Step-by-Step Guide to Backup/Restore BitLocker recovery information to/from Active Directory

In this scenario you will back up the BitLocker recovery information on Example-Server01 in Active Directory and also later retrieve the recovery key from Active Directory on another server and use it to access Example-Server01 again.

Task 1: Create a BitLocker recovery certificate template and issue a new recovery certificate

  1. Log on to Example-DC01 (Domain Controller).
  2. Open the Start screen and type Certification Authority and press Enter.
  3. In the left pane, expand Example-Example-DC01-CA and right click Certificate Templates and click Manage.
  4. On the Certificate Templates Console, right click Key Recovery Agent and click Duplicate Template.
  5. On the Properties of New Template window, select the Extensions tab, click Edit, and on the Edit Application Policies Extension dialog box click Add.
  6. Select BitLocker Drive Encryption and BitLocker Data Recovery Agent and then click OK twice.
  7. Click the General tab and type BitLocker Key Recovery as the Template display name, select Publish certificate in Active Directory and then click OK.
  8. Close both the Certificate Templates Console and Certification Authority windows.
  9. Open the Start screen and type cmd.exe and press Enter.
  10. Type the following commands and press Enter after each line to create a recovery certificate on the desktop:
    • cd desktop
    • cipher.exe /r:Recovery-Cert
  11. Open the Start screen and type Group Policy Management and press Enter.
  12. Expand the following nodes: Forest: Example.com > Domains > Example.com > Group Policy Objects. Right click Default Domain Policy and click Edit.
  13. On the Group Policy Management Editor window, expand the following nodes: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right click BitLocker Drive Encryption and click Add Data Recovery Agent.
  14. On the Welcome to the Add Recovery Agent Wizard page, click Next.
  15. On the Select Recovery Agents wizard page, click Browse Folders and click Next.
  16. Select Recovery-Cert.cer from the desktop and click Open. In the confirmation dialog box click Yes, and then click Next.
  17. On the Completing the Add Recovery Agent Wizard page, click Finish.
  18. Open the Start screen and type certmgr.msc and press Enter.
  19. In the left pane expand Certificates – Current User > Trusted Root Certification Authorities and right click Certificates and click All Tasks > Import.
  20. On the Welcome to the Certificate Import Wizard page, click Next.
  21. On the File to Import page, click Browse, select Recovery-Cert.cer from the desktop and click Open. Click Next twice and then click Finish.
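
The scriptable parts of Task 1 (steps 9-10, creating the recovery certificate with cipher.exe, and steps 18-21, importing Recovery-Cert.cer into the current user's Trusted Root store) as an added PowerShell example that is not part of the original guide; it assumes the file name Recovery-Cert and the desktop location the guide uses, and adds a check of the certificate's application policies before it is trusted.

```powershell
# Added example, not from the original guide: automates steps 9-10 and 18-21 of
# Task 1 on Example-DC01 and inspects the certificate that cipher.exe produced.
# Assumed: the certificate name Recovery-Cert and the desktop location used above.

$desktop  = Join-Path $env:USERPROFILE 'Desktop'
$certName = 'Recovery-Cert'
$cerPath  = Join-Path $desktop "$certName.cer"
$pfxPath  = Join-Path $desktop "$certName.pfx"

Set-Location $desktop

# Steps 9-10: cipher.exe writes Recovery-Cert.cer (public certificate) and
# Recovery-Cert.pfx (certificate plus private key) and prompts for a PFX password.
& cipher.exe "/r:$certName"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerPath)) {
    throw "cipher.exe did not produce $cerPath"
}

# Inspect the certificate before trusting it: subject, validity and the
# application policies (EKUs) that mark it as a BitLocker recovery agent.
$cert = Get-PfxCertificate -FilePath $cerPath
$eku  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    EKU        = ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join '; '
} | Format-List

# Steps 18-21: import the public certificate into Trusted Root for the current
# user. Windows may show a security warning asking you to confirm the new root.
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root'
if ($imported.Thumbprint -ne $cert.Thumbprint) {
    throw 'Imported certificate does not match the file on disk'
}

# Confirm it is now present in the store.
Get-ChildItem 'Cert:\CurrentUser\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter

# The .pfx holds the private key that can unlock any volume where this agent is
# configured; move it off the domain controller's desktop to an access-controlled
# location and keep only the .cer where the guide needs it.
Write-Host "Private key file to secure: $pfxPath"
```

Only the .cer is needed for the Group Policy and certificate-import steps; the .pfx is what a later recovery actually uses, so its storage and access control matter more than anything else in this task.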
