Wednesday, 12 May 2010

BitLocker and backing up Recovery Keys to AD

On Windows 7 (Ultimate and Enterprise editions) an administrator can enable BitLocker on any drive: the operating system drive, any other fixed partition, and removable drives such as SD cards, USB keys and USB hard disks (removable drives use BitLocker To Go).

In an Active Directory environment the recovery information can be backed up automatically as msFVE-RecoveryInformation child objects of the Computer Account. Only accounts with read access to those objects (Domain Admins by default, or anyone you explicitly delegate that right to) can read the recovery passwords, so they remain private.

You can also configure a certificate-based Data Recovery Agent (DRA) for BitLocker instead of relying solely on recovery passwords, but my current environment has no PKI or AD Certificate Services, so I haven't covered it in this post.

Before you start using BitLocker and backing up recovery keys in an Active Directory environment you must complete all the steps in "BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory" (Updated: June 21, 2008), which I found at http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

In summary the steps are:-

- Update the AD Forest Schema (only needed if your domain controllers run Windows Server 2003; the Windows Server 2008 schema already contains the BitLocker and TPM classes)
- Run a script in each domain in the forest to grant the computer objects permission to write their own recovery information
(runs against AD, not against each computer)
- Configure AD Group Policies to enforce backing up of the Recovery Password and key package
to the Computer Account in AD.

What the guide above doesn't tell you is that the Vista/Server 2008 policy it describes is not enough on its own for Windows 7 clients. Windows 7 has separate recovery policies per drive type, and you must enable the one for each BitLocker encryption scenario you use. They can be set in the same domain GPO as the settings above (the path is identical under Computer Configuration) rather than in Local Computer Policy on every machine; I used Local Computer Policy here simply to test on one computer.

Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption

- Configure how BitLocker-protected operating system drives can be recovered
- Configure how BitLocker-protected removable data drives can be recovered
- Configure how BitLocker-protected fixed data drives can be recovered
- Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista) - the legacy setting; only needed if you still have Vista or Server 2008 clients.


[Screenshot: example Local Group Policy for BitLocker on the Operating System Drive]
Next you can enable BitLocker and the recovery information will be backed up to AD automatically, provided the computer can reach a domain controller at that moment. With "Do not enable BitLocker until recovery information is stored to AD DS" ticked in the policy above, the wizard refuses to turn BitLocker on if that backup fails, so you never end up with an encrypted drive whose recovery password exists only on the local machine.
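Because both a domain GPO and Local Computer Policy end up as values under HKLM\SOFTWARE\Policies\Microsoft\FVE, you can check from the client itself whether the per-drive-type policies above are actually in force before you roll BitLocker out. The script below is an added example, not from the original post or from the Microsoft guide; it assumes the registry value names listed in the comments are the ones the "Choose how BitLocker-protected ... drives can be recovered" settings write (verify them against the FVE ADMX on your build if a name differs).

```powershell
# Added example (not from the original post): report whether the Windows 7
# per-drive-type BitLocker recovery policies that force AD backup are in effect.
# Assumption: the value names below are the registry representation of the
# "Choose how BitLocker-protected ... drives can be recovered" settings.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # A missing value means the setting is Not Configured, which is not compliant.
    try { (Get-ItemProperty -Path $fvePolicy -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Prefixes: OS = operating system drives, FDV = fixed data drives, RDV = removable data drives
$report = foreach ($prefix in 'OS', 'FDV', 'RDV') {
    $enabled  = Get-FvePolicyValue "${prefix}Recovery"                     # 1 = policy Enabled
    $password = Get-FvePolicyValue "${prefix}RecoveryPassword"             # 0 = do not allow, 1 = allow, 2 = require 48-digit password
    $backup   = Get-FvePolicyValue "${prefix}ActiveDirectoryBackup"        # 1 = Save BitLocker recovery information to AD DS
    $store    = Get-FvePolicyValue "${prefix}ActiveDirectoryInfoToStore"   # 1 = passwords and key packages, 2 = passwords only
    $require  = Get-FvePolicyValue "${prefix}RequireActiveDirectoryBackup" # 1 = Do not enable BitLocker until stored to AD DS

    # Compliant means: policy on, a recovery password at least allowed (otherwise
    # there is nothing for AD to store), backup on, and BitLocker refuses to
    # enable when the backup fails. Written for PowerShell 2.0 (Windows 7 default).
    New-Object PSObject -Property @{
        DriveType        = $prefix
        PolicyEnabled    = ($enabled -eq 1)
        PasswordAllowed  = ($password -ge 1)
        BackupToAD       = ($backup -eq 1)
        StoreKeyPackages = ($store -eq 1)
        RequireBackup    = ($require -eq 1)
        Compliant        = ($enabled -eq 1 -and $password -ge 1 -and $backup -eq 1 -and $require -eq 1)
    }
}

$report | Select-Object DriveType, PolicyEnabled, PasswordAllowed, BackupToAD, StoreKeyPackages, RequireBackup, Compliant |
    Format-Table -AutoSize

# Non-zero exit code so the check can gate an automated deployment.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it after a gpupdate /force on a test machine; a drive type you do not encrypt (for example removable drives, if you block BitLocker To Go) will show as non-compliant and can be ignored, but an OS drive reporting RequireBackup False is exactly the gap that leads to the "already enabled before the policy" problem described below.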

Important - If BitLocker was already enabled on a drive before these Group Policies were applied, its existing recovery passwords are NOT backed up to AD retroactively! The policy only acts when a recovery protector is created, so those computers have to be backed up manually.

To back up manually, run the following command on each such computer from an elevated command prompt (Local Administrator rights). The ID is the GUID of the numerical password protector, which manage-bde -protectors -get C: lists under "Numerical Password":

manage-bde -protectors -adbackup C: -id {Full recovery key identification}
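Doing that by hand for every drive on every already-encrypted machine does not scale, and screen-scraping manage-bde's output is fragile (it is localised). The script below is an added example, not part of the original post: it enumerates the numerical password protector IDs through the Win32_EncryptableVolume WMI class and then runs the same manage-bde -protectors -adbackup command for each one. It assumes it is run elevated on the client with a domain controller reachable; the volume GUID path fallback is for volumes without a drive letter.

```powershell
# Added example (not from the original post): push every numerical (48-digit)
# recovery password protector on this computer to its AD computer account.
# Must run elevated; the AD write is done by the computer account, so the
# permission script from the TechNet guide must already have been run.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # manage-bde accepts a drive letter or a volume GUID path; DeviceID is the latter.
    $target = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }

    # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
    $status = $vol.GetProtectionStatus()
    if ($status.ProtectionStatus -ne 1) {
        Write-Host "$target : BitLocker protection not on, skipping"
        continue
    }

    # KeyProtectorType 3 = Numerical password, the protector type AD stores.
    $kp = $vol.GetKeyProtectors(3)
    if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
        # Nothing AD could hold: the drive was protected with e.g. TPM only.
        Write-Warning "$target : no recovery password protector; add one with: manage-bde -protectors -add $target -RecoveryPassword"
        continue
    }

    foreach ($id in $kp.VolumeKeyProtectorID) {
        # Same command the post shows, once per protector ID (IDs come back braced).
        $out = & manage-bde.exe -protectors -adbackup $target -id $id 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host "$target : backed up protector $id"
        } else {
            Write-Warning "$target : backup of $id failed (exit $LASTEXITCODE)`n$out"
        }
    }
}
```

After it runs, check the computer object in AD: each protector should now appear as an msFVE-RecoveryInformation object whose msFVE-RecoveryGuid matches the ID printed. If a volume has no numerical password protector at all, adding one with manage-bde -protectors -add -RecoveryPassword while the policy is in force triggers the automatic backup on its own.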

To retrieve a backed-up recovery password for a computer you can use the script:-

Get-BitLockerRecoveryInfo.vbs

This script is provided by Microsoft, which can be downloaded from here :-

http://go.microsoft.com/fwlink/?LinkId=78953

To use this script open a command prompt and enter the following:-

Get-BitLockerRecoveryInfo computername

You will need read access to the msFVE-RecoveryInformation objects under the computer account in AD (Domain Admins by default) to see the BitLocker recovery password.
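If you would rather not depend on the VBScript, the same lookup can be done from PowerShell with plain .NET DirectoryServices, which needs no RSAT or AD module on Windows 7. The script below is an added example, not the original post's script and not Microsoft's; the file name Get-ADBitLockerRecovery.ps1 and the -PasswordIdPrefix parameter are my own choices. It assumes the computer's sAMAccountName is the computer name followed by "$" and that the recovery objects sit directly beneath the computer object, which is where the AD backup policy puts them.

```powershell
# Added example (not from the original post): list the BitLocker recovery
# passwords stored under a computer account in AD. Save as
# Get-ADBitLockerRecovery.ps1 (hypothetical name) and run as an account with
# read access to msFVE-RecoveryInformation objects (Domain Admins by default).
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$PasswordIdPrefix   # optional: the 8-character key ID shown on the recovery screen
)

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# 1. Find the computer object (computer accounts are "<name>$").
$cs = New-Object System.DirectoryServices.DirectorySearcher($domain)
$cs.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$computer = $cs.FindOne()
if (-not $computer) { throw "Computer account '$ComputerName' not found in $($rootDse.defaultNamingContext)" }

# 2. Recovery objects are direct children of the computer object, so search one level down.
$rs = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
$rs.SearchScope = 'OneLevel'
$rs.Filter = '(objectClass=msFVE-RecoveryInformation)'
[void]$rs.PropertiesToLoad.AddRange(@('msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'))

$entries = foreach ($r in $rs.FindAll()) {
    # DirectorySearcher lower-cases property names; the GUIDs are stored as octet strings.
    $recoveryGuid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
    $volumeGuid   = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$r.Properties['msfve-volumeguid'][0])
    New-Object PSObject -Property @{
        Computer         = $ComputerName
        Created          = $r.Properties['whencreated'][0]
        # The recovery screen shows the first 8 characters of this GUID.
        PasswordId       = $recoveryGuid.ToString().ToUpper()
        VolumeId         = $volumeGuid.ToString().ToUpper()
        RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
    }
}

# 3. Narrow to the ID the user read out over the phone, if one was given.
if ($PasswordIdPrefix) {
    $entries = $entries | Where-Object { $_.PasswordId.StartsWith($PasswordIdPrefix.ToUpper()) }
}

if (-not $entries) { Write-Warning "No recovery information stored for $ComputerName" }
$entries | Select-Object Computer, Created, PasswordId, VolumeId, RecoveryPassword | Format-List
```

Example use: .\Get-ADBitLockerRecovery.ps1 -ComputerName WKS001 -PasswordIdPrefix 1A2B3C4D (a constructed name and ID). A computer that has been re-encrypted or had protectors reset will have several objects; matching on the key ID the user reads from the recovery screen picks the right one rather than the newest one.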
