
Enable Bitlocker Encryption, store Recovery Key in Active Directory

Bitlocker TPM Windows Active Directory GPO

Enable TPM on VM

I’m using VMware Workstation 16 Pro as the hypervisor; here are the steps to enable a TPM for a VM.

  • Open the VM settings
  • Go to Options / Access Control, open the Encrypt panel and define a password (a TPM can only be added to an encrypted VM)
  • Add TPM to VM

Check TPM

Start the VM and check if TPM is available:

Open Run Prompt: win + r
Run: tpm.msc

Or use the following PowerShell command:

# Check if TPM is available
Get-TPM 

# Shell Output:
TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : False
ManufacturerId            : 1447909120
ManufacturerIdTxt         : VMW 
ManufacturerVersion       : 2.101.0.1
ManufacturerVersionFull20 : 2.101.0.1
ManagedAuthLevel          : Full
OwnerAuth                 : 6Pk1jQE0RDJ+LefE/mzh7XB6/UY= 
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 10 minutes
LockoutCount              : 0
LockoutMax                : 31
SelfTest                  : {}


# List TPM details
Get-WmiObject -Namespace "Root\CIMv2\Security\MicrosoftTpm" -Class Win32_Tpm

# Shell Output:
__GENUS                     : 2
__CLASS                     : Win32_Tpm
__SUPERCLASS                : 
__DYNASTY                   : Win32_Tpm
__RELPATH                   : Win32_Tpm=@
__PROPERTY_COUNT            : 10
__DERIVATION                : {}
__SERVER                    : JKW-W10-02
__NAMESPACE                 : Root\CIMv2\Security\MicrosoftTpm
__PATH                      : \\JKW-W10-02\Root\CIMv2\Security\MicrosoftTpm:Win32_Tpm=@
IsActivated_InitialValue    : True
IsEnabled_InitialValue      : True
IsOwned_InitialValue        : True
ManufacturerId              : 1447909120
ManufacturerIdTxt           : VMW
ManufacturerVersion         : 2.101.0.1
ManufacturerVersionFull20   : 2.101.0.1
ManufacturerVersionInfo     : VMware TPM2     
PhysicalPresenceVersionInfo : 1.3
SpecVersion                 : 2.0, 0, 1.16
PSComputerName              : JKW-W10-02

Windows Server

Add Roles and Features

Add the following feature: Bitlocker Drive Encryption Administration Utility

Or install it with PowerShell:

# Install the BitLocker management tools on Windows Server
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

Active Directory Requirements to Use BitLocker

# Verify that the AD schema contains the ms-FVE-* attributes/classes required to store BitLocker recovery keys in Active Directory
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'} | Format-List

# Shell Output:
DistinguishedName : CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-KeyPackage
ObjectClass       : attributeSchema
ObjectGUID        : 7a92eb24-60cf-4f95-a866-258a168b0838

DistinguishedName : CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryGuid
ObjectClass       : attributeSchema
ObjectGUID        : b2d19580-61fc-4eb6-80f9-bd61fa396371

DistinguishedName : CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryInformation
ObjectClass       : classSchema
ObjectGUID        : 00746808-a932-4464-89c8-0842ea6b61f0

DistinguishedName : CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-RecoveryPassword
ObjectClass       : attributeSchema
ObjectGUID        : bba33f00-4cb4-4f19-b00f-ec54e5f360b8

DistinguishedName : CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=jklug,DC=work
Name              : ms-FVE-VolumeGuid
ObjectClass       : attributeSchema
ObjectGUID        : 9f89a9ec-6290-471a-81c4-bd42f35453dd

Active Directory & GPO

Open Active Directory Users and Computers and create a new Organizational Unit for the BitLocker devices; in my case the OU is simply called “Bitlocker-Devices”.

Open Group Policy Management and create a new Group Policy Object for the BitLocker settings; in my case it’s called “Bitlocker”.

Right click the Organizational Unit and link the GPO to the unit:

GPO Settings

Edit the GPO as follows:

# Expand the GPO sections:
Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption:

# Enable this policy and configure it as follows:
Store BitLocker Recovery information in Active Directory Domain Services

Require BitLocker backup to AD DS: Enable

Select BitLocker recovery information to store: Recovery passwords and key packages

Depending on the drives you want to encrypt, select one of the sections that are present under: BitLocker Drive Encryption

  • Fixed Data Drives
  • Operating System Drives
  • Removable Data Drives

Fixed Data Drives

Configure use of password for fixed data drives

Configure use of password for fixed data drives: Enabled

Minimum password length for fixed data drive: 12

Choose how Bitlocker-protected fixed data drives can be recovered

Choose how Bitlocker-protected fixed data drives can be recovered: Enabled

Allow data recovery agent: Checked

Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key

Omit recovery options from the BitLocker setup wizard: Checked

Save BitLocker recovery information to AD DS for removable data drives: Checked

Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages

Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: Checked

Operating System Drives

Require additional authentication at startup

Require additional authentication at startup: Enabled

# Settings for computers with a TPM
Configure TPM startup: Allow TPM

Configure TPM startup PIN: Allow startup PIN with TPM

Configure TPM startup key: Allow startup key with TPM

Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Configure minimum PIN length for startup

Configure minimum PIN length for startup: Enabled

Minimum characters: 6

Choose how BitLocker-protected operating system drives can be recovered

Choose how BitLocker-protected operating system drives can be recovered: Enabled

Allow data recovery agent: Checked

Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key

Omit recovery options from the BitLocker setup wizard: Checked

Save BitLocker recovery information to AD DS for operating system drives: Checked

Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Checked

Removable Data Drives

Control use of BitLocker on removable drives

Control use of BitLocker on removable drives: Enabled

Allow users to apply BitLocker protection on removable data drives: Checked

Choose how BitLocker-protected removable drives can be recovered

Choose how BitLocker-protected removable drives can be recovered: Enabled

Allow data recovery agent: Checked

Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key

Omit recovery options from the BitLocker setup wizard: Checked

Save BitLocker recovery information to AD DS for removable data drives: Checked

Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages

Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: Checked

Enforce the Policy

Right click on the GPO and click “Enforced”.

Client

Check whether the Group Policy already applies to the VM; run PowerShell as Administrator:

# List policy for computer 
gpresult /r /scope computer

# Shell Output
RSOP data for  on JKW-W10-01 : Logging Mode
--------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.19044
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=JKW-W10-01,OU=Bitlocker-Devices,DC=jklug,DC=work
    Last time Group Policy was applied: 7/25/2023 at 4:14:01 PM
    Group Policy was applied from:      WindowsServer2022-primary.jklug.work
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        JKLUG
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Bitlocker # Your GPO should be listed here
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Richtlinien der lokalen Gruppe
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Administratoren
        Jeder
        Benutzer
        NETZWERK
        Authentifizierte Benutzer
        Diese Organisation
        JKW-W10-01$
        Domain Computers
        Von der Authentifizierungsstelle bestätigte ID
        Systemverbindlichkeitsstufe

If not, reboot the VM or update the policy:

# Update GPO:
gpupdate /force

Enable Bitlocker

https://learn.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=windowsserver2022-ps

Note: The Enable-BitLocker cmdlet lets you specify only one combination from the key protectors. Use the Add-BitLockerKeyProtector cmdlet to add more key protectors later on.

RecoveryPasswordProtector

The TPM automatically unlocks the drive during system startup. A random 48-digit recovery password is generated automatically and, with the GPO above applied, escrowed to Active Directory.

# Encrypt Drive:
Enable-Bitlocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector

# Shell Output:
WARNING: ACTIONS REQUIRED:

1. Save this numerical recovery password in a secure location away from your computer:

279653-693902-360833-167409-711271-507925-273581-126060

To prevent data loss, save this password immediately. This password helps ensure that you can unlock the encrypted volume.


   ComputerName: JKW-W10-01

VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protec
                Point                                   Percentage                           Enabled    tionSt
                                                                                                        atus  
----------      ----- ---------- ------------           ---------- ------------              ---------- ------
OperatingSystem C:         59.38 EncryptionInProgress   65         {Tpm, RecoveryPassword}              Off   

# Follow Encryption Progress
Get-BitLockerVolume -MountPoint "C:" | Format-List

# Shell Output:
ComputerName         : JKW-W10-01
MountPoint           : C:
EncryptionMethod     : XtsAes128
AutoUnlockEnabled    : 
AutoUnlockKeyStored  : False
MetadataVersion      : 2
VolumeStatus         : EncryptionInProgress
ProtectionStatus     : Off
LockStatus           : Unlocked
EncryptionPercentage : 92 # Wait till it's completed
WipePercentage       : 0
VolumeType           : OperatingSystem
CapacityGB           : 59.38076
KeyProtector         : {Tpm, RecoveryPassword}

Add Bitlocker KeyProtector

To add another KeyProtector proceed as follows:

# Add a PIN KeyProtector
$SecureString = ConvertTo-SecureString "654321" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector

List Recovery Key in AD

Open Active Directory Users and Computers, open the Organizational Unit “Bitlocker-Devices” and open the properties of your client:

Or use PowerShell:

# Define Computer Name
$ComputerName = "JKW-W10-01"
# List Bitlocker Recovery Key
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer $ComputerName).DistinguishedName -Property msFVE-RecoveryPassword | Format-Table msFVE-RecoveryPassword

# Shell Output:
279653-693902-360833-167409-711271-507925-273581-126060
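Beyond looking up a single computer, an administrator usually wants to know which machines in the OU have no recovery password escrowed at all. The following script is an added example, not part of the original post: it walks the “Bitlocker-Devices” OU used above, counts the msFVE-RecoveryInformation objects under each computer and flags those without one. It deliberately reads only metadata (never msFVE-RecoveryPassword), so it can be run from a low-privilege audit account; the OU distinguished name is taken from this post and must be adjusted for your domain.

```powershell
# Added example (not from the original post): audit which computers in the
# Bitlocker-Devices OU have a BitLocker recovery password escrowed in AD DS.
# Assumes the ActiveDirectory module and the OU path used in this post.
Import-Module ActiveDirectory

$SearchBase = "OU=Bitlocker-Devices,DC=jklug,DC=work"   # OU from this post; adjust to your domain

$Report = foreach ($Computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    # msFVE-RecoveryInformation objects are direct children of the computer object,
    # so -SearchScope OneLevel is enough and avoids matching anything deeper.
    # Only metadata is requested; the recovery password itself is never read here.
    $Keys = Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties whenCreated, 'msFVE-RecoveryGuid'

    $Latest = $Keys | Sort-Object whenCreated -Descending | Select-Object -First 1

    [PSCustomObject]@{
        ComputerName   = $Computer.Name
        RecoveryKeys   = @($Keys).Count
        LatestEscrowed = $Latest.whenCreated
        Status         = if ($Keys) { 'OK' } else { 'MISSING - run manage-bde -protectors -adbackup on the client' }
    }
}

$Report | Sort-Object Status, ComputerName | Format-Table -AutoSize

# Only the computers that need attention
$Report | Where-Object Status -ne 'OK'
```

A computer that shows up as MISSING was either encrypted while the domain controller was unreachable or before the GPO applied; the manual backup step later in this post fixes it.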

List Recovery Key on Client

# List Bitlocker KeyProtector Password
manage-bde -protectors -get c:

# Shell Output:
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.

Volume "C:" []
Alle Schluesselschutzvorrichtungen

    Numerisches Kennwort:
      ID: {7760E06A-8CAE-476D-B776-2B18793A69E0} # Numerical Password ID
      Kennwort:
        605869-464398-324753-556105-437536-027181-309430-570614

    TPM und PIN:
      ID: {56E6792D-EE6C-4349-8D2F-C97DBB195150}
      PCR-Validierungsprofil:
        0, 2, 4, 11

Manually save Recovery Key to AD

If the Domain Controller was not reachable during the creation of the recovery password, you can manually save it to Active Directory.

# Save Recovery Key to Active Directory: use the Numerical Password ID from the output above
manage-bde -protectors -adbackup c: -id {7760E06A-8CAE-476D-B776-2B18793A69E0}

# Shell Output
Recovery information was successfully backed up to Active Directory.
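The manage-bde call above backs up one protector of one volume. As an added example (not from the original post) the script below does the same for every RecoveryPassword protector on every BitLocker volume of the client, using the BitLocker module’s Backup-BitLockerKeyProtector cmdlet, and reports per protector whether the escrow succeeded. It assumes an elevated PowerShell session on a domain-joined client where the GPO from this post applies.

```powershell
# Added example (not from the original post): on the client, escrow every
# RecoveryPassword protector of every BitLocker volume to AD DS and report
# the result. Uses only BitLocker module cmdlets; run as Administrator.
$Results = foreach ($Volume in Get-BitLockerVolume) {
    # Only numerical (48-digit) recovery passwords can be escrowed this way;
    # TPM, TpmPin and similar protectors are skipped.
    $RecoveryProtectors = $Volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $RecoveryProtectors) {
        [PSCustomObject]@{
            MountPoint     = $Volume.MountPoint
            KeyProtectorId = $null
            Result         = 'No RecoveryPassword protector - nothing to escrow'
        }
        continue
    }

    foreach ($Protector in $RecoveryProtectors) {
        try {
            # Backup-BitLockerKeyProtector is the cmdlet equivalent of
            # "manage-bde -protectors -adbackup <drive> -id <protector id>".
            Backup-BitLockerKeyProtector -MountPoint $Volume.MountPoint `
                -KeyProtectorId $Protector.KeyProtectorId -ErrorAction Stop | Out-Null
            $Result = 'Backed up to AD DS'
        } catch {
            # Typical causes: no domain controller reachable, or the GPO
            # "Store BitLocker recovery information in AD DS" not applied yet.
            $Result = "FAILED: $($_.Exception.Message)"
        }
        [PSCustomObject]@{
            MountPoint     = $Volume.MountPoint
            KeyProtectorId = $Protector.KeyProtectorId
            Result         = $Result
        }
    }
}

$Results | Format-Table -AutoSize
```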

Suspend and Disable Bitlocker

Suspend Bitlocker Encryption

# Suspend BitLocker until manually resumed (RebootCount 0)
Suspend-BitLocker -MountPoint "C:" -RebootCount 0

# Resume Bitlocker
Resume-BitLocker -MountPoint "C:"

While suspended, BitLocker does not validate system integrity at startup. You might suspend BitLocker protection for firmware upgrades or system updates. You can specify the number of times the computer restarts before the BitLocker suspension ends by using the RebootCount parameter.

  • RebootCount: specify a value between 0 and 15

Disable Bitlocker Encryption

# Disable BitLocker protection 
Disable-BitLocker -MountPoint "C:"

# Check Decryption Status: List Output
Get-BitLockerVolume -MountPoint "C:" | Format-List


# Shell Output:
ComputerName         : JKW-W10-01
MountPoint           : C:
EncryptionMethod     : None
AutoUnlockEnabled    : 
AutoUnlockKeyStored  : 
MetadataVersion      : 0
VolumeStatus         : FullyDecrypted # Wait till complete
ProtectionStatus     : Off
LockStatus           : Unlocked
EncryptionPercentage : 0
WipePercentage       : 0
VolumeType           : OperatingSystem
CapacityGB           : 59.38076
KeyProtector         : {}

Remove Bitlocker protector

Note: If you remove all BitLocker KeyProtectors before you disable BitLocker, there is no way left to unlock the volume!

List KeyProtectorId

# Display all KeyProtectors for the volume
$BitLockerVolume = Get-BitLockerVolume -MountPoint "C:"
$BitLockerVolume.KeyProtector | Format-Table

# Shell Output:

KeyProtectorId                         AutoUnlockProtector KeyProtectorType KeyFileName RecoveryPassword      
--------------                         ------------------- ---------------- ----------- ----------------      
{7760E06A-8CAE-476D-B776-2B18793A69E0}                     RecoveryPassword             605869-464398-32475...
{EAE9721D-FB58-4B19-83D4-648E6580AC0A}                               TpmPin                                   

Remove KeyProtector: Interactive

Use the following command to remove a BitLocker protector; you are prompted for the “KeyProtectorId”:

# Remove existing PIN protector
Remove-BitLockerKeyProtector -MountPoint "C:"

# Shell Output:
cmdlet Remove-BitLockerKeyProtector at command pipeline position 1
Supply values for the following parameters:
KeyProtectorId: {4D776F3E-910C-48A0-8A3D-E8A6F1E43CEB} # Enter your KeyProtector Id


   ComputerName: JKW-W10-01

VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
                Point                                   Percentage                           Enabled    Status    
----------      ----- ---------- ------------           ---------- ------------              ---------- ----------
OperatingSystem C:         59.38 FullyDecrypted         0          {}                                   Off       

Remove KeyProtector: Command

Use the following command to remove a BitLocker protector and pass the “KeyProtectorId” on the command line:

# Remove the protector with the given KeyProtectorId (here the TpmPin protector listed above)
Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId "{EAE9721D-FB58-4B19-83D4-648E6580AC0A}"