BitLocker - encryption of system disks

For basic information about encryption, see the article A general introduction to data encryption.

In this article, we primarily focus on BitLocker on the Windows 10 operating system (there are no major changes in previous versions, so it can mostly be applied to them as well) and encryption of the disk partition with the operating system (for non-system partitions or external media, there are fewer restrictions, so it's simpler).

The article is relatively long, some people may be interested in only certain parts. For an overview, here's a brief content:

• TPM - Trusted Platform Module
  • TPM identification and version
  • Upgrade or conversion of TPM on HP devices
• Microsoft BitLocker
  • BitLocker management tools
  • Requirements for BitLocker
  • Disk partitions - Partition / Volume
  • Disk encryption - turning on BitLocker
  • Problems with turning on BitLocker
• Unlocking BitLocker - encryption keys and authentication
  • Encryption keys and key protectors
  • Authentication methods
  • Allowed authentication methods
  • BitLocker without TPM chip
  • Changing authentication method - Protector
  • Other BitLocker settings using policies
• Storing BitLocker recovery keys in Active Directory
  • Group Policy for setting information storage in AD DS
  • Information stored in AD DS and its display
  • Additional storage of information in AD DS
• Problem with policies when encrypting different types of disks
  • Settings using Group Policy
  • Problem with fixed and removable disks
• Recovery, or emergency situations
  • Forgotten PIN and BitLocker Recovery
  • Connecting the disk to another computer

TPM - Trusted Platform Module

Currently, many laptops and computers are equipped with a TPM chip. The current version is 2.0 (supported from Windows 8.1, Win7SP1 hotfix), older devices may have version 1.2 (supported from Windows Vista) or 1.3. TPM is a secure cryptoprocessor that supports secure generation and storage of cryptographic keys. TPM has its unique RSA key. It creates hashes of HW and SW configuration, so it recognizes if a change has occurred. BitLocker uses it to protect keys used to encrypt hard drives and provides integrity verification for a trusted boot path (system boot). TPM will provide encryption keys only for the operating system loader if its files are not modified. It can also be used for other purposes.

On the internet, we can find various articles that describe that TPM does not provide sufficient security, so some disk encryption applications don't even support it. Microsoft BitLocker primarily uses it, although it's possible to operate encryption even without a TPM chip. If we have a TPM chip, I consider it appropriate to use it.

TPM identification and version

Whether our computer is equipped with a TPM chip can be checked in the BIOS or more easily in Windows in the Device Manager, but it must be enabled in the BIOS.

Note: Also, when we start the disk encryption wizard (turning on BitLocker), TPM is tested and its initialization is performed if necessary.

Another option is to use the TPM chip management application, which is part of Windows. It's the Snap-in tpm.msc.

If we don't have TPM, it will display the information Compatible TPM cannot be found. If we do, it can be in one of three states:

• The TPM is not ready for use.
• The TPM is ready for use, with reduced functionality.
• The TPM is ready for use.

Note: In Windows 10, TPM initialization (and ownership taking) should be done automatically if there's no problem.

For TPM management, we can also use certain TPM Cmdlets in Windows PowerShell. There's for example the cmdlet Get-Tpm, which lists information about TPM locking when PINs are entered incorrectly.

Interesting information about TPM can be displayed using the command

TpmTool GetDeviceInformation

Upgrade or conversion of TPM on HP devices

HP has available a tool HP TPM Configuration Utility, which together with the corresponding firmware file allows upgrading the TPM chip version or converting from 1.2 to 2.0 and vice versa from 2.0 to 1.2. The latest version SP78910 contains firmware 7.61, we can find it in the article Advisory: HP Desktops, Notebooks, and Workstations - HP TPM Configuration Utility With Windows 10 Anniversary Edition Compatible TPM 2.0 Firmware. After installation, the tool is unpacked into (by default) the folder c:\SWsetup\SP78910. It must be called from the command line (admin rights) with the appropriate firmware file (the easiest is to copy it to the same folder as the exe). Example below (there are some errors in the official documentation).

tpmconfig64 -f TPM12_6.40.190.0_to_TPM20_7.61.2785.0.BIN

Microsoft BitLocker

BitLocker is a disk encryption technology that is part of Microsoft's client and server operating systems. It appeared with Windows Vista and Windows Server 2008. On server OS, it's part of all editions, on client Windows 7 and 8 it's the Enterprise and Ultimate editions, in Windows 10 the Pro and Enterprise editions.

