Backing Up Bitlocker and TPM Recovery Information into Active Directory

The use of BitLocker Drive Encryption in an enterprise has always been tempting for security engineers, because it adds another layer of security to the network by encrypting the data stored on the disk. Even when the PC is hibernated, the hibernation data is encrypted and safe as well; this is what makes it so tempting…

On the other hand, what makes administrators avoid using it on their enterprise networks is the fear of a less careful employee losing both the password and the recovery key, and then not being able to read a single bit of data from a fully encrypted hard disk…

Today I want to show you, as simply as I can, how to store BitLocker and, of course, TPM recovery information in Active Directory, even if you do not have deep knowledge of Active Directory, so stay with me…

What is TPM?

TPM, or Trusted Platform Module, is a microchip built into your PC to keep cryptographic information. BitLocker's information is one of the kinds of information a TPM keeps. To keep the cryptographic information on your TPM safe, you need to create a TPM PIN. For BitLocker to use the TPM to store its information, the TPM version must be 1.2 or higher; otherwise BitLocker can use flash memory to store its information…

Now what if you forget your TPM PIN, or your BitLocker recovery password or key? They must be stored somewhere so that we can retrieve and use them whenever we need them, right? What better place than Active Directory?

Step One: (Extend your Active Directory Schema)

Keep in mind these points:

  • If you have Windows Server 2008 Beta 3 (which of course you do not have now) or later, you do not need to extend your AD schema, as it is already extended.
  • If you have Windows Server 2003 SP1, or Windows Server 2008 Beta 2 or earlier, you have to extend your AD schema.
  • If you have Windows Server 2003 without Service Pack 1 installed, you cannot extend your schema.

You can check the version of your Windows Server by right clicking on the Computer icon and clicking on Properties.

Now, if you need to extend your AD schema, here is the easy step. Download this file here. Unzip it and you will find a script in it called BitLockerTPMSchemaExtension.ldf

In your forest, you should log on to the domain controller that holds the schema master role, and of course your user account must be a member of the Schema Admins group.

Now it is time to run a command to make use of the LDF script above:

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .

The "-c" option replaces every occurrence of the placeholder "DC=X" in the LDF file with the distinguished name that follows it, so put your own domain's DN in place of "DC=nttest,dc=microsoft,dc=com". The "-k" option will ignore "Object Already Exists" errors, and the "-j" option will create a log file for the process in the directory given after it (here ".", the current working directory).

To check whether extending the AD schema has been successful, click Start, click Run, type adsiedit.msc and press Enter to see the following window:

Open the Schema container and look for the following objects, which must have been created there:

  • CN=ms-FVE-KeyPackage – attributeSchema object
  • CN=ms-FVE-RecoveryGuid – attributeSchema object
  • CN=ms-FVE-RecoveryInformation – classSchema object
  • CN=ms-FVE-RecoveryPassword – attributeSchema object
  • CN=ms-FVE-VolumeGuid – attributeSchema object
  • CN=ms-TPM-OwnerInformation – attributeSchema object

If they are there, as in the picture above, you are done with the Active Directory extension; let's proceed to the next step…

Step Two:

Now you need to add the permission so that TPM recovery information can be backed up. In the same zipped file there is another script, named Add-TPMSelfWriteACE.vbs

Run this script using this command:

Cscript Add-TPMSelfWriteACE.vbs

Your Domain Administrator account must be a member of the domain that you are running this command in.

And then you are done…

Step Three:

Finally, we need to configure the Group Policy settings so that both the TPM and BitLocker recovery information will be stored in Active Directory:

To store BitLocker recovery information in AD:

Open Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption, then click on Turn on BitLocker backup to Active Directory and enable it.

To turn on TPM recovery information backup to AD:

Open Group Policy -> Computer Configuration -> Administrative Templates -> System -> Trusted Platform Module Services, then click on Turn on TPM backup to Active Directory and enable it.

That was all you needed to do…
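As an added check (my own PowerShell, not a script from the original post or from the downloadable zip), the following verifies Step One and Step Three from a domain-joined machine and then counts the recovery objects AD already holds for one computer, without ever reading the recovery password. It assumes the policy registry paths HKLM\SOFTWARE\Policies\Microsoft\FVE and ...\TPM, and that your account can read the schema and the target computer object.

```powershell
# Added example (not from the original post). Run on a domain-joined Windows
# machine as an account that can read the schema and the target computer.
# Checks Step One (schema) and Step Three (client policy), then counts the
# recovery objects AD holds for one computer without reading the password.
param([string]$ComputerName = $env:COMPUTERNAME)

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

# Step One: the six schema objects the ldifde import must have created.
$expected = [ordered]@{
    'ms-FVE-KeyPackage'          = 'attributeSchema'
    'ms-FVE-RecoveryGuid'        = 'attributeSchema'
    'ms-FVE-RecoveryInformation' = 'classSchema'
    'ms-FVE-RecoveryPassword'    = 'attributeSchema'
    'ms-FVE-VolumeGuid'          = 'attributeSchema'
    'ms-TPM-OwnerInformation'    = 'attributeSchema'
}
foreach ($cn in $expected.Keys) {
    $path = "LDAP://CN=$cn,$schemaNC"
    if (-not [ADSI]::Exists($path)) { "{0,-28} MISSING (schema not extended)" -f $cn; continue }
    $ok = ([ADSI]$path).objectClass -contains $expected[$cn]
    "{0,-28} {1}" -f $cn, $(if ($ok) { 'present' } else { 'WRONG objectClass' })
}

# Step Three: the value both GPO settings write on a client. Registry paths are
# assumed from the BitLocker/TPM policy templates; verify against your ADMX.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\FVE', 'HKLM:\SOFTWARE\Policies\Microsoft\TPM') {
    $v = (Get-ItemProperty -Path $key -Name ActiveDirectoryBackup -ErrorAction SilentlyContinue).ActiveDirectoryBackup
    "{0,-40} ActiveDirectoryBackup = {1}" -f $key, $(if ($null -eq $v) { 'not set' } else { $v })
}

# Recovery objects live under the computer account; the class's LDAP display
# name is msFVE-RecoveryInformation. Only 'cn' is loaded, never the password.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
$searcher.Filter = "(&(objectClass=computer)(cn=$ComputerName))"
$comp = $searcher.FindOne()
if ($null -eq $comp) { "Computer $ComputerName not found in $domainNC"; return }
$searcher.SearchRoot = $comp.GetDirectoryEntry()
$searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
[void]$searcher.PropertiesToLoad.Add('cn')
"$ComputerName has $($searcher.FindAll().Count) BitLocker recovery object(s) in AD"
```

A count of zero for a machine that has been encrypted since the policy was applied is the signal to look at the policy and the ACE before trusting the backup.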

Do you want to learn more about BitLocker and recovery in different scenarios? Check out my new book below, with practical tutorials and step-by-step guides all in one book:



Thanks for being with me and taking the time to read this.