Storing BitLocker information in AD

Create a Group Policy Object to enable storing recovery information in AD

The GPO performs 2 functions:

  • Configures all the required settings to allow recovery information storage in AD:
    • Computer Configuration > Administrative Templates > System > Trusted Platform Module Services
      • Turn on TPM backup to Active Directory Domain Services (Enabled)
    • Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
      • Store BitLocker recovery information in Active Directory Domain Services (Enabled)
      • Require BitLocker backup to AD DS (Enabled)
      • Select BitLocker recovery information to store: Recovery passwords and key packages
    • Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
      • Choose how BitLocker-protected fixed drives can be recovered (Enabled)
      • Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives (Enabled)
    • Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
      • Choose how BitLocker-protected operating system drives can be recovered (Enabled)
      • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)
  • Defines a Startup Script that executes on the intended machines to store each encrypted volume's recovery information in AD:

```powershell
## Create required registry entries to backup recovery information to AD
## (the same values the GPO settings above set, applied directly in case policy has not refreshed yet)
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSActiveDirectoryBackup -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name FDVActiveDirectoryBackup -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name RDVActiveDirectoryBackup -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSRecovery -Value 1 -PropertyType DWORD -Force

## Get fixed drives (DriveType 3 = local disk) and keep their drive letters, e.g. C, D
$volumes = (Get-WmiObject -Class Win32_LogicalDisk |
  Where-Object -FilterScript {
    $_.drivetype -eq 3
  } |
  ForEach-Object -Process {
    Get-PSDrive -Name $_.deviceid[0]
}).Name

foreach ($volume in $volumes)
{
  $volume += ':'
  ## A volume may carry more than one recovery password protector; escrow each of them to the computer object in AD.
  ## Volumes that are not BitLocker-protected have no protector and are skipped silently.
  $KeyProtectorIDs = ((Get-BitLockerVolume -MountPoint $volume).KeyProtector | Where-Object -Property KeyProtectorType -EQ -Value RecoveryPassword).KeyProtectorID
  foreach ($KeyProtectorID in $KeyProtectorIDs)
  {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $KeyProtectorID -ErrorAction SilentlyContinue
  }
}
```

This GPO has a WMI filter applied so that it only applies when a machine is connected to a corporate subnet (a host route for an address in the corporate ranges exists in the routing table):

```
Select * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination Like '172.98.%' OR Destination Like '172.99.%'))
```

AD computer object BitLocker properties tab

To enable the BitLocker Recovery Password Viewer tab on the computer object's properties:

```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
```

A new tab, BitLocker Recovery, is now available on the computer object (possibly pending a server restart). It shows:

  • Recovery Password: the key to give to the user when they need it.
  • Computer name and the date the recovery information was backed up.
  • Password ID: the user must read this to you from the recovery screen (the first 8 characters are enough to identify the entry).
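The lookup that the Recovery tab performs can also be scripted for the help desk. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and read access to msFVE-RecoveryInformation objects, and relies on those objects being named "<backup timestamp>{<recovery GUID>}" so that the first 8 characters of the Password ID are enough to find the entry. It also returns the owning computer so the caller's claim can be checked before the password is read out.

```powershell
function Find-BitLockerRecoveryPassword {
    <#
      Look up a BitLocker recovery password in AD from the Password ID shown on the
      recovery screen. The msFVE-RecoveryInformation object is named
      "<backup timestamp>{<recovery GUID>}", so matching on the first 8 hex characters
      of the GUID is sufficient.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string] $PasswordId,                   # first 8 characters read by the user
        [string] $Server = $env:USERDNSDOMAIN   # domain or DC to query (assumed default)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $filter  = "Name -like '*{$PasswordId-*'"
    $objects = Get-ADObject -Filter $filter -Server $Server `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    foreach ($obj in $objects) {
        # The parent of the recovery object is the computer it belongs to;
        # split on the first comma that is not escaped with a backslash.
        $computerDn = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
        $computer   = Get-ADComputer -Identity $computerDn -Server $Server

        [PSCustomObject] @{
            ComputerName     = $computer.Name
            PasswordId       = ([guid]::new($obj.'msFVE-RecoveryGuid')).Guid.ToUpper()
            BackedUp         = $obj.whenCreated
            RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        }
    }
}

# Help-desk use: confirm the caller is the user of ComputerName before reading out the password.
Find-BitLockerRecoveryPassword -PasswordId '1A2B3C4D'   # constructed sample ID
```

If more than one entry matches (the computer was re-encrypted, or several volumes share the prefix), compare the full PasswordId returned with what the user sees on screen.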

Get a report on all BitLocker recovery information stored in AD

```powershell
function Get-WinADDomainBitlocker {
    param(
        # Domain (DNS name or DC) to query; defaults to the current user's domain
        [string] $Domain = $env:USERDNSDOMAIN,
        # Optional pre-fetched computer objects; otherwise all enabled non-server computers are queried
        $Computers
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $Properties = @(
        'Name',
        'OperatingSystem',
        'DistinguishedName'
    )

    if ($null -eq $Computers) {
        $Computers = Get-ADComputer -Filter { OperatingSystem -NotLike 'Windows*Server*' -and Enabled -eq $true } -Properties $Properties -Server $Domain
    }
    foreach ($Computer in $Computers) {
        # Recovery information is stored as msFVE-RecoveryInformation child objects of the computer object
        $Bitlockers = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties 'WhenCreated', 'msFVE-RecoveryPassword' -Server $Domain

        foreach ($Bitlocker in $Bitlockers) {
            [PSCustomObject] @{
                'Name'                        = $Computer.Name
                'Operating System'            = $Computer.'OperatingSystem'
                'Bitlocker Recovery Password' = $Bitlocker.'msFVE-RecoveryPassword'
                'Bitlocker When'              = $Bitlocker.WhenCreated
                'DistinguishedName'           = $Computer.'DistinguishedName'
            }
        }
    }
}
$MyBitlocker = Get-WinADDomainBitlocker
$MyBitlocker | Out-GridView
```
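The report above lists what is stored; the complementary check is which computers have nothing stored. This added example (not the page's own code; it assumes the RSAT ActiveDirectory module and a readable lastLogonTimestamp) lists enabled non-server computers that have been active recently but have no msFVE-RecoveryInformation object beneath them, so a client that slipped past the GPO or its WMI filter is found before someone needs its key. It deliberately returns counts and dates, not the passwords.

```powershell
function Get-BitLockerEscrowGap {
    param(
        [string] $Server = $env:USERDNSDOMAIN,   # domain or DC to query (assumed default)
        [int]    $ActiveWithinDays = 30          # ignore computer accounts not seen recently
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

    $computers = Get-ADComputer -Server $Server `
        -Filter { OperatingSystem -NotLike 'Windows*Server*' -and Enabled -eq $true } `
        -Properties OperatingSystem, lastLogonTimestamp

    foreach ($c in $computers) {
        # lastLogonTimestamp is a FILETIME, replicated but only accurate to roughly 14 days.
        # Accounts that never logged on have no value and are skipped as inactive.
        $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
        if ($lastLogon -lt $cutoff) { continue }

        # Count the recovery objects directly beneath the computer; the passwords themselves are not read
        $escrowed = Get-ADObject -Server $Server -SearchBase $c.DistinguishedName -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated
        $count  = @($escrowed).Count
        $latest = ($escrowed | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated

        [PSCustomObject] @{
            Name         = $c.Name
            OS           = $c.OperatingSystem
            LastLogon    = $lastLogon
            KeysInAD     = $count
            LatestBackup = $latest
            Status       = if ($count -eq 0) { 'MISSING' } else { 'OK' }
        }
    }
}

# Computers that need attention: recently active, but nothing escrowed
Get-BitLockerEscrowGap | Where-Object Status -eq 'MISSING' | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```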

Optional: Use the startup script to enable BitLocker on all unencrypted volumes

```powershell
## Initialize TPM (takes ownership if needed; harmless if already initialized)
Initialize-Tpm

## Get fixed drives (DriveType 3 = local disk) and keep their drive letters, e.g. C, D
$volumes = (Get-WmiObject -Class Win32_LogicalDisk |
  Where-Object -FilterScript {
    $_.drivetype -eq 3
  } |
  ForEach-Object -Process {
    Get-PSDrive -Name $_.deviceid[0]
}).Name

## Create required registry entries to backup recovery information to AD
## (done once, before any volume is encrypted, so the escrow below is not blocked by policy)
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSActiveDirectoryBackup -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSRecovery -Value 1 -PropertyType DWORD -Force

foreach ($volume in $volumes)
{
  $volume += ':'

  ## Only touch volumes that are not encrypted yet; Enable-BitLocker fails on an already protected volume
  if ((Get-BitLockerVolume -MountPoint $volume).VolumeStatus -ne 'FullyDecrypted') { continue }

  ## Enable encryption with a recovery password protector (this is the protector that gets escrowed to AD)
  Enable-BitLocker -MountPoint $volume -SkipHardwareTest -UsedSpaceOnly -RecoveryPasswordProtector

  if ($volume -eq $env:SystemDrive)
  {
    ## OS drive: add a TPM protector so the machine boots without prompting for the recovery password
    Add-BitLockerKeyProtector -MountPoint $volume -TpmProtector
  }
  else
  {
    ## Data drives: unlock automatically once the OS drive has been unlocked
    Enable-BitLockerAutoUnlock -MountPoint $volume
  }

  ## Escrow every recovery password protector on the volume to the computer object in AD
  $KeyProtectorIDs = ((Get-BitLockerVolume -MountPoint $volume).KeyProtector | Where-Object -Property KeyProtectorType -EQ -Value RecoveryPassword).KeyProtectorID
  foreach ($KeyProtectorID in $KeyProtectorIDs)
  {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $KeyProtectorID
  }
}
```