BitLocker allows encrypting (Full Disk Encryption) entire system (Operating System Drives) and non-system (Fixed Data Drives) partitions, referred to as BitLocker Drive Encryption, or removable data media (Removable Data Drives - USB Flash drives, external drives, SD cards, etc.), which is BitLocker To Go.

It uses, as an encryption algorithm, Advanced Encryption Standard (AES) with a key length of 128 or 256 bits (set using Group Policy). Up to Windows 10 version 1511, a more secure algorithm XTS-AES was added.

Microsoft currently recommends, for using BitLocker on a client station, to have the Windows 10 operating system, an SSD disk and a TPM 2.0 chip. I'll immediately add from practice, install the latest BIOS version and have it turned on in UEFI mode.

Official documentation

• BitLocker - Windows 10
• BitLocker Overview - Windows 8
• BitLocker Drive Encryption Technical Overview - Windows Vista
• BitLocker Frequently Asked Questions (FAQ)
• Trusted Platform Module

BitLocker management tools

In Windows 10, which we're discussing here in connection with BitLocker technology, we have the following tools available:

• BitLocker Drive Encryption - graphical tool for turning on/off disk encryption and basic settings, we can find it under Control Panel
• manage-bde - command line tool that offers more options than the graphical interface
• repair-bde - command line tool used to recover encrypted data on a damaged disk (uses Key Packages)
• BitLocker Module - a series of PowerShell cmdlets, for example Enable-BitLocker and Get-BitLockerVolume

Requirements for BitLocker

There aren't many requirements for operating BitLocker. In many cases, we simply turn it on and use it. But there are a few conditions here.

• it's recommended to have a TPM chip, but alternatively we can use a USB Flash drive (enabled using Group Policy) or a password
• BitLocker doesn't support dynamic disks (Dynamic Disk), but only basic disks (Basic Disk)
• the disk must have a special System Partition (see below), so we must have at least two partitions
• the system partition (OS and active system partition) must be formatted with NTFS (others can be FAT)
• we must have administrator rights (regular users can only encrypt removable media)

Disk partitions - Partition / Volume

During a standard installation on an empty disk, Windows automatically creates the necessary partitions. What exact partitions are created depends on the version of the operating system, and whether we're using MBR or GPT. If the necessary partition is not present in the system, the BitLocker wizard will attempt to create it.

For system booting, we must have a system partition (system partition / boot partition), typically hidden, which contains the boot files. This partition must not be encrypted, and therefore must be a different partition than the operating system partition (usually assigned the letter C). For Legacy BIOS it must be formatted with NTFS, for UEFI with FAT32. Its size should be at least 350 MB (but my system created 100 MB, which is also mentioned in the disk partition documentation). Official information Windows 7 - Understanding Disk Partitions, Windows 10 - Hard Drives and Partitions.

List of Section Types:

• EFI System Partition (ESP) - a system partition for booting, if we use UEFI and GPT, at least 100 MB, FAT32, contains NTLDR, HAL, Boot.txt and other files for system startup
• System Reserved (Active System Partition) - a system partition for booting, if we use Legacy BIOS with MBR, at least 100 MB, NTFS, contains Boot Manager (bootmgr), Boot Configuration Data (BCD) and startup files
• Microsoft Reserved Partition (MSR) - MS recommends it for each GPT disk for disk management, on Windows 10 it has a size of 16 MB, it is not visible in disk management (only using diskpart)
• Recovery Partition (WinRE Partition) - here the image of Windows Recovery Environment tools (winre.wim, uses WinPE) is stored, which starts if the OS cannot start due to an error, it contains tools for working with encrypted BitLocker disks, the partition must not be encrypted, its size is at least 300 MB (standard 450 MB)
• OS Partition (Windows Partition) - contains the operating system (standard Windows folder), at least 20 GB, NTFS
• Data Partition - optional additional partitions for data

Note: Special partitions (such as System and Recovery) do not have a disk letter assigned, but using diskpart and the assign command, we can assign it and look at their contents.

