and on the Edit Application Policies Extension dialog box click Add.
  6. Select BitLocker Drive Encryption and BitLocker Data Recovery Agent and then click OK twice.
  7. Click the General tab and type BitLocker Key Recovery as the Template display name, select Publish certificate in Active Directory and then click OK.
  8. Close both the Certificate Templates Console and Certification Authority windows.
  9. Open the Start screen and type cmd.exe and press Enter.
  10. Type the following commands and press Enter after each line to create a recovery certificate on the desktop:
    • cd desktop
    • cipher.exe /r:Recovery-Cert
  11. Open the Start screen and type Group Policy Management and press Enter.
  12. Expand the following nodes Forest: Example.com > Domains > Example.com > Group Policy Objects and right click Default Domain Policy and click Edit.
  13. On the Group Policy Management Editor window, expand the following nodes Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and right click BitLocker Drive Encryption and click Add Data Recovery Agent.
  14. On the Welcome to the Add Recovery Agent Wizard page, click Next.
  15. On the Select Recovery Agents wizard page, click Browse Folders and click Next.
  16. Select Recovery-Cert.cer from the desktop and click Open and in the confirmation dialog box click Yes and then click Next.
  17. On the Completing the Add Recovery Agent Wizard page, click Finish.
  18. Open the Start screen and type certmgr.msc and press Enter.
  19. In the left pane expand Certificates – Current User > Trusted Root Certification Authorities and right click Certificates and click All Tasks > Import.
  20. On the Welcome to the Certificate Import Wizard page, click Next.
  21. On the File to Import page, click Browse, select Recovery-Cert.cer from the desktop and click Open and then click Next twice and then Finish.

Task 2: Configure policies and commands to allow BitLocker recovery information to be backed up in Active Directory

  1. Log on to Example-DC01 as Example.com\Administrator and open the Start screen and type cmd.exe and press Enter.
  2. Download these VBScripts from here and put them in the BitLocker_Scripts folder on C: Drive.
  3. In the command prompt window, type the following commands and press Enter after each line:
    • Cd\
    • Cd BitLocker_Scripts
    • Cscript Add-TPMSelfWriteACE.vbs
  4. Log on to Example-Server01.
  5. Open the Start screen and type gpedit.msc and then press Enter.
  6. On the Local Group Policy Editor window, expand the following nodes in the left pane: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and then double click Choose how BitLocker-protected operating system drives can be recovered.
  7. On the new window, click Enabled and ensure the following items are selected and then click OK:
    • Allow data recovery agent
    • Save BitLocker recovery information to AD DS for operating system drives
    • Store recovery password and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
  8. Expand the following nodes in the left pane: Computer Configuration > Administrative Templates > System > Trusted Platform Module Services and then double click Turn on TPM backup to Active Directory Domain Services.
  9. On the new window, click Enabled and then click OK.
  10. Go to Control Panel > System and Security > BitLocker Drive Encryption and beside drive C click Turn on BitLocker.
  11. On the Choose how you want to unlock this drive page, click Use a password to unlock the drive and type P@ssw0rdBL in both password fields.
  12. On the How do you want to back up your recovery key? page, click Save to a file and select \\Example-DC01\C$ as the location and click Save and then click Next.
  13. On the Are you ready to encrypt this drive? page, click Start encrypting to begin the BitLocker encryption process.
  14. On the existing command prompt window enter the following command and then press Enter:
    • Cscript List-ACEs.vbs
  15. Make sure you can see results like the following:
    • Accessing
    • > AceFlags: 10
    • > AceType: 5
    • > Flags: 3
    • > AccessMask: 32
    • > ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
    • > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
    • > Trustee: NT AUTHORITY\SELF
    • 1 ACE(s) found in DC=Example,DC=com related to BitLocker and TPM
  16. On the existing command prompt window, enter the following command and then press Enter to see all available key protectors on the server:
    • manage-bde -protectors -get C:
  17. On the existing command prompt window, enter the following command and then press Enter to back up the BitLocker recovery information to Active Directory. Replace {GUID} with the ID shown below Numerical Password in the previous command's output:
    • manage-bde -protectors -adbackup C: -id {GUID}

Task 3: Restore the BitLocker recovery key and use it to access the server

  1. Log on to Example-DC01 as Example.com\Administrator and open the Start screen and type cmd.exe and then press Enter.
  2. Enter the following commands in the command prompt window and press Enter after each line:
    • Cd\
    • Cd BitLocker_Scripts
    • Cscript Get-BitLockerRecoveryInfo.vbs Example-Server01
  3. In the result of the previous command, note down the 48-digit BitLocker recovery password beside msFVE-RecoveryPassword.
  4. Reboot Example-Server01 and once prompted with the Enter the password to unlock this drive screen, enter the 48-digit recovery password to unlock the drive and boot into Windows Server 2012 R2.
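The two command-line steps above (the manage-bde backup in Task 2 and the Get-BitLockerRecoveryInfo.vbs lookup in Task 3) can also be done from PowerShell. This is an added example, not one of the scripts linked from this post; it assumes the BitLocker module is present on Example-Server01, the RSAT ActiveDirectory module is present on Example-DC01, and the function names are my own.

```powershell
# Added example (not one of the page's VBScripts). Assumes the BitLocker module on the
# server and the RSAT ActiveDirectory module on the domain controller.

# Equivalent of "manage-bde -protectors -adbackup C: -id {GUID}" (Task 2, step 17),
# run on Example-Server01: back up every numerical-password protector of the drive
# as an msFVE-RecoveryInformation child object under the computer account.
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = 'C:')
    Import-Module BitLocker -ErrorAction Stop
    $volume     = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $protectors) {
        throw "No numerical password protector on $MountPoint; BitLocker must be on first."
    }
    foreach ($p in $protectors) {
        # Fails if the AD DS backup policy (Task 2, step 7) or the self-write ACE is missing.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Backed up protector $($p.KeyProtectorId) to AD DS"
    }
}

# Equivalent of "cscript Get-BitLockerRecoveryInfo.vbs Example-Server01" (Task 3, step 2),
# run on Example-DC01: list the recovery passwords stored under the computer object.
function Get-AdBitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                # Same ID that "manage-bde -protectors -get C:" shows under Numerical Password
                RecoveryGuid     = [System.Guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                Created          = $_.whenCreated
                # The 48-digit password typed at the recovery screen (Task 3, step 4)
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        } | Sort-Object Created -Descending
}

# Usage (on Example-Server01):  Backup-RecoveryPasswordToAD -MountPoint 'C:'
# Usage (on Example-DC01):      Get-AdBitLockerRecoveryInfo -ComputerName 'Example-Server01'
```

Reading msFVE-RecoveryInformation objects requires the rights the directory grants to Domain Admins by default, so the lookup is the step to audit and delegate deliberately.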

Results: As explained in the steps above, at the end of this exercise you are able to use another computer/server to retrieve the BitLocker recovery password for Example-Server01 from Active Directory and use it to unlock the BitLocker-protected drive and boot it into Windows.

If you are interested in security and you want more of these detailed step-by-step guides, you could have a look at my recently published ebook by clicking on the book cover below:
