Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7)
Applies To: Windows 7
If an unlock method fails, such as if the TPM detects a change in boot components or a password is forgotten, users will need to use a recovery method to access their data. Before going through the recovery process, you should verify that the drive was not tampered with and isolate the computer from the network until any risk presented by the system is determined. This scenario includes procedures for setting the recovery options available for operating system drives, fixed data drives, and removable data drives. The procedures in this scenario describe how to configure the appropriate Group Policy settings to support the recovery options available to users in your enterprise. You can require that users save recovery keys or recovery files, enable the use of a data recovery agent, or require that all recovery information be backed up to Active Directory Domain Services (AD DS) and prevent users from creating and saving recovery passwords and keys.
Note
If access to an operating system drive is recovered by using the recovery console after a change in the computer configuration, suspend and then resume BitLocker protection before shutting down or putting the computer in hibernation. Otherwise, the conditions that caused BitLocker to start the operating system drive in recovery mode will be detected again and the recovery information will be required to start the operating system.
Before you start
To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your test computer must be part of a domain.
Complete the following procedures to specify the recovery methods for each type of drive.
To specify how BitLocker-protected operating system drives can be recovered
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.
To configure recovery options for operating system drives, in the details pane, double-click Choose how BitLocker-protected operating system drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker. Clear the check box if you do not want to allow data recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether a user is allowed, required, or not allowed to create a 48-digit recovery password or a 256-bit recovery key when they turn on BitLocker. If one user storage option is required, the other must be disallowed. If you want to provide users the option of using either a recovery password or a recovery key, select both Allow 48-digit recovery password and Allow 256-bit recovery key. If you do not want users to be able to store or print recovery information, select both Do not allow 48-digit recovery password and Do not allow 256-bit recovery key.
Select the Save BitLocker recovery information to AD DS for operating system drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box to ensure that the recovery information for all BitLocker-protected operating system drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the administrative recovery settings Save BitLocker recovery information to AD DS for operating system drives or Allow data recovery agent to ensure that the BitLocker-protected drive can be recovered.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.
To specify how BitLocker-protected fixed data drives can be recovered
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.
To configure recovery options for fixed data drives, in the details pane, double-click Choose how BitLocker-protected fixed drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker. Clear the Allow data recovery agent check box if you do not want to allow data recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether a user is allowed, required, or not allowed to create a 48-digit recovery password or a 256-bit recovery key when they turn on BitLocker.
Select the Save BitLocker recovery information to AD DS for fixed data drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box to ensure that the recovery information for all BitLocker-protected fixed data drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the administrative recovery settings Save BitLocker recovery information to AD DS for fixed data drives or Allow data recovery agent to ensure that the BitLocker-protected drive can be recovered.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.
To specify how BitLocker-protected removable data drives can be recovered
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.
To configure recovery options for removable data drives, in the details pane, double-click Choose how BitLocker-protected removable data drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.
To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker. Clear the check box if you do not want to allow data recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether a user is allowed, required, or not allowed to create a 48-digit recovery password or a 256-bit recovery key when they turn on BitLocker. By default, recovery keys are not used with removable data drives.
Select the Save BitLocker recovery information to AD DS for removable data drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for removable data drives check box to ensure that the recovery information for all BitLocker-protected removable data drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the administrative recovery settings Save BitLocker recovery information to AD DS for removable data drives or Allow data recovery agent to ensure that the BitLocker-protected drive can be recovered.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
Close the Local Group Policy Editor.
To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.
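As an added example (not part of this page or of Microsoft's own tooling), the following PowerShell audit reads the registry values that the three "Choose how BitLocker-protected ... drives can be recovered" policies above write and checks them against the rules each procedure states; run it on the configured computer after gpupdate. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (prefixes OS, FDV, RDV) are an assumption to be confirmed against the BitLocker ADMX template.

```powershell
# Added audit example, not from the original page. The value names under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (prefixes OS, FDV, RDV) are assumed to match
# what the BitLocker ADMX writes for the three "Choose how ... can be recovered"
# policies; confirm them against VolumeEncryption.admx before relying on this.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$driveNames  = @{ OS = 'Operating system drives'; FDV = 'Fixed data drives'; RDV = 'Removable data drives' }
$userStorage = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-FveValue([string]$Name) {
    # $null means the value is absent (policy not configured or option unset).
    if (-not (Test-Path $policyKey)) { return $null }
    (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-UserStorageText($Value) {
    if ($null -eq $Value) { 'not set' } else { $userStorage[[int]$Value] }
}

foreach ($prefix in 'OS', 'FDV', 'RDV') {
    Write-Host "== $($driveNames[$prefix]) =="
    if ((Get-FveValue "${prefix}Recovery") -ne 1) {
        Write-Host '  Policy disabled or not configured: defaults apply (DRA allowed, user chooses password or key, no AD DS backup).'
        continue
    }
    $dra      = (Get-FveValue "${prefix}ManageDRA") -eq 1
    $adBackup = (Get-FveValue "${prefix}ActiveDirectoryBackup") -eq 1
    $adReq    = (Get-FveValue "${prefix}RequireActiveDirectoryBackup") -eq 1
    $hidden   = (Get-FveValue "${prefix}HideRecoveryPage") -eq 1
    $recPwd   = Get-FveValue "${prefix}RecoveryPassword"
    $recKey   = Get-FveValue "${prefix}RecoveryKey"
    $store    = if ((Get-FveValue "${prefix}ActiveDirectoryInfoToStore") -eq 1) { 'passwords and key packages' } else { 'passwords only' }

    Write-Host "  Data recovery agent allowed : $dra"
    Write-Host "  48-digit recovery password  : $(Get-UserStorageText $recPwd)"
    Write-Host "  256-bit recovery key        : $(Get-UserStorageText $recKey)"
    Write-Host "  Back up to AD DS            : $adBackup ($store); required before enabling: $adReq"
    Write-Host "  Wizard recovery page hidden : $hidden"
    # Consistency checks taken from the rules stated in the procedures above.
    if ($hidden -and -not ($adBackup -or $dra)) {
        Write-Warning "${prefix}: recovery options are hidden but neither AD DS backup nor a DRA is enabled; drives may be unrecoverable."
    }
    if (($recPwd -eq 1 -and $recKey -ne 0) -or ($recKey -eq 1 -and $recPwd -ne 0)) {
        Write-Warning "${prefix}: when one user storage option is Required, the other must be set to Do not allow."
    }
    if ($adBackup -and -not $adReq) {
        Write-Warning "${prefix}: AD DS backup is enabled but not required; drives encrypted while off the domain will have no escrowed recovery information."
    }
}
```

Because recovery information is not sent to AD DS retroactively, a drive that was encrypted before the backup policy took effect must be escrowed manually with manage-bde -protectors -adbackup <drive> -id <protector ID>, where the protector ID is listed by manage-bde -protectors -get <drive>.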
By completing the procedures in this scenario, you have configured the Group Policy settings establishing the recovery options available for operating system drives, fixed data drives, and removable data drives.