WinRE - Windows Recovery Environment

We may encounter problems with recovery tools. If we don't have them on a separate volume. The tools can be located (the order is according to the recommended use):

• special Recovery Partition
• system partition System Reserved or EFI System Partition
• OS partition with Windows, folder C:\Recovery or C:\Windows\System32\Recovery

If the system during installation does not have a special partition available, or there is not enough space on it (currently 350 to 500 MB is required depending on languages, etc.), it will install the tools on the disk along with the OS. We can use a command line to find out if WinRE is enabled and where it is stored.

C:\>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

   Windows RE status:         Enabled
   Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition2\Recovery\WindowsRE
   Boot Configuration Data (BCD) identifier: ff771aa2-2581-11e6-a0e4-c3c0b5456bec
   Recovery image location:
   Recovery image index:      0
   Custom image location:
   Custom image index:        0

REAGENTC.EXE: Operation Successful.

Alternatively, we can enable (or disable) WinRE.

C:\>reagentc /enable
REAGENTC.EXE: Operation Successful.

However, if BitLocker is enabled on the system drive and WinRE should be located on it, we will get an error when enabling it.

REAGENTC.EXE: Windows RE cannot be enabled on a volume with BitLocker Drive Encryption enabled.

Disk Encryption - Enabling BitLocker

If there are no problems, enabling and using the BitLocker function is simple and intuitive. The following steps also show various special states that in the ideal case will not occur (so we won't encounter a series of steps).

• we launch the graphical tool BitLocker Drive Encryption

• next to the disk we want to encrypt (here we're dealing with the system disk C), we click Turn on BitLocker
• (we can also right-click on the disk in File Explorer and select Turn on BitLocker)
• a wizard starts, which first checks if the system meets the given requirements (and possibly performs certain necessary actions, such as enabling TPM - the second image shows this)

• another possibility is that it detects a problem with the disk. In this case, WinRE is not located on a special partition, but is on the OS disk C (so after encryption, the Recovery Environment tools would not be available). The wizard wants to try to move WinRE to the System Reserved partition, but it fails (there is not enough free space of 350 MB required). It automatically disables WinRE and only informs us.

• the next step will only appear if we modify the Group Policy settings and the individual items depend on the set values (described in detail later in the chapter Allowed Authentication Methods). We choose the disk unlock (authentication) method. The first image shows the options with the TPM chip, the second without TPM.

• we choose where the recovery key (which we can use in case of problems, for example if we had to connect the disk to another computer and did not have the keys in the TPM) will be stored, the offered options depend on various circumstances (for example, if the computer is not in a domain, saving to a Microsoft account is offered)

Note: For some time I was quite confused by a certain behavior that I couldn't find described anywhere. Apparently it's all because in various Microsoft dialogs they only use the term Recovery Key (and don't distinguish between Recovery Password and Recovery Key). If we choose to print or save to a file, the textual Recovery Password is used. If we choose a USB flash drive, both are saved to two files.

• we choose whether the entire disk should be encrypted (including empty space where deleted data may be) or only the currently used part (the rest is encrypted when new data is saved)

Note: Encrypting the entire 250 GB SSD disk on a new powerful laptop took 1:24 hours. Encrypting only the used part of the disk (newly installed OS) took 8 minutes.

• from Windows 10 version 1511 we can choose to use the new encryption algorithm XTS-AES

• in the last step it is good to choose to perform a system check (it tests the work with keys in the TPM and other things), otherwise disk encryption will start immediately and in case of any complications we may not be able to decrypt it

• finally, a restart is required

If everything is fine, after the restart no information will be displayed and disk encryption will start running in the background. We can work with the computer in a standard way. To see how the encryption is progressing, we can use a command line or a PowerShell cmdlet (the commands must be run as administrator).

Note: In some cases, an icon appeared in the notification area, which when expanded showed the progress of the encryption.

C:\Windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

  Size:                 237,92 GB
  BitLocker Version:    2.0
  Conversion Status:    Encryption in Progress
  Percentage Encrypted: 41,3%
  Encryption Method:    XTS-AES 128
  Protection Status:    Protection Off
  Lock Status:          Unlocked
  Identification Field: Unknown
  Key Protectors:
    TPM
    Numerical Password

PS C:\Windows\system32> Get-BitLockerVolume
ComputerName: BITLOCKER-TEST

VolumeType      Mount CapacityGB VolumeStatus          Encryption KeyProtector            AutoUnlock Protection
Point                                                  Percentage                         Enabled    Status
----------      ----- ---------- ------------          ---------- ------------            ---------- ----------
OperatingSystem C:        237,92 EncryptionInProgress  43         {Tpm, RecoveryPassword}            Off

We can also look at the BitLocker Drive Encryption, where we can see if encryption is in progress or has been completed. Various configuration options also appear here (depending on many circumstances).

