How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1

One of the cool new feature in Windows 7 Ultimate and Enterprise is the ability to encrypt USB devices with a password to protect the data from falling into the wrong hands. One of the problem with this is that if a user were to ever forget the unlock key then they will need to remember where they kept the recovery file or paper print out of the 48 digit recovery key. Now for a consumer this feature this might be fine as you keep can keep the key in a fire proof safe or even a locked filing cabinet but if you are managing this in a corporate environment you might have to keep track of thousands or even ten’s of thousands of these devices to keep track of the recovery key.

Well there is where group policy can be your saviour…. of course!

In Part 1 of this “how to” I am going to show you how to setup the recovery key archiving into Active Directory. In Part 2 I will show you how to use Group Policy with Active Directory Certificate Services to enable a Data Recovery Agent so that all your devices can be recovery using a single EFS recovery agent account.

Part 1

Using group policy you can mandate that all encrypted removable device must first have the recover key stored in Active Directory before they start to encrypt. This ensures that for any USB encrypted devices in your organisation that you will always have the ability to unlock the data on the drive even in case that someone forgets the unlock password.

Now before we begin there are a few pre-requisites that we need to cover to make sure this work.

1. You Active Directory must be running the Windows Server 2003 R2 scheme extensions. But I hear you say “you said that Group Policy Preferences doesn’t need schema changes to work” well yes… this is still true it is not a group policy requirement it is a BitLocker requirement.

2. You should install the “BitLocker Drive Encryption Administration Utilities” with Windows Server 2008 R2 or with the RSAT tools for Windows 7 (see image 1.) on at least one computer in your organisation. This computer can then be used to search for and view the recovery keys if you ever need them. This is a new tool with 2008 R2/Windows 7 and makes it MUCH easier to read the recovery keys than back in the 2003 R2/Vista days.

image

Image 1. Installing “BitLocker Drive Encryption Administration Utilities”

How to configured Group Policy to save the Recovery Key?

Now before I go on I will assume that you are already familiar with Group Policy so all I am going to cover is the key (pardon the pun) policies you need to ensure the recovery keys are backed up to AD DS for all your removable USB storage devices in your organisation.

Step 1. Edit the group policy that you have applied to all your workstations and navigate to Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Here the two policies you need to enable are “Deny write access to removable drives not protected by BitLocker” and “Choose how BitLocker-protected Removable drives can be recovered” (see Image 2).

image 

Image 2. Removable Data Drives BitLocker Drive Group Policy

Step 2. When you Enable the “Deny write access to removable drives not protected by BitLocker” also tick the “Do not allow write access to devices configured in another organization” option (see Image 3). This setting is important as it will make any non-BitLocker encrypted devices from being written to in your organisation thus bypassing the whole reason to use BitLocker.

image

Image 3. Deny write access to removable drives not protected by BitLocker

Step 3. Now Enable the “Choose how BitLocker-protected Removable drives can be recovered” and make sure that the “Save BitLocker recovery information to AD DS for removable data drives” and the “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives” are both ticked (See image 4.). This setting ensures the computer has successfully saved recovery key into AD before encrypting a USB storage device.

image

Image 4. Choose how BitLocker-protected removable drives can be recovered

You may also want to consider ticking the “Omit recovery option form the BitLocker setup wizard” as this will prevent you users from saving the recovery key manually  which might be desirable if you don’t trust them to store the key in a safe place.

Because of the “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives” option has been ticked if the user tries to encrypt a new USB storage device when not connected to the corporate network then they will get the following error message (see image 5).

image

Image 5. Error saving recovery key

If the user is out of the office they will need to establishing a VPN connection or enable BitLocker on the device the next time they are in the Office. This would not be a problem if you have configured Direct Access but this is a post for another time.

Note: The loop hole to this is that if someone already had a BitLocker to Go encrypted device and plugs it into a computer they will be able to save information to the device. This does not mean the data will not be encrypted its just you wont have the recovery key if they forget the password to that particular device.

To help with this problem you can set the BitLocker identification field on all the computers in the organisation so they will reject all encrypted devices that don’t have the same identification field value. This setting is under Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption called “Provide the unique identifiers for your organization” (see image 6.). This might sound like you can mandate outside memory sticks can’t be used in your organisation but if someone has set the identification field to the same value this would get around option.

image

Image 6. Provide the unique identifiers for your organization

How to recover the BitLocker recovery password in AD?

