Securing Windows Server 2008: BitLocker information storage and administration

Aaron Tiensivu explains how to ensure proper administration and storage of BitLocker information in this chapter excerpt.

Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. The chapter excerpt covers BitLocker administration, configuration and disabling.


Administration of BitLocker

In a managed enterprise environment, it can be problematic to allow each user to enable BitLocker on their own. Not only do you have to add the user to the local Administrators group, you also hand over the management of recovery passwords and/or PINs and startup keys. In the real world, users forget their passwords and PINs. So why should this be different with BitLocker recovery information? Here's an example: A user with a laptop decides to use BitLocker to make sure the data is secure even when the laptop is stolen. After enabling BitLocker, the user puts the recovery password printout into the laptop bag. A security nightmare!

One method to address such deficiencies is to educate users and increase their awareness so that they become more sensitive to security-related matters. Another approach is technical. Windows Server 2008 extends well-known techniques and tools to give the administrator control over the BitLocker lifecycle. Group Policy settings were added to control the behavior of BitLocker on client and server systems. Furthermore, the Windows Management Instrumentation (WMI) interface for BitLocker allows for local and remote management of BitLocker. We will talk about the possibilities of WMI later in this chapter.

Using Group Policy with BitLocker

Group Policy (GPO) in Windows Server 2008 has been extended to provide BitLocker-specific configuration settings. With GPO, the administrator can control BitLocker installation and configuration as well as centralized storage of recovery passwords.

Storing BitLocker and Trusted Platform Modules (TPM) Recovery Information in Active Directory

In conjunction with Group Policy and a downloadable toolkit, Active Directory can be configured to store backup information for Windows BitLocker and the Trusted Platform Module. Recovery information includes the recovery password, the TPM owner password, and the information required to identify to which computers and volumes the recovery information applies. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

As a best practice, configure Active Directory integration first and then allow BitLocker usage on clients and servers. If you enable BitLocker on clients first, recovery passwords for those computers are not stored in Active Directory, leading to an inconsistent experience in case you have to recover.

Storage of BitLocker Recovery Information in Active Directory

BitLocker recovery information is stored in Active Directory as a child object to the computer object. That is, the computer object acts as the parent container for a recovery object. Each BitLocker object includes the recovery password as well as other recovery information. Multiple recovery objects can exist under each computer account because there can be more than one recovery password for each protected volume.

BitLocker recovery information is stored in objects of type msFVE-RecoveryInformation. These objects are named according to the following scheme:

<Object Creation Date and Time><Recovery GUID>

For example:


Storage of TPM Information in Active Directory

TPM owner passwords are stored as an attribute of the computer object in Active Directory. During TPM initialization or when the TPM password is changed, the hash of the password is stored in Active Directory in the ms-TPM-OwnerInformation attribute.
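The recovery objects described above live under the computer object, so an administrator can audit from the domain which computers actually have a backup. The following script is an added example, not the book's or Microsoft's code; it assumes the ActiveDirectory PowerShell module (RSAT), read access to the msFVE-RecoveryInformation objects, and a placeholder search base. It deliberately does not read msFVE-RecoveryPassword, only counts the objects.

```powershell
# Added example: audit BitLocker and TPM recovery backups stored in Active Directory.
# Assumes the ActiveDirectory module; 'OU=Laptops,DC=example,DC=com' is a placeholder.
Import-Module ActiveDirectory

function Get-BitLockerBackupStatus {
    param([string]$SearchBase = 'OU=Laptops,DC=example,DC=com')  # placeholder OU

    # msTPM-OwnerInformation is the LDAP display name of ms-TPM-OwnerInformation.
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'msTPM-OwnerInformation' |
        ForEach-Object {
            $computer = $_
            # Recovery objects are direct children of the computer object,
            # one per recovery password, so search one level below it.
            $recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

            [PSCustomObject]@{
                Computer           = $computer.Name
                RecoveryObjects    = @($recovery).Count
                # Object names follow <creation date/time><recovery GUID>.
                NewestRecovery     = ($recovery | Sort-Object whenCreated | Select-Object -Last 1).Name
                TpmOwnerHashStored = [bool]$computer.'msTPM-OwnerInformation'
            }
        }
}

# Computers with no recovery object either never enabled BitLocker or enabled it
# before AD backup was required: those cannot be recovered from Active Directory.
Get-BitLockerBackupStatus | Where-Object { $_.RecoveryObjects -eq 0 }
```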

Since BitLocker Active Directory backup stores information in Active Directory objects, you need to extend the schema to support the storage of BitLocker-specific data. Schema extensions and scripts for enabling the Active Directory backup functionality are included in a downloadable toolkit from Microsoft. After extraction, the following sample scripts should help with the implementation:

  • Add-TPMSelfWriteACE.vbs
  • BitLockerTPMSchemaExtension.ldf
  • List-ACEs.vbs
  • Get-TPMOwnerInfo.vbs
  • Get-BitLockerRecoveryInfo.vbs

Extending the Schema

The first step in configuring Active Directory BitLocker backup is extending the Active Directory schema to allow storage of BitLocker-specific objects. Before you start, extract the toolkit files to a folder named C:\BitLocker-AD.

To extend the Active Directory schema:

1. Log on with an account that is a member of the Schema Admins group.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type cd /d C:\BitLocker-AD.
4. At the command prompt, type ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "distinguished name of your domain" -k -j . (the trailing period is the log directory argument of -j). Do not forget the period at the end of the command!

Setting Required Permissions for Backing Up TPM Passwords

The second step is to set permission in Active Directory. By default Windows Vista clients can back up BitLocker recovery information in Active Directory. However, to back up the TPM owner password an Access Control Entry (ACE) must be added to the computer object. To add the ACE use the Add-TPMSelfWriteACE.vbs script from the toolkit. To add the ACE entry:

1. Log on with a domain administrator account.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type cscript Add-TPMSelfWriteACE.vbs.

The script will add a single ACE to the top-level domain object in your domain. The ACE is inherited by all computer child objects in Active Directory.

Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup

Here are the steps to follow to configure Group Policies for clients and servers to use BitLocker Active Directory Backup.

1. Log on with a domain administrator to any Domain Controller.
2. Click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, expand the forest tree down to the domain level.
4. Right-click the Default Domain Policy and select Edit.
5. In the Group Policy Management Editor, open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.
6. In the right pane, double-click Turn on BitLocker backup to Active Directory.
7. Select the Enabled option, select Require BitLocker backup to AD DS, and click OK.
To further enable storage of TPM recovery information:
8. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.
9. In the right pane, double-click Turn on TPM backup to Active Directory.
10. Select the Enabled option, select Require TPM backup to AD DS, and click OK.

In this example, we use the Default Domain Policy to configure Active Directory backup for BitLocker and TPM recovery information. However, in a real-world scenario you would create a new GPO that contains only BitLocker-specific settings!
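After the GPO has been linked and refreshed, a quick check on a client shows whether both "Require ... backup to AD DS" settings took effect. This is an added example, not from the book; it reads the policy registry values that the BitLocker and TPM administrative templates write, and the value names are an assumption based on those templates.

```powershell
# Added example: verify the BitLocker and TPM AD backup policies on a client.
# Registry paths and value names are assumed from the FVE and TPM ADMX templates.
function Test-AdBackupPolicy {
    $checks = @(
        @{ Name = 'Turn on BitLocker backup to Active Directory'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' },
        @{ Name = 'Turn on TPM backup to Active Directory';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' }
    )
    foreach ($c in $checks) {
        # Missing key means the policy is "Not Configured" on this machine.
        $p = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Policy   = $c.Name
            Enabled  = ($p.ActiveDirectoryBackup -eq 1)
            Required = ($p.RequireActiveDirectoryBackup -eq 1)
        }
    }
}

# Run after "gpupdate /force"; both rows should show Enabled and Required as True
# before BitLocker is turned on, otherwise recovery data will not reach AD.
Test-AdBackupPolicy
```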

Recovering Data

BitLocker will lock the computer when an encryption key is not available. Likely causes for this can be:

  • Inserting the BitLocker-protected drive into a new computer
  • Replacing the computer motherboard
  • Performing maintenance operation on the TPM (such as clearing or disabling)
  • Updating the BIOS
  • Upgrading critical early boot components that cause system integrity validation to fail
  • Forgetting the PIN when PIN authentication has been enabled
  • Losing the USB flash drive containing the startup key when startup key authentication has been enabled

When the TPM fails to check the integrity of startup components, it will lock the computer at a very early stage, before the operating system starts. When locked, the system enters recovery mode. You can use a USB flash drive with the recovery password stored on it or use the keyboard to enter the recovery password manually. In recovery mode, the keyboard assignment is somewhat different: you use function keys to enter digits. F1 through F9 represent digits 1 through 9, and F10 represents 0.

Testing BitLocker Data Recovery

To test BitLocker for data recovery, follow these steps:

1. Log on as an administrator.
2. Click Start, click Run, type tpm.msc in the open box, and click OK. The TPM Management Console is displayed.
3. Under Actions, click Turn TPM Off.
4. Provide the TPM owner password, if required.
5. When the Status panel in the TPM Management on Local Computer task panel reads "Your TPM is off and ownership of the TPM has been taken," close that task panel.
6. Click the Safely Remove Hardware icon in the notification area to remove the USB flash drive from the system.
7. Restart your computer. When you restart the computer, you will be prompted for the recovery password, because the startup configuration has changed since you encrypted the volume.
8. The BitLocker Drive Encryption Recovery Console should appear.
9. Insert your USB flash drive and press ESC. The computer will restart automatically.
10. The system should boot normally.

Disabling BitLocker

If you want to turn off BitLocker, you need to decide if you want to disable BitLocker or decrypt the volume. Disabling BitLocker allows for TPM maintenance while the data is kept encrypted. Decrypting the volume means that the entire volume will be decrypted. Disabling BitLocker is supported only on operating system volumes and not on data volumes.

To turn off BitLocker Drive Encryption:

1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. On the BitLocker Drive Encryption page, find the volume on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker Drive Encryption.
3. From the What level of decryption do you want dialog box, click either Disable BitLocker Drive Encryption or Decrypt the volume as needed.
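The same choice between disabling and decrypting can be made through the BitLocker WMI interface mentioned earlier in the chapter. This is an added example, not code from the book; it assumes an elevated prompt, uses the Win32_EncryptableVolume class, and the function name Invoke-BitLockerTurnOff is my own.

```powershell
# Added example: turn off BitLocker via WMI, either by disabling the key
# protectors (OS volume only, data stays encrypted) or by decrypting the volume.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-EncryptableVolume {
    param([string]$DriveLetter = $env:SystemDrive)
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
}

function Invoke-BitLockerTurnOff {
    param(
        [string]$DriveLetter = $env:SystemDrive,
        [ValidateSet('Disable', 'Decrypt')][string]$Level = 'Disable'
    )
    $vol = Get-EncryptableVolume $DriveLetter
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    if ($Level -eq 'Disable') {
        # Disabling is supported only on the operating system volume.
        if ($DriveLetter -ne $env:SystemDrive) {
            throw "Disable is only supported on the OS volume; decrypt $DriveLetter instead"
        }
        # Clears the key protectors: the volume remains encrypted but boots
        # without TPM/PIN/startup key checks, e.g. for TPM or BIOS maintenance.
        $result = $vol.DisableKeyProtectors()
    } else {
        # Starts full decryption; watch progress with GetConversionStatus().
        $result = $vol.Decrypt()
    }
    if ($result.ReturnValue -ne 0) {
        throw ('WMI call failed with HRESULT 0x{0:X8}' -f $result.ReturnValue)
    }
    # ProtectionStatus: 0 = protection off (disabled or decrypting), 1 = on.
    $vol.GetProtectionStatus().ProtectionStatus
}

# Invoke-BitLockerTurnOff -Level Disable                      # before TPM maintenance
# Invoke-BitLockerTurnOff -DriveLetter 'D:' -Level Decrypt    # data volume: decrypt only
```

Remember to re-enable the protectors with EnableKeyProtectors() once maintenance is done, otherwise the volume stays encrypted but unprotected.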

About the book
"Securing Windows Server 2008: Prevent Attack from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
