One of the cool new feature in Windows 7 Ultimate and Enterprise is the ability to encrypt USB devices with a password to protect the data from falling into the wrong hands. One of the problem with this is that if a user were to ever forget the unlock key then they will need to remember where they kept the recovery file or paper print out of the 48 digit recovery key. Now for a consumer this feature this might be fine as you keep can keep the key in a fire proof safe or even a locked filing cabinet but if you are managing this in a corporate environment you might have to keep track of thousands or even tenâ€™s of thousands of these devices to keep track of the recovery key.
Well there is where group policy can be your saviourâ€¦. of course!
In Part 1 of this â€œhow toâ€ I am going to show you how to setup the recovery key archiving into Active Directory. In Part 2 I will show you how to use Group Policy with Active Directory Certificate Services to enable a Data Recovery Agent so that all your devices can be recovery using a single EFS recovery agent account.
Using group policy you can mandate that all encrypted removable device must first have the recover key stored in Active Directory before they start to encrypt. This ensures that for any USB encrypted devices in your organisation that you will always have the ability to unlock the data on the drive even in case that someone forgets the unlock password.
Now before we begin there are a few pre-requisites that we need to cover to make sure this work.
1. You Active Directory must be running the Windows Server 2003 R2 scheme extensions. But I hear you say â€œyou said that Group Policy Preferences doesn’t need schema changes to workâ€ well yesâ€¦ this is still true it is not a group policy requirement it is a BitLocker requirement.
2. You should install the â€œBitLocker Drive Encryption Administration Utilitiesâ€ with Windows Server 2008 R2 or with the RSAT tools for Windows 7 (see image 1.) on at least one computer in your organisation. This computer can then be used to search for and view the recovery keys if you ever need them. This is a new tool with 2008 R2/Windows 7 and makes it MUCH easier to read the recovery keys than back in the 2003 R2/Vista days.
Image 1. Installing â€œBitLocker Drive Encryption Administration Utilitiesâ€
How to configured Group Policy to save the Recovery Key?
Now before I go on I will assume that you are already familiar with Group Policy so all I am going to cover is the key (pardon the pun) policies you need to ensure the recovery keys are backed up to AD DS for all your removable USB storage devices in your organisation.
Step 1. Edit the group policy that you have applied to all your workstations and navigate to Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Here the two policies you need to enable are â€œDeny write access to removable drives not protected by BitLockerâ€ and â€œChoose how BitLocker-protected Removable drives can be recoveredâ€ (see Image 2).
Image 2. Removable Data Drives BitLocker Drive Group Policy
Step 2. When you Enable the â€œDeny write access to removable drives not protected by BitLockerâ€ also tick the â€œDo not allow write access to devices configured in another organizationâ€ option (see Image 3). This setting is important as it will make any non-BitLocker encrypted devices from being written to in your organisation thus bypassing the whole reason to use BitLocker.
Image 3. Deny write access to removable drives not protected by BitLocker
Step 3. Now Enable the â€œChoose how BitLocker-protected Removable drives can be recoveredâ€ and make sure that the â€œSave BitLocker recovery information to AD DS for removable data drivesâ€ and the â€œDo not enable BitLocker until recovery information is stored to AD DS for removable data drivesâ€ are both ticked (See image 4.). This setting ensures the computer has successfully saved recovery key into AD before encrypting a USB storage device.
Image 4. Choose how BitLocker-protected removable drives can be recovered
You may also want to consider ticking the â€œOmit recovery option form the BitLocker setup wizardâ€ as this will prevent you users from saving the recovery key manuallyÂ which might be desirable if you don’t trust them to store the key in a safe place.
Because of the â€œDo not enable BitLocker until recovery information is stored to AD DS for removable data drivesâ€ option has been ticked if the user tries to encrypt a new USB storage device when not connected to the corporate network then they will get the following error message (see image 5).
Image 5. Error saving recovery key
If the user is out of the office they will need to establishing a VPN connection or enable BitLocker on the device the next time they are in the Office. This would not be a problem if you have configured Direct Access but this is a post for another time.
Note: The loop hole to this is that if someone already had a BitLocker to Go encrypted device and plugs it into a computer they will be able to save information to the device. This does not mean the data will not be encrypted its just you wont have the recovery key if they forget the password to that particular device.
To help with this problem you can set the BitLocker identification field on all the computers in the organisation so they will reject all encrypted devices that don’t have the same identification field value. This setting is under Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption called â€œProvide the unique identifiers for your organizationâ€ (see image 6.). This might sound like you can mandate outside memory sticks canâ€™t be used in your organisation but if someone has set the identification field to the same value this would get around option.
Image 6. Provide the unique identifiers for your organization
How to recover the BitLocker recovery password in AD?
So you have deployed BitLocker to your organisation and you have told everyone to be careful to remember the passwords but of course your manger has come to you saying that they have forgotten the password for his USB memory stick and it has the only copy of some really important files on it that he has have for a meeting tomorrow.
What do you do?
Step 1. First we need to identify the USB devices Recovery key identifier by plugging it into a computer running Windows 7 Ultimate/Enterprise. You can then find this identifier by clicking on the â€œI forgot my passwordâ€ option (see image 7.)
Image 7. I forgot my password
Step 2. Then write down the 8 characters of the recovery key identifier (See image 8.)
Image 8. Recovery key identifier
Step 3. Now go to the computer that you installed the â€œBitLocker Recovery Password Viewerâ€ tool that I previously mentioned above launch â€œActive Directly Users and Computersâ€ MMC snap-in with and account with Domain Admin privileges. Click on the domain name that will have the recovery key saved and then click â€œActionâ€ and then â€œFind BitLocker Recovery Passwordâ€¦â€ (see image 9.).
Image 9. “Find BitLocker Recovery Passwordâ€¦â€
Step 4. Now type the first 8 characters you wrote down in step 2. and click â€œSearchâ€ (See Image 10.). This will show you the Recovery Password in the Details pane that you will need to unlock the drive.
Image 10. Find BitLocker Recovery Passwordâ€¦â€
Step 5. Now go back to the computer you have plugged the USB device into and click on â€œType the recovery keyâ€ (see image 7.).
Step 6. Now type the 48 digit Recovery Password into the text box and click “Nextâ€ (see image 11.)
Image 11. Enter your recovery key
Step 7. Click OK and you will now be able to read the required file off this drive (See Image 12.).
Image 12. You cannot save file on this drive
Note: If you want to restore the drive back to normal you will need to go to the control panel and go into the â€œManage BitLockerâ€ option to â€œTurn off BitLockerâ€ (see Image 13.) on the device and then go back and select the option to â€œTurn On BitLockerâ€ again. This will completely reset the recovery key on the device making the one you just recovered totally invalid.
Image 13. Control Panel BitLocker Drive Encryption option
Part 2 can now be found here “How to configure Group Policy to use Data Recovery Agent to encrypt â€œBitlocker to Goâ€ drives â€“ Part 2“