So you have deployed BitLocker to your organisation and you have told everyone to be careful to remember the passwords but of course your manger has come to you saying that they have forgotten the password for his USB memory stick and it has the only copy of some really important files on it that he has have for a meeting tomorrow.

What do you do?

Step 1. First we need to identify the USB devices Recovery key identifier by plugging it into a computer running Windows 7 Ultimate/Enterprise. You can then find this identifier by clicking on the “I forgot my password” option (see image 7.)

image

Image 7. I forgot my password

Step 2. Then write down the 8 characters of the recovery key identifier (See image 8.)

image

Image 8. Recovery key identifier

Step 3. Now go to the computer that you installed the “BitLocker Recovery Password Viewer” tool that I previously mentioned above launch “Active Directly Users and Computers” MMC snap-in with and account with Domain Admin privileges. Click on the domain name that will have the recovery key saved and then click “Action” and then “Find BitLocker Recovery Password…” (see image 9.).

image  

Image 9. “Find BitLocker Recovery Password…”

Step 4. Now type the first 8 characters you wrote down in step 2. and click “Search” (See Image 10.). This will show you the Recovery Password in the Details pane that you will need to unlock the drive.

image

Image 10. Find BitLocker Recovery Password…”

Step 5. Now go back to the computer you have plugged the USB device into and click on “Type the recovery key” (see image 7.).

Step 6. Now type the 48 digit Recovery Password into the text box and click “Next” (see image 11.)

image

Image 11. Enter your recovery key

Step 7. Click OK and you will now be able to read the required file off this drive (See Image 12.).

image

Image 12. You cannot save file on this drive

Note: If you want to restore the drive back to normal you will need to go to the control panel and go into the “Manage BitLocker” option to “Turn off BitLocker” (see Image 13.) on the device and then go back and select the option to “Turn On BitLocker” again. This will completely reset the recovery key on the device making the one you just recovered totally invalid.

image

Image 13. Control Panel BitLocker Drive Encryption option

Part 2 can now be found here “How to configure Group Policy to use Data Recovery Agent to encrypt “Bitlocker to Go” drives – Part 2

Author: Alan Burchill

Microsoft MVP (Group Policy)

17 thoughts on “How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1

  1. Hi,

    I’m presuming that the line:

    You Active Directory must be running the Windows Server 2003 R2 scheme extensions.

    Should read “2008 R2 extensions??”

    Cheers,

    Jeff.

    1. No…. 2003 R2 introduced the schema extentions to escrow the Bitlocker Keys in AD…. It had to be 2003 R2 as it was the current server OS when Vista was released. Vista had bitlocker as a feature and without the 2003 R2 extention then you would not have been able to store the recovery key in AD.

  2. if you run RSOP.msc on the comptuer you are trying to apply the policy to do you see any of the settings being applied? if not then the issues is probably with your targeting…

  3. i forgot password and dont have recovery key for my disk@bitlocker ..i ws hvng soo imp content in that .so what i need to do ?

  4. Hi Alan, I’m trying to get the Windows 7 BitLocker GPO options in a Windows Server 2003 domain but am only seeing the Vista option. My DC’s are all Windows Server 2003 R2 (schema extension applied), I’ve installed RSAT with SP1 on a domain joined Windows 7 Ent client (as documented in a number of places) but the additional Windows 7 options are not available when editing a GPO from the Windows 7 client, just the Windows Vista options are there.

    Any ideas where to start looking are appreciated.

    Thanks

  5. @djeff I am pretty sure the BitLocker administrator template are ADMX only as they are only for Windows Vista or later… thus they will not appear on Windows XP or 2003 as they are not ADMX aware…

  6. i have recovery key and also password but it did not accept key or not accept password it gives error

    bitlocker drive encryption failed to recover from an abruptly terminated conversion. this could be due to either all conversion logs being corrupted or the media being write-protected

    what i can do plz tell me

  7. We ran into this mess during a Win 7 migration (deleted computer objects) our saving grace was the recycler for AD (actually they were using Quest tools for AD management). We were able to recover the deleted objects along with the needed keys.

Leave a Reply