Problems with Enabling BitLocker

During testing, I encountered a problem that is not very well described on the Internet. The BitLocker setup wizard went through without any problems, at the end a restart was performed to perform a system check. After starting the system, an error message was displayed.

Bitlocker could not be enabled. The Bitlocker Encryption key cannot be obtained from the Trusted Platform Module (TPM).

Related information was displayed in the Snap-in tpm.msc`, where the status was shown as `The TPM is ready for use, with reduced functionality.

The first step is recommended to install the latest BIOS version, because it often can fix operations with the TPM chip. In this case, nothing changed.

Microsoft in its article View status, clear, or troubleshoot the TPM (where there is also a number of other useful information) states that if the TPM status is with reduced functionality, the TPM keys should be cleared. This didn't help either (on another computer, this problem was solved this way).

The problem was ultimately that the computer had a TPM 2.0 chip and the BIOS was running in Legacy mode. This is also related to the fact that the system disk had a partitioning scheme of type MBR (Master Boot Record). I found a mention for example TPM is ready for use, with reduced functionality message when the BIOS is in legacy mode with TPM 2.0, which is about server OSes, but apparently the same applies to client OSes as well.

For the TPM 2.0 to work properly, the system BIOS must be in UEFI (Unified Extensible Firmware Interface) mode and the TPM and Secure Boot options must be enabled in the settings. UEFI uses GPT (GUID Partition Table) for disks.

One option is to perform a downgrade of TPM to version 1.2. Or switch the BIOS to UEFI mode, which will require changing the partition from MBR to GPT. Until recently, from Microsoft's perspective, this meant reinstalling the operating system. New to Windows 10 version 1703 is the command line tool MBR2GPT.EXE, which can convert the system disk to GPT (without data loss). Subsequently, it is necessary to switch the BIOS to UEFI to support GPT and allow the system to boot.

To find out in which mode the BIOS is, we can use the msinfo32.exe tool, where the BIOS Mode item will display either UEFI or Legacy.

There are a number of dependencies, simplified summary. Legacy BIOS uses MBR, UEFI uses GPT. Windows supports GPT on the boot disk from 64-bit Windows Vista or 32-bit Windows 8 and up, and requires UEFI. TPM 1.2 is supported from Windows Vista and TPM 2.0 from Windows 8.1, but for Windows 7 SP1 there is a hotfix available that adds support. TPM 2.0 requires UEFI and Secure Boot.

Unlocking BitLocker - Encryption Keys and Authentication

The disk is encrypted and now we could start thinking about how the data is secured and how we can access it.

To work with data on an encrypted (encrypted) disk (for example, to start the operating system), we need to decrypt it. Microsoft says we perform a unlock (unlock) of the BitLocker volume. A certain form of authentication (BitLocker Authentication Method) is used to unlock.

Encryption Keys and Key Protectors

BitLocker uses a variety of keys. The disk (actual data) is encrypted using the Full Volume Encryption Key (FVEK), which is encrypted using the Volume Master Key (VMK) and is protected by some method for protecting encryption keys, which is referred to as BitLocker Key Protectors. FVEK and VMK are stored on the encrypted disk in two locations, they are always stored encrypted, and can be read by the boot manager. This chaining allows changing the keys without having to re-encrypt the entire disk. The options for Key Protectors are:

• TPM (Trusted Platform Module) - hardware device for storing encryption keys
• PIN (Personal Identification Number) - numeric code (4, new 6, up to 20 digits), can only be used together with TPM
• Enhanced PIN - alphanumeric code, can only be used together with TPM
• Startup key - encryption key stored on a removable medium, can be used alone or together with TPM
• Recovery password - 48-digit code that can be used to unlock the volume in Recovery mode (if the digits cannot be entered, the F1-F10 keys can be used)
• Recovery key - encryption key stored on a removable medium, can be used to unlock the disk
• Key Package - not a Key Protector, but a bundle of keys that can be used to decrypt data on a damaged disk, protected by Recovery password

Note: These are the options that apply to the system disk. For other hard disks or removable media, different options may apply. For example, we can use certificate-based unlock on a smart card.

