Step-by-Step Guide to Backup/Restore BitLocker recovery information to/from Active Directory

In this scenario you will back up the BitLocker recovery information on Example-Server01 in Active Directory and also later retrieve the recovery key from Active Directory on another server and use it to access Example-Server01 again.

Task 1: Create a BitLocker recovery certificate template and issue a new recovery certificate

  1. Log on to Example-DC01 (Domain Controller).
  2. Open the Start screen and type Certification Authority and press Enter.
  3. In the left pane, expand Example-Example-DC01-CA and right click Certificate Templates and click Manage.
  4. On the Certificate Templates Console, right click Key Recovery Agent and click Duplicate Template.
  5. On the Properties of New Template window, select the Extensions tab, click Edit and on the Edit Application Policies Extension dialog box then click Add.
  6. Select BitLocker Drive Encryption and BitLocker Data Recovery Agent and then click OK twice.
  7. Click the General tab and type BitLocker Key Recovery as the Template display name, select Publish certificate in Active Directory and then click OK.
  8. Close both the Certificate Templates Console and Certification Authority windows.
  9. Open the Start screen and type cmd.exe and press Enter.
  10. Type the following commands and press Enter after each line to create a recovery certificate on the desktop:
    • cd desktop
    • cipher.exe /r:Recovery-Cert
  11. Open the Start screen and type Group Policy Management and press Enter.
  12. Expand the following nodes Forest: > Domains > > Group Policy Objects and right click Default Domain Policy and click Edit.
  13. On the Group Policy Management Editor window, expand the following nodes Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and right click BitLocker Drive Encryption and click Add Data Recovery Agent.
  14. On the Welcome to the Add Recovery Agent Wizard page, click Next.
  15. On the Select Recovery Agents wizard page, click Browse Folders and click Next.
  16. Select Recovery-Cert.cer from the desktop and click Open and in the confirmation dialog box click Yes and then click Next.
  17. On the Completing the Add Recovery Agent Wizard page, click Finish.
  18. Open the Start screen and type certmgr.msc and press Enter.
  19. In the left pane expand Certificates – Current User > Trusted Root Certification Authorities and right click Certificates and click All Tasks > Import.
  20. On the Welcome to the Certificate Import Wizard page, click Next.
  21. On the File to Import page, click Browse, select Recovery-Cert.cer from the desktop and click Open and then click Next twice and then Finish.

Continue reading

Step-By-Step Guide to Implement and Configure BitLocker Drive Encryption on Windows Server 2012 R2

In the first part of this guide you will learn how to install the BitLocker Drive Encryption feature on a Windows Server 2012 R2.

  1. Log on to Example-Server01.
  2. On the Start screen click Server Manager.
  3. On the Server Manager window, click Manage on the top right and from the menu select Add Roles and Features.
  4. On the Before you begin page, click Next.
  5. On the Select installation type page, select Role-based or feature-based installation and click Next.
  6. On the Select destination server page, select Select a server from the server pool and then select from the Server pool in the middle table and click Next.
  7. On the Select server roles page, click Next.
  8. On the Select features page, select BitLocker Drive Encryption from the list and in the new dialog box select Include management tools (if applicable) and click Add Features.
  9. On the WDS page, click Next.
  10. On the Select role services page, click Deployment Server and Transport Server and click Next.
  11. On the Confirm installation selections, Click Install.
  12. Once the installation finished successfully, click Close.

Continue reading

Backing Up Bitlocker and TPM Recovery Information into Active Directory

The use of Bitlocker Drive Encryption in an enterprise has always been tempting for security engineers because of the fact that it can add another layer of security to the network by encrypting the data stored on the disk. Even when the PC is hibernated, the hibernation data is also encrypted and safe; so this is what makes it so tempting…

And on the other hand, what makes administrators avoid using it in their enterprise networks is the fear of those less careful employees losing their passwords and recovery keys with a hard disk fully encrypted not being able to read a single bit of data from it…

Today I want to pretty simply show you how to store Bitlocker and of course TPM Recovery information into Active Directory even if you do not have a great knowledge of Active Directory, so stay with me…

What is TPM?

TPM or Trusted Platform Module is a microchip built into your PC to keep cryptographic information. Bitlocker information is also one of that kind of information that a TPM will keep. In order to keep the cryptographic information safe on your TPM, you need to create a TPM PIN. In order for Bitlocker to use TPM for storing its information on, the TPM version must be 1.2 or higher, otherwise Bitlocker could use a Flash Memory to store its information…

Now what if you forget both your TPM PIN or Bitlocker Recovery Password or key? They must be stored somewhere to be able to retrieve and use them whenever we want. right? What’s a better place than Active Directory?

Step One: (Extend your Active Directory Schema)

Keep in mind these points:

  • If you have Windows Server 2008 Beta 3 (Which of course you do not have it now) or later, you do not need to extend your AD schema as it is already extended.
  • If you have Windows Server 2003 SP1 or Windows Server 2008 Beta 2 or earlier, you have to extend your AD schema.
  • If you have Windows Server 2003 without Service Pack 1 installed, you cannot extend your schema.

You can check the version of your Windows Server by right clicking on the Computer icon and clicking on Properties.

Now if you need to extend your AD schema, here is the easy step. download this file here. unzip the file and there is a script in it called: BitLockerTPMSchemaExtension.ldf

In your forest, you should log into the domain controller which is your schema master role holder and of course your user must be a member of the Schema Admins group.

Now it is time to run a command to make use of the LDF script above:

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c “DC=X” “DC=nttest,dc=microsoft,dc=com” -k -j .

“-k” option will ignore “Object Already Exists” errors and “-j” option will create a log file for the process in the same working directory.

In order to check to see whether extending AD Schema has been successful, in the click on Run and type in adsiedit.msc and then press Enter to see the following windows:

Open the schema container and then look for the following objects that must have been created there:

  • CN= ms-FVE-KeyPackage – attributeSchema object
  • CN=ms-FVE-RecoveryGuid – attributeSchema object
  • CN=ms-FVE-RecoveryInformation – classSchema object
  • CN=ms-FVE-RecoveryPassword – attributeSchema object
  • CN=ms-FVE-VolumeGuid – attributeSchema object
  • CN=ms-TPM-OwnerInformation – attributeSchema object

If they are there like the picture above, you are done with the Active Directory extension and let’s proceed to the next step…

Step Two:

Now you need to add the permission so that we are able to back up TMP recovery information. In the same zipped file, there is another script named as: Add-TPMSelfWriteACE.vbs

Run this script using this command:

Cscript Add-TPMSelfWriteACE.vbs

Your Domain Administrator account must be a member of the domain that you are running this command in.

and then done…

Step Three:

Then at the end we need to configure the group policy settings so that both the TPM and Bitlocker recovery information will be stored in Active Directory:

In order to store Bitlocker recovery information into AD:

Open up Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption and then click on Turn on Bitlocker backup to Active Directory and then enable it

In order to turn on TPM recovery information backup into AD:

Open up Group Policy -> Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services and then click on Turn on TPM backup to Active Directory and then enable it

This was all you needed to do…

You want to learn more specifically about BitLocker and recovery in different scenarios? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:


Thanks for being with me and taking your time to read this