Bitlocker : store recovery password in Active Directory


Windows Server 2019

Presentation

In this tutorial, we will see how to store the BitLocker recovery password in Active Directory.

The recovery password is requested when the user forgets their PIN, or when they want to read the disk from another computer after it was protected with the TPM (the TPM protector is bound to the original machine).

Viewing passwords is done using the Active Directory Users and Computers console.

Prerequisites

  • Use an Active Directory environment
  • The schema must be in version 40 minimum.

The schema with Windows Server 2008 is in version 44.
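The two prerequisites above can be verified from any domain-joined machine with the ActiveDirectory RSAT module. The following PowerShell script is an added example, not part of the original tutorial; it reads the schema version and confirms that the object class BitLocker uses for recovery information (msFVE-RecoveryInformation) is present in the schema.

```powershell
# Added example (not from the original tutorial): check the prerequisites
# from a domain-joined machine that has the ActiveDirectory module installed.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# The objectVersion attribute on the schema container is the schema version;
# the tutorial requires at least 40.
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
"Schema version: $schemaVersion"
if ($schemaVersion -lt 40) {
    throw "Schema version $schemaVersion is too old; extend the schema first."
}

# Recovery passwords are stored in child objects of the computer account
# with the class msFVE-RecoveryInformation; confirm the class exists.
$fveClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
if (-not $fveClass) {
    throw 'Schema class msFVE-RecoveryInformation not found.'
}
"Schema class present: $($fveClass.Name)"
```

If the class is missing on a schema that reports version 40 or higher, the schema was not fully updated and the recovery passwords will not be written, even with the policy below in place.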

Configure password recording in Active Directory

Install functionality to view recovery passwords in Active Directory

In order to be able to view passwords from the Active Directory Users and Computers console, it is necessary to add functionality on one or more servers where the console is installed (generally on domain controllers).

From Server Manager, click Add Roles and Features 1.

Server manager

When the wizard is launched, click on Next 1.

Select Role-based or feature-based installation 1 and click on Next 2.

Choose the server 1 then click on Next 2.

Choose the server

Skip the list of roles by clicking Next 1.

List of roles

Check the BitLocker Recovery Password Viewer 1 feature, found under Remote Server Administration Tools / Feature Administration Tools / BitLocker Drive Encryption Administration Utilities. Then click on Next 2.

Bitlocker Recovery Password Viewer

Confirm the installation by clicking on the Install 1 button.

Confirm installation

Wait during installation …

Once the installation is complete, exit the wizard by clicking Close 1.

Installation complete

This feature adds a BitLocker Recovery tab to Computer objects in Active Directory Users and Computers.
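The same feature can be installed from PowerShell, which is handier when several domain controllers need it. This is an added example, not from the original tutorial; the feature names are those reported by Get-WindowsFeature on Windows Server 2019.

```powershell
# Added example (not from the original tutorial): install the BitLocker
# Recovery Password Viewer without the Server Manager wizard.
Import-Module ServerManager

# Show the BitLocker-related RSAT features and their current state.
Get-WindowsFeature -Name 'RSAT-Feature-Tools-BitLocker*' |
    Select-Object Name, DisplayName, InstallState

# Install only the viewer (the ADUC extension); its parent feature
# RSAT-Feature-Tools-BitLocker is pulled in automatically.
$result = Install-WindowsFeature -Name RSAT-Feature-Tools-BitLocker-BdeAducExt
if (-not $result.Success) {
    throw "Installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the tab appears.'
}
```

Run it on every server from which administrators open the Active Directory Users and Computers console; the tab only appears on machines where the extension is installed.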

Configuring Group Policy (GPO) for Bitlocker Linking with Active Directory

For the BitLocker recovery password to be saved in Active Directory, a Group Policy must configure the computer so that the password is written to AD at the moment BitLocker encryption is turned on.

The settings that are configured in the policy can be found in Computer Configuration.

From the Group Policy Management console, right-click the OU 1 where the settings must apply and click on Create a GPO in this domain, and Link it here 2.

New Group Policy

Name the group policy 1 and click OK 2.

Name of policy

Right-click on the policy 1 that has just been created, then click on Edit 2.

Edit policy

Open the setting Choose how BitLocker-protected operating system drives can be recovered 1, located in Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives.

Choose how BitLocker-protected operating system drives can be recovered

Set the setting to Enabled 1, configure the options 2 as on the screenshot, then click on Apply 3 and OK 4.

Option | Explanation
Save BitLocker recovery information to AD DS for operating system drives | Enables the recording of recovery passwords in Active Directory.
Omit recovery options from the BitLocker setup wizard | Removes the recovery configuration options from the wizard when BitLocker is turned on.
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | Ensures that the recovery password has actually been written to Active Directory before BitLocker is enabled; without it, a client that cannot reach a domain controller would encrypt with no escrowed password.

Close the Group Policy Editor.

Overview of the policy settings:

BitLocker policy settings
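Before encrypting a test machine, it is worth confirming that the policy actually reached the client. The policy above writes its values under HKLM\SOFTWARE\Policies\Microsoft\FVE; the script below is an added example, not from the original tutorial, and compares those values with what the three options in the table set. The value names come from the BitLocker ADMX (VolumeEncryption.admx).

```powershell
# Added example (not from the original tutorial): on a domain-joined client,
# verify that the BitLocker GPO has been applied by reading the policy
# registry key it populates.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values for the options the tutorial enables in
# "Choose how BitLocker-protected operating system drives can be recovered".
$expected = @{
    OSRecovery                     = 1  # setting is Enabled
    OSActiveDirectoryBackup        = 1  # save recovery information to AD DS
    OSHideRecoveryPage             = 1  # omit recovery options from the wizard
    OSRequireActiveDirectoryBackup = 1  # do not enable BitLocker until stored in AD DS
}

if (-not (Test-Path $fveKey)) {
    Write-Warning 'No BitLocker policy found; run gpupdate /force and check the GPO link.'
    return
}

$actual = Get-ItemProperty -Path $fveKey
$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual.$name
        OK       = ($actual.$name -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize
if ($report.OK -contains $false) {
    Write-Warning 'Policy is not fully applied on this computer.'
}
```

A missing key usually means the GPO is linked to the wrong OU or has not yet been refreshed; a present key with a wrong value means another GPO with higher precedence sets the same policy.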

Validate the configuration

On a computer where BitLocker is not yet configured, open File Explorer, right-click on the system drive 1 and click on Turn on BitLocker 2.

Wait while BitLocker initializes …

Choose how the disk space is encrypted 1 and click on Next 2.

Configure the encryption mode 1 then click Next 2.

Click on Start encryption 1.

Wait during encryption …

Meanwhile, open the computer object in the Active Directory Users and Computers console: the recovery password is shown on the BitLocker Recovery tab.

On the computer, once the encryption is complete, click on Close 1.
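Checking one computer in the console works for a test, but across a fleet the useful question is which computers have no recovery password escrowed at all. The script below is an added example, not from the original tutorial; it lists, for an OU, how many recovery objects each computer has, and then shows how a client that was already encrypted before the policy existed can escrow its existing protector (the policy only acts when BitLocker is turned on, so earlier volumes are not backed up retroactively). The OU distinguished name is a placeholder.

```powershell
# Added example (not from the original tutorial): audit recovery-password
# escrow for an OU, then escrow protectors of an already-encrypted volume.
Import-Module ActiveDirectory

# Placeholder: replace with the OU that holds your workstations.
$ouDN = 'OU=Workstations,DC=example,DC=com'

# Part 1 (run with RSAT or on a domain controller): every escrowed recovery
# password is a child object of class msFVE-RecoveryInformation under the
# computer account, so count those children per computer.
$computers = Get-ADComputer -Filter * -SearchBase $ouDN
$audit = foreach ($c in $computers) {
    $escrowed = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated
    [pscustomobject]@{
        Computer      = $c.Name
        RecoveryCount = @($escrowed).Count
        LastEscrow    = ($escrowed | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}
# Computers with RecoveryCount 0 were encrypted before the policy or never reached a DC.
$audit | Sort-Object RecoveryCount | Format-Table -AutoSize

# Part 2 (run on a client whose C: was encrypted before the GPO applied):
# push each existing recovery-password protector to AD. Get-BitLockerVolume
# and Backup-BitLockerKeyProtector are in the built-in BitLocker module.
$volume = Get-BitLockerVolume -MountPoint 'C:'
$recoveryProtectors = $volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($protector in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $protector.KeyProtectorId
}
```

Part 2 requires the client to reach a domain controller; if no RecoveryPassword protector exists on the volume, add one first (for example with Add-BitLockerKeyProtector -RecoveryPasswordProtector) and then run the backup, otherwise there is nothing to escrow.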

Conclusion

By storing recovery passwords in Active Directory, you centralize them: helpdesk staff can retrieve a recovery password from the computer object, and access to that information can be delegated and audited like any other AD permission.