Each Key Protector we use (we can set several at once on an encrypted disk, then unlock the disk with any of them, but only certain combinations are allowed) has its own ID, by which we can uniquely identify it.

Recovery Password is either printed as a numeric code or saved to a text file. It has a standard name that includes its ID BitLocker Recovery Key B36838F0-D01B-4427-8607-D438FB725BB5.TXT. Its content is primarily a numeric code. The manage-bde tool refers to it as a Numerical Password. Example file content:

BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:
       B36838F0-D01B-4427-8607-D438FB725BB5

If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

Recovery Key:
       180092-326667-085987-089089-423016-163515-262691-143924


If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.

Startup Key is stored in a hidden binary file with the BEK extension. The name is its ID, e.g. 6F3C8360-046A-4F19-9DAF-AE473D83042D.BEK. In some places it is referred to as External Key protector for startup.

Recovery Key is stored in the same file and has the same shape as the Startup Key. In some places it is referred to as External Key protector for recovery. If we have a Recovery Key on a USB drive connected to the computer, the computer will automatically boot, even if we have PIN protection (another Protector will be used).

Authentication Methods

If we have an encrypted system disk using BitLocker, the operating system must obtain the encryption keys at the beginning of startup in order to decrypt the data. This depends on the BitLocker Key Protectors used. We talk about different authentication methods (BitLocker Authentication Methods). If more than one option is used, it is a multi-factor authentication (Multifactor Authentication) and usually ensures that the system does not start automatically, thus securing the data in case of computer theft. Authentication methods are:

• TPM - the simplest option, allows remote restart (does not require user interaction at startup), but also the least secure (the keys are stored in the TPM chip in the computer, so it starts automatically)
• TPM + PIN - the user must enter a PIN at startup to access the keys in the TPM, repeated incorrect PIN entry will lock it (for TPM 1.2 set by the manufacturer, for TPM 2.0 default 32, can be changed)
• TPM + Network Key - uses network unlock (Network Unlock), if the computer is on the corporate network, it retrieves the key from the WDS server and automatically unlocks the disk and boots, uses certificates and DHCP (requires a lot of configuration)
• TPM + Startup Key - a USB flash drive containing the Startup Key must be inserted at startup
• TPM + PIN + Startup Key - we must insert a USB flash drive and enter a PIN at startup
• Startup Key - if we don't have a TPM chip, we can use a USB flash drive containing the Startup Key
• Password - MS does not list this as an authentication method, but if we don't have a TPM chip, we have the choice between a USB flash drive (Startup Key) and a password that we enter at startup

Note: For the use of Startup Key to make sense, we must not leave the USB flash drive constantly plugged into the computer. Similarly, we should not keep the Recovery password and key near the computer, but in another location.

Allowed Authentication Methods

We have listed various authentication (key security - Protectors) options for BitLocker. By default, only a single (and relatively insecure) TPM only option is enabled. If we don't have a TPM chip, we can't turn on BitLocker at all, and we can't increase security with a PIN, for example. We can change the default options only using Group Policy (either within a domain or locally).

It's the Require additional authentication at startup item in the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives. Here we have various options that we can enable, or set one as mandatory.

BitLocker without a TPM Chip

If we try to turn on BitLocker and don't have a TPM chip in the computer (it may only be turned off in the BIOS or have a driver problem), an error will appear at the beginning of the wizard:

This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM"
 option in the "Require additional authentication at startup" policy for OS volumes.

As the message suggests, we set the policy described in the previous chapter. Group Policy item Require additional authentication at startup in the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives. We enable this setting (Enabled) and check Allow BitLocker without a compatible TPM.

Changing the Authentication Method - Protector

We can set the policy where we allow the required authentication methods before encrypting the disk. Then the BitLocker wizard will offer a selection of methods for unlocking the disk. In the wizard (generally in the GUI), the following options are offered:

• if we have TPM chip enabled
  • Enter a PIN - TPM + PIN authentication
  • Insert a USB flash drive - TPM + Startup Key authentication
  • Let BitLocker automatically unlock my drive - TPM authentication
• without TPM chip
  • Insert a USB flash drive - Startup Key authentication
  • Enter a password - Password authentication

Or we can change the method on an already encrypted disk. For this, we can use the BitLocker Drive Encryption tool, which (under certain conditions) may offer a new option Change how drive is unlocked at startup.

