How to backup recovery information in AD after BitLocker is turned ON in Windows 7

Hello,

My name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover “How to backup recovery information in Active Directory (AD) after Bitlocker is turned ON in Windows 7 and above.”

In this blog, I will try to answer a common question asked to us often, ‘How do I save the bitlocker recovery information to Active Directory after bitlocker is enabled?’.

This situation can arise when any of the following conditions are true, but is also not limited to this list:

  1. The machine was bitlocker’ed prior to domain join.
  2. The machine was not connected to the network when bitlocker was enabled, hence the recovery information couldn’t be saved to AD-DS.
  3. Group policy setting to save the recovery information to AD was not enabled at the time of encryption.

To solve this situation, you can use manage-bde.exe command from the client machine to save the recovery information in AD. You do not need to decrypt and re-encrypt the drive to store the recovery information in AD.

Before you use the command line, verify that the client machine has received the group policy setting to save the information to AD. You could review the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE on the client machine for below values:

  • To allow backup of recovery information for operating system drives to AD, the value OSActiveDirectoryBackup should be set to 1.
  • To allow backup of recovery information for fixed data drives to AD, the value FDVActiveDirectoryBackup should be set to 1.
  • To allow backup of recovery information for removable data drives to AD, the value RDVActiveDirectoryBackup should be set to 1.

If these values are not set, you won’t be able to backup the recovery information of respective drive type to AD. In that case verify that the group policy to backup information to AD is configured as per the blog (https://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx). Also, ensure that bitlocker group policies are actually applied to the OU, the client is a member of, and the group policy has replicated to the domain controller from which the client receives group policy.

After the group policy is successfully applied on the client machine, open an elevated command prompt and run the below command.


Note: You require local admin rights to run manage-bde commands.**

STEP 1: Get the ID for the numerical password protector of the volume, in the example below we are using the C: drive:

manage-bde -protectors -get c:

Example:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: [Old Win7]
All Key Protectors
    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

    TPM And PIN:
      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}

In the above result, you would find an ID and Password for Numerical Password protector.

STEP 2: Use the numerical password protector’s ID from STEP 1 to backup recovery information to AD

In the below command, replace the GUID after the -id with the ID of Numerical Password protector.

manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

You should now be able to view the recovery information for the volume in the active directory.

For more information on active directory backup of bitlokcer recovery information refer to the TechNet article: https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

In case you have to backup information for multiple machines, you may use the attached sample VBScript which automates backup of recovery information for all encrypted volumes, on the machine.

You may execute the attached script from an elevated command window.

For Example: cscript BDEAdBackup.vbs

This script writes logging information to C:\WINDOWS\TEMP\BDEAdBackup.log file.

Disclaimer:**

© 2013 Microsoft Corporation. All rights reserved. Sample script provided in this blog is not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. **

We hope this blog helped you understand and address the situation. 

 

BDEAdBackup.vbs