More options are provided by the command-line tool manage-bde or PowerShell cmdlets. Here we can set combinations of multiple methods (TPM + PIN + Startup Key) or several alternative options (each one can unlock the disk, with TPM there can be only one, to which we can add others without TPM). The basic usage is as follows (we can always add -? to the command to get help).

Displaying the used authentication method:

manage-bde -protectors -get C:

(Get-BitLockerVolume -MountPoint C:).KeyProtector

Setting TPM + PIN, then we will be prompted to enter the PIN:

manage-bde -protectors -add C: -tpmandpin

Add-BitLockerProtector -MountPoint C: -TPMandPinProtector

Further BitLocker configuration using policies

Using Group Policy, we can influence various parameters and behavior of BitLocker or the TPM chip. Official documentation BitLocker Group Policy settings. A few examples:

In the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives

• if we want to use Enhanced PIN instead of the standard (numeric) PIN, where letters are added to the numbers, we must enable the setting Allow enhanced PINs for startup
• we can change the minimum required PIN length (from the current minimum of 6 to a maximum of 20) in Configure minimum PIN length for startup

In the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption

• we can set the encryption method and cipher strength in Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

In the path Computer Configuration - Administrative Templates - System - Trusted Platform Module Services

• we can set the number of incorrect PIN attempts before the TPM is locked for a certain time in Standard User Lockout Duration, Standard User Individual Lockout Threshold and Standard User Total Lockout Threshold

Storing BitLocker keys for recovery in Active Directory

BitLocker Recovery Keys are an important part of BitLocker, so we can access the encrypted data on the disk in case of any problems. In a corporate environment, we certainly want some centralized solution for managing these keys, and we often need the ability, as administrators, to access the encrypted data of users. Microsoft offers a simple option to store (back up) these keys in Active Directory Domain Services (Store recovery keys in Active Directory). We can store the 48-digit Recovery password or also the Key Package, which allows us to retrieve data from a damaged disk (storing in AD DS is the only simple way to access the Key Package).

The configuration is again done using Group Policy. We can back up information for the recovery of BitLocker or TPM (various discussions indicate that TPM backup is unnecessary, although MS recommends backing up both, and there was a change in Windows 10 version 1607). By default, only Domain Admins can access the stored information in AD DS.

Note: For better management of the corporate environment, Microsoft has the tool Microsoft BitLocker Administration and Monitoring (MBAM), which is part of the Microsoft Desktop Optimization Pack (MDOP). It uses a server component (and SQL Server + Reporting Services) and clients, displays an overview of BIOS and TPM versions, performs BitLocker installations, contains a number of reports and a web portal for obtaining the BitLocker Recovery Key and TPM Owner Password.

Group Policy for configuring information storage in AD DS

To start with, a note, as I was quite surprised that there seems to be an error in the Microsoft documentation. Even the latest version I found for Windows 10 - Active Directory Domain Services considerations, mentions the policies Turn on BitLocker backup to Active Directory Domain Services and Turn on TPM backup to Active Directory Domain Services. But such policies do not exist in Windows 10 version 1607.

I found a mention that Microsoft in Windows 10 version 1607 removed the ability to back up TPM. In this version, the work and access to the TPM Owner Password (Change the TPM owner password) has changed, and therefore this value cannot be backed up to AD. The Microsoft BitLocker Administration and Monitoring (MBAM) tool offers certain options, but the TPM password is not needed to access the data encrypted with BitLocker, so this should not bother us significantly (it is used to unlock a locked TPM chip).

Information on BitLocker backup is better described in the older documentation Backing Up BitLocker and TPM Recovery Information to AD DS in the chapter Configure Group Policy to enable backup of BitLocker and TPM recovery information in AD DS. We find that since Windows 7, the setting Choose how BitLocker-protected operating system drives can be recovered in the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives has been used.

Here we set the option Save BitLocker recovery information to AD DS for operating system drives and decide whether we want to store only the Recovery Password or also the Key Package in AD. We can also activate the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives, then BitLocker cannot be activated until the computer is joined to the domain and the recovery information is correctly stored (for example, it is not found in the network when BitLocker is turned on).

If we use BitLocker Data Recovery Agents, which are accounts whose PKI certificate is used globally as a Key Protector, so they can unlock BitLocker disks on all computers, we will allow Allow data recovery agent. We must also set the policy Provide the unique identifiers for your organization and other settings. If we do not use Recovery Agents, we must uncheck this value!

Information stored in AD DS and its display

BitLocker information is stored in AD DS as an object that is under the computer object. It is an object msFVE-RecoveryInformation with the following attributes:

• ms-FVE-RecoveryPassword - 48-digit code used in Recovery mode
• ms-FVE-RecoveryGuid - GUID assigned to the Recovery Password for its identification
• ms-FVE-VolumeGuid - GUID of the encrypted disk
• ms-FVE-KeyPackage - contains the encryption key secured by the Recovery Password, can be used to recover part of the data in case of disk failure

The BitLocker Password Recovery Viewer tool, which is part of the Remote Server Administration Tools (RSAT), is used to view the information. It is an extension of Active Directory Users and Computers that adds a BitLocker Recovery tab to computer objects.

Or we can view the data directly in Active Directory Users and Computers (or ADSI Edit). In the View menu, we check Users, Contacts, Groups, and Computers as containers, then we can expand the computer object and see the objects under it.

Additional storage of information in AD DS

If we activate BitLocker on some computers before setting the policy for storing recovery keys in AD DS, these computers will not have anything stored. We have commands available to manually trigger the storage.

First, we need to get the ID for the Protector that we want to back up to AD. This is the Recovery Password (Numerical Password). If we try the ID of a different Protector, we will get an error.

C:\>manage-bde -protectors -get C:
BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
All Key Protectors

  Numerical Password:
    ID: {BB30F4FB-9263-45D2-B227-799E22582B20}
    Password:
      079552-555544-716221-392788-505340-245069-453937-232727

  TPM And PIN:
    ID: {8D1F2731-31E7-40F1-9FEB-8D04079835AB}
    PCR Validation Profile:
      0, 2, 4, 11

PS C:\> (Get-BitLockerVolume -MountPoint c:).KeyProtector

KeyProtectorId      : {BB30F4FB-9263-45D2-B227-799E22582B20}
AutoUnlockProtector :
KeyProtectorType    : RecoveryPassword
KeyFileName         :
RecoveryPassword    : 079552-555544-716221-392788-505340-245069-453937-232727
KeyCertificateType  :
Thumbprint          :

KeyProtectorId      : {8D1F2731-31E7-40F1-9FEB-8D04079835AB}
AutoUnlockProtector :
KeyProtectorType    : TpmPin
KeyFileName         :
RecoveryPassword    :
KeyCertificateType  :
Thumbprint          :

Then we initiate the backup (backup to AD DS must be allowed by the policy).

C:\>manage-bde -protectors -adbackup C: -id {BB30F4FB-9263-45D2-B227-799E22582B20}
BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Recovery information was successfully backed up to Active Directory.

PS C:\> Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{BB30F4FB-9263-45D2-B227-799E22582B20}"

   ComputerName: BITLOCKER-TEST

VolumeType      Mount  CapacityGB VolumeStatus   Encryption KeyProtector              AutoUnlock Protection
                Point                            Percentage                           Enabled    Status
----------      -----  ---------- ------------   ---------- ------------              ---------- ----------
OperatingSystem C:         237,92 FullyEncrypted 100        {RecoveryPassword, Tpm...            On

Issues with policies when encrypting different types of disks

In this article, we have focused on using BitLocker to encrypt system partition disks. Over time, I wanted to use encryption for removable disks as well, and in doing so, I encountered a strange error. I couldn't find an explanation anywhere on the internet, so I added this chapter based on my own experience.

Setting up using Group Policy

We have seen that many things related to BitLocker configuration can be controlled using group policies (not everything, for example, we cannot disable BitLocker for administrators). The settings are located in the path Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption, where we have three subfolders and the settings in them apply to a specific group of disks.

• Fixed Data Drives - additional fixed disks (more precisely, volumes/partitions) in the computer
• Operating System Drives - system disks (we have dealt with them here)
• Removable Data Drives - removable disks (external USB drives, flash drives, etc.), i.e., BitLocker To Go

For each group of disks, we have certain policies available, but the basics are the same. We described the policy Require additional authentication at startup, which is only for system disks and we set the allowed authentication methods (in the company, we will probably set one as mandatory and disable the others).

The second, in my opinion the most important policy, is called Choose how BitLocker-protected operating system drives can be recovered and exists for all types of disks (the disk name just changes in the policy name). We set whether and what recovery information the user can store and whether this data is stored in AD DS.

The settings I originally made are shown in the following image. I don't use Recovery agents, I didn't want users to store recovery information (system disk encryption is performed by administrators anyway and an external disk would have to be inserted), but I do want to store all the data in AD DS and if that's not possible, don't encrypt.

Issue with fixed and removable disks

With the settings above, disk encryption of the system disk works without any problems. The wizard asks almost nothing (other policies are also used) and the recovery information is stored in AD DS. But when trying to use BitLocker on another fixed disk or any removable media, an error is displayed:

BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery
 options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required
 when the generation of recovery password is not permitted.

With various attempts to set the policy Choose how BitLocker-protected operating system drives can be recovered for fixed and removable disks (when I entered the same values as for the system disk), I got a different error.

The result is that for the system disk (and possibly for all others, if the policy is set) we must set Allow for recovery information. If we want users not to see the option to save recovery information in the wizard, we use the Omit recovery options from the BitLocker setup wizard checkbox.

Note: Users have the Back up your recovery key option available for encrypted disks in the BitLocker Drive Encryption tool.

Recovery, or emergency situations

We will briefly mention some options for accessing data on an encrypted disk in case of problems. In addition, there are many situations where the computer starts BitLocker Recovery at startup, and we must enter the Recovery Key to start the operating system. The most common situations are related to the TPM chip, which protects the integrity of hardware and software components. Then, for example, if there is an upgrade to the BIOS/UEFI/TPM firmware (it is recommended to suspend BitLocker beforehand), a change in the partition table, enabling USB booting, adding a hardware component, or repeated entry of an incorrect PIN, the system will not start and we must authorize this operation using the Recovery Key. Of course, this is a protection against various attacks. The complete list of events is in the BitLocker recovery guide.

Again, the role of what I mentioned when enabling BitLocker is important here. Microsoft in the Recovery process apparently only uses the term Recovery Key and does not distinguish between Recovery Password and Recovery Key. Depending on which Protectors (of these two) we have set on the disk, we can use them. The wizard then wants us to insert a USB drive when it is looking for the Recovery Key. Or enter a numeric code when it uses the Recovery Password.

Suspending BitLocker - Suspend Protection

If we make targeted changes (such as firmware upgrades), we should perform BitLocker suspension. Then everything will proceed, the disk behaves as unencrypted, and BitLocker will automatically turn on after the restart. Some tools will suspend it automatically. When suspending, the disk is not decrypted, but the Clear Key is used to encrypt the Volume Master Key, which is then stored unencrypted on the disk. Upon restoration, the VMK is changed, the protectors are updated, and the Clear Key is deleted.

For BitLocker suspension, we can use the GUI BitLocker Drive Encryption - Suspend protection. Or the commands:

manage-bde –pause C:

Suspend-BitLocker -MountPoint "C:" -RebootCount 1

Forgotten PIN and BitLocker Recovery

If we have set up system disk unlocking using a PIN, a dialog for entering this PIN appears before the OS starts.

If we forget the PIN, we can press the ESC key and perform BitLocker recovery. If we have set up a Recovery Key, we will be told to insert the corresponding USB flash drive and restart. The system will boot without asking for the PIN.

If we have a Recovery Password set, we can press ESC for more options and a field to enter the numeric code will be displayed. After entering it correctly, the system will start.

When we get to the operating system, we can use the BitLocker Drive Encryption tool, choose Change PIN, and set a new PIN.

Connecting the disk to another computer

We can connect an encrypted system disk to another computer (with an OS that supports BitLocker). The disk will appear locked by BitLocker, and we can unlock it.

We simply enter the 48-character Recovery Password, which we may have copied from AD DS. Or if we have a text file with the BitLocker Recovery Key on a flash drive, we can attach it and click Load key from USB drive.

Then we can work with the disk as usual.