Event ID 514 — BitLocker Recovery Password Backup

Applies To: Windows Server 2008 R2

Recovery information for Windows BitLocker Drive Encryption (BitLocker) can be automatically backed up to Active Directory Domain Services (AD DS). Recovery information for BitLocker includes the recovery password for each BitLocker-enabled volume, and the information required to identify which computers and volumes the recovery information applies to.

You can also configure systems to back up a binary package containing the actual keying information in an encrypted form. Recovery information is not backed up by default, but administrators can configure backup by using Group Policy settings. For more information, see "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkID=67438).

Event Details

Product: Windows Operating System
ID: 514
Source: Microsoft-Windows-BitLocker-API
Version: 6.1
Symbolic Name: FVEAPIEVENT_AD_PASSWORD_BACKUP_FAILED
Message: Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
Errorcode: %2
Protector GUID: %1
Volume GUID: %3

Diagnose

This error might be caused by one of the following conditions:

BitLocker has been configured by local policy or Group Policy to back up recovery information to AD DS, and:

  • The computer was not connected to your organization's network.
  • The computer cannot reach a writable domain controller due to connectivity issues.
  • The computer is not a member of an AD DS domain.
  • The AD DS domain has not been properly configured to store recovery information.

The computer was not connected to your organization's network

To back up recovery passwords to AD DS, your computer must be connected to your organization's network (that is, the domain network) when you are enabling BitLocker. If you have enabled BitLocker while disconnected from the network, or while accessing a network outside of your domain, such as a home network, a hotel network, or "hotspot," BitLocker will not be able to back up your recovery password.

If the computer was not connected to your organization's network, see the section titled "Connect to your organization's network and recreate the recovery password."

The computer cannot reach a writable domain controller due to connectivity issues

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

To determine whether the computer can reach a domain controller:

  1. Open a Command Prompt window.
  2. Type ipconfig /all at the command prompt. Make sure that the computer has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
  3. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
  4. Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
  5. Type ping dns_server, where dns_server is the IP address for the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers. DNS servers are used to locate domain controllers.
  6. If your domain controllers are separate from your DNS servers, type ping domain_controller where domain_controller is the IP address for the domain controller. If there is more than one domain controller on your network, you should ping each one. If you cannot ping the domain controllers, this indicates a potential problem with the domain controller, or with the network between the computer and the domain controller.
  7. Type nslookup domain_controller, where domain_controller is the name of the domain controller, and then press ENTER. If the nslookup does not return an associated IP address for the domain controller, this may indicate that there is an issue with the DNS cache. To flush the DNS cache, type ipconfig /flushdns at a command prompt.
  8. You may also use a tool such as PortQry or NetDiag to test connectivity between the computer and the domain. Alternatively, try accessing other resources hosted on a known domain controller, such as the Netlogon share. For more information about using PortQry, see https://go.microsoft.com/fwlink/?LinkId=99545. For more information about NetDiag, see https://go.microsoft.com/fwlink/?LinkId=99547.
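The following PowerShell script is an added example, not part of the original article; it performs the checks in steps 2 through 8 above (and the identical list under "Restore connectivity between the computer and the domain controllers" in the Resolve section) in one pass. It needs only PowerShell 2.0, which is built into Windows Server 2008 R2 and Windows 7, and no Active Directory module. It locates a writable domain controller through the same DC locator that BitLocker relies on, then checks the Netlogon share over SMB. The optional $DomainName parameter is an assumption of this example; by default it uses the domain the computer is joined to.

```powershell
# Added example (not from the original article). Read-only connectivity checks
# for BitLocker recovery password backup to AD DS. Runs as a standard domain user.
Add-Type -AssemblyName System.DirectoryServices

function Test-BitLockerAdBackupConnectivity {
    param([string]$DomainName)   # assumption: empty means "the computer's own domain"

    $results = @()
    $nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' }

    foreach ($nic in $nics) {
        $ipProps = $nic.GetIPProperties()
        # Step 2: an APIPA (169.254.x.x) address means DHCP failed; AD DS is unreachable.
        foreach ($ua in $ipProps.UnicastAddresses) {
            $ip = $ua.Address
            if ($ip.AddressFamily -ne 'InterNetwork') { continue }
            $results += New-Object PSObject -Property @{
                Check = "IPv4 address on $($nic.Name)"; Target = $ip.ToString()
                Passed = -not $ip.ToString().StartsWith('169.254.') }
        }
        # Step 5: DNS servers are what the domain controller locator depends on.
        foreach ($dns in $ipProps.DnsAddresses) {
            if ($dns.AddressFamily -ne 'InterNetwork') { continue }
            $ok = Test-Connection -ComputerName $dns.ToString() -Count 1 -Quiet -ErrorAction SilentlyContinue
            $results += New-Object PSObject -Property @{
                Check = 'Ping DNS server'; Target = $dns.ToString(); Passed = [bool]$ok }
        }
    }

    # Steps 6-8: locate a *writable* DC the way BitLocker does (DsGetDcName with the
    # writable flag), then confirm its Netlogon share is reachable over SMB.
    try {
        if (-not $DomainName) {
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        } else {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        }
        $dc = $domain.FindDomainController([System.DirectoryServices.ActiveDirectory.LocatorOptions]::WriteableRequired)
        $results += New-Object PSObject -Property @{
            Check = 'Writable DC located'; Target = $dc.Name; Passed = $true }
        $share = "\\$($dc.Name)\NETLOGON"
        $results += New-Object PSObject -Property @{
            Check = 'Netlogon share reachable'; Target = $share; Passed = (Test-Path -Path $share) }
    } catch {
        # Thrown when the computer is not domain-joined or no DC can be reached;
        # the exception text says which, so it is reported as the target.
        $results += New-Object PSObject -Property @{
            Check = 'Writable DC located'; Target = $_.Exception.Message; Passed = $false }
    }

    $results | Select-Object Check, Target, Passed
}

Test-BitLockerAdBackupConnectivity | Format-Table -AutoSize
```

A "Writable DC located" failure whose target text mentions that the domain could not be found points at the next cause in this article (the computer is not a domain member); a DNS ping failure with a valid IPv4 address points at name resolution rather than at BitLocker.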

If the computer cannot reach a writable domain controller due to connectivity issues, see the section titled "Establish connectivity and recreate the recovery password."

The computer is not a member of an AD DS domain

In order for BitLocker to be able to back up recovery passwords to AD DS, the computer must be a member of an AD DS domain whose domain controllers run Windows Server 2003 with SP1 or later (a Windows Server 2003 SP1 domain requires the schema extension described in the referenced configuration document).

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

To determine whether the computer is a member of a domain:

  1. Click Start, right-click Computer, and then click Properties.
  2. In the Computer name, domain, and workgroup settings section, the last entry contains the name of the computer's workgroup or domain.
  3. If the entry indicates that the computer is a member of a Workgroup, then it is not a member of a domain.

If the computer is not a member of an AD DS domain, see the section titled "Join the computer to a domain and recreate the recovery password."

The AD DS domain has not been properly configured to store recovery information

Backing up the recovery information in AD DS requires specific configuration steps. Microsoft has published extensive guidance and tools to facilitate the configuration.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To determine the configuration of AD DS:

  1. Review the information provided in "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkId=67438).
  2. After reviewing all of the information, use a tool such as ADSIedit.msc or LDP.exe to verify that the required attributes and objects were created.
  3. Run the list-ace.vbs script as described in Appendix F and compare the reported output with the configuration described in the document.
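The following PowerShell script is an added example, not part of the original article and not one of the scripts shipped with the referenced Microsoft document; it performs, in-process, the same verification that steps 2 and 3 above describe with ADSIedit.msc, LDP.exe and list-ace.vbs, and it can be rerun after the "Configure AD DS to back up BitLocker recovery information" procedure in the Resolve section. It checks that the msFVE-RecoveryInformation class and its attributes exist in the schema, that NT AUTHORITY\SELF (the computer account BitLocker runs as) is allowed to create msFVE-RecoveryInformation child objects under the computer object, and lists any recovery information already stored there. Reading the schema and a computer object's DACL needs only a domain user; the $ComputerName default of the local computer is an assumption of this example.

```powershell
# Added example (not from the original article or the referenced Microsoft scripts).
# Read-only check of the AD DS configuration BitLocker needs for recovery backup.
Add-Type -AssemblyName System.DirectoryServices

function Find-SchemaObject {
    param([string]$SchemaNC, [string]$LdapDisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SchemaNC"
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    $null = $searcher.PropertiesToLoad.Add('schemaIDGUID')
    $searcher.FindOne()
}

function Test-BitLockerAdDsConfiguration {
    param([string]$ComputerName = $env:COMPUTERNAME)   # assumption: local computer by default

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $schemaNC  = $rootDse.schemaNamingContext[0]
    $defaultNC = $rootDse.defaultNamingContext[0]

    # 1. Schema: the class BitLocker creates and the attributes it fills in (plus the
    #    TPM owner attribute the same document covers). Windows Server 2008 and later
    #    forests ship these; a Windows Server 2003 SP1 forest needs the extension.
    $required = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
                'msFVE-VolumeGuid', 'msFVE-KeyPackage', 'msTPM-OwnerInformation'
    $schema = @{}
    foreach ($name in $required) { $schema[$name] = ((Find-SchemaObject $schemaNC $name) -ne $null) }

    $classGuid = $null
    $classObj = Find-SchemaObject $schemaNC 'msFVE-RecoveryInformation'
    if ($classObj) { $classGuid = New-Object Guid (,$classObj.Properties['schemaidguid'][0]) }

    # 2. Permissions: the computer account (SELF) must be able to create
    #    msFVE-RecoveryInformation children under its own computer object. This is
    #    what list-ace.vbs reports; here the DACL is read and filtered directly.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $ComputerName not found under $defaultNC" }

    $computer = $result.GetDirectoryEntry()
    $rules = $computer.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $selfCanCreate = $false
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SELF') { continue }
        $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
        if (($ace.ActiveDirectoryRights -band $create) -eq 0) { continue }
        # A CreateChild ACE for all classes, or one scoped to this class, both qualify.
        if ($ace.ObjectType -eq [Guid]::Empty -or ($classGuid -and $ace.ObjectType -eq $classGuid)) {
            $selfCanCreate = $true
        }
    }

    # 3. What is already stored: one child object per backed-up recovery password,
    #    named after the backup time and the recovery password ID.
    $stored = @($computer.Children | Where-Object { $_.SchemaClassName -eq 'msFVE-RecoveryInformation' })

    New-Object PSObject -Property @{
        SchemaPresent         = $schema
        SelfCanCreateChild    = $selfCanCreate
        StoredRecoveryObjects = @($stored | ForEach-Object { $_.Name })
    }
}

Test-BitLockerAdDsConfiguration | Format-List
```

If SchemaPresent shows any $false entry, the schema extension has not been applied; if SelfCanCreateChild is $false on a computer whose schema is complete, the permission step of the referenced document is what is missing, and that is the condition that produces Event 514 on an otherwise connected, domain-joined computer.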

If the AD DS domain has not been properly configured to store recovery information, see the section titled "Reconfigure AD DS and recreate the recovery password."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

Cause                                                                            Resolution
-------------------------------------------------------------------------------  ----------------------------------------------------------------------------
The computer was not connected to your organization's network                   Connect to your organization's network and recreate the recovery password
The computer cannot reach a writable domain controller due to connectivity issues  Establish connectivity and recreate the recovery password
The computer is not a member of an AD DS domain                                 Join the computer to a domain and recreate the recovery password
The AD DS domain has not been properly configured to store recovery information  Reconfigure AD DS and recreate the recovery password

Connect to your organization's network and recreate the recovery password

Connect the computer to a domain network

First, connect to your organization's network by using one of the following methods:

  • Establish a wired connection at a physical site operated by your organization.
  • Connect by using a wireless network provided by your organization that connects to your internal network.
  • If available, connect remotely to your organization's network by using a virtual private network (VPN).

Then, in order to force BitLocker to back up the recovery passwords to AD DS, recreate the recovery password by using the following procedure.

Recreate the recovery password

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To create and back up a new BitLocker recovery password:

  1. Click Start.
  2. Type cmd in the Start Search box.
  3. Right-click cmd.exe in the Programs section of the search results.
  4. Click Run as administrator.
  5. If the User Account Control prompt appears, verify that the displayed action is what you requested, and then click Continue.
  6. At the elevated command prompt, type manage-bde -protectors -delete c: -type recoverypassword where c: is the volume encrypted with BitLocker. This step removes any existing recovery password. (On Windows Server 2008 R2 and Windows 7, manage-bde is a native program; on Windows Vista and Windows Server 2008 it is a script, and the command is cscript manage-bde.wsf -protectors -delete c: -type recoverypassword.) If the existing recovery password is valid and only its backup failed, you can skip steps 6 and 7 and instead type manage-bde -protectors -adbackup c: -id {ID}, where {ID} is the recovery password ID shown by manage-bde -protectors -get c:; this backs up the existing password without replacing it.
  7. At the elevated command prompt, type manage-bde -protectors -add c: -recoverypassword where c: is the volume encrypted with BitLocker. This step creates a new recovery password, and if configured, causes the new recovery password to be backed up to Active Directory Domain Services. Between step 6 and the completion of this step the volume has no recovery password, so do not restart the computer or close the window until this step succeeds, and record the new password it displays.
  8. Close the Command Prompt window.

Establish connectivity and recreate the recovery password

The following procedures describe the steps to troubleshoot a network connection and then recreate BitLocker recovery passwords for backup to AD DS after connectivity has been restored.

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

Restore connectivity between the computer and the domain controllers

To restore connectivity between the computer and the domain controllers:

  1. Determine at what point connectivity is failing by using network troubleshooting steps such as the following:
    • Open a Command Prompt window.
    • Type ipconfig /all at the command prompt. Make sure that the computer has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
    • Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
    • Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
    • Type ping dns_server, where dns_server is the IP address for the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers. DNS servers are used to locate domain controllers.
    • If your domain controllers are separate from your DNS servers, type ping domain_controller where domain_controller is the IP address for the domain controller. If there is more than one domain controller on your network, you should ping each one. If you cannot ping the domain controllers, this indicates a potential problem with the domain controller, or with the network between the computer and the domain controller.
    • Type nslookup domain_controller, where domain_controller is the name of the domain controller, and then press ENTER. If the nslookup does not return an associated IP address for the domain controller, this may indicate that there is an issue with the DNS cache. To flush the DNS cache, type ipconfig /flushdns at the command prompt.
  2. Resolve any networking issues. If you are unable to discover or resolve the networking issue, contact your help desk or support organization for assistance.

Recreate and back up a new BitLocker recovery password

After connectivity has been restored, in order to force BitLocker to back up the recovery passwords to AD DS, recreate the recovery password by using the following procedure.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To create and back up a new BitLocker recovery password:

  1. Click Start.
  2. Type cmd in the Start Search box.
  3. Right-click cmd.exe in the Programs section of the search results.
  4. Click Run as administrator.
  5. If the User Account Control prompt appears, verify the displayed action is what you requested, and click Continue.
  6. At the elevated command prompt, type manage-bde -protectors -delete c: -type recoverypassword where c: is the volume encrypted with BitLocker. This step removes any existing recovery password. (On Windows Server 2008 R2 and Windows 7, manage-bde is a native program; on Windows Vista and Windows Server 2008 it is a script, and the command is cscript manage-bde.wsf -protectors -delete c: -type recoverypassword.) If the existing recovery password is valid and only its backup failed, you can skip steps 6 and 7 and instead type manage-bde -protectors -adbackup c: -id {ID}, where {ID} is the recovery password ID shown by manage-bde -protectors -get c:; this backs up the existing password without replacing it.
  7. At the elevated command prompt, type manage-bde -protectors -add c: -recoverypassword where c: is the volume encrypted with BitLocker. This step creates a new recovery password, and if configured, causes the new recovery password to be backed up to Active Directory Domain Services. Between step 6 and the completion of this step the volume has no recovery password, so do not restart the computer or close the window until this step succeeds, and record the new password it displays.
  8. Close the Command Prompt window.

Join the computer to a domain and recreate the recovery password

Join the computer to a domain, and then recreate the BitLocker recovery passwords for backup.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Join the computer to a domain

To join the computer to a domain:

  1. Click Start, right-click Computer, and then click Properties.
  2. Under the heading Computer name, domain and workgroup settings, click Change settings.
  3. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  4. Click Change.
  5. Select the Domain option.
  6. Type the name of the domain you want to join in the text box.
  7. Click OK.
  8. In the Windows Security dialog box, type the name and password of a domain account that has permissions to join a computer to the domain, and click OK.
  9. In the Computer Name/Domain Changes dialog box, click OK.
  10. In the next Computer Name/Domain Changes dialog box, click OK.
  11. In the System Properties dialog box, click Close.
  12. In the Microsoft Windows dialog box, click Restart Now.

Back up the BitLocker recovery password to AD DS

To create and back up a new BitLocker recovery password:

  1. Click Start.
  2. Type cmd in the Start Search box.
  3. Right-click cmd.exe in the Programs section of the search results.
  4. Click Run as administrator.
  5. If the User Account Control prompt appears, verify the displayed action is what you requested, and then click Continue.
  6. At the elevated command prompt, type manage-bde -protectors -delete c: -type recoverypassword where c: is the volume encrypted with BitLocker. This step removes any existing recovery password. (On Windows Server 2008 R2 and Windows 7, manage-bde is a native program; on Windows Vista and Windows Server 2008 it is a script, and the command is cscript manage-bde.wsf -protectors -delete c: -type recoverypassword.) If the existing recovery password is valid and only its backup failed, you can skip steps 6 and 7 and instead type manage-bde -protectors -adbackup c: -id {ID}, where {ID} is the recovery password ID shown by manage-bde -protectors -get c:; this backs up the existing password without replacing it.
  7. At the elevated command prompt, type manage-bde -protectors -add c: -recoverypassword where c: is the volume encrypted with BitLocker. This step creates a new recovery password, and if configured, causes the new recovery password to be backed up to Active Directory Domain Services. Between step 6 and the completion of this step the volume has no recovery password, so do not restart the computer or close the window until this step succeeds, and record the new password it displays.
  8. Close the Command Prompt window.

Reconfigure AD DS and recreate the recovery password

Configuring your domain for backup of BitLocker recovery information involves verifying or extending your AD DS schema, correctly configuring permissions on directory objects, and configuring clients with Group Policy or local policies to back up the recovery information.

The first of the following procedures describes the resources to help you configure a domain to back up BitLocker recovery passwords, and the second procedure provides the steps to recreate BitLocker recovery passwords for backup to AD DS after the domain has been configured.

Configure AD DS to back up BitLocker recovery information

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To configure AD DS to back up BitLocker recovery information:

  1. Review the information provided in "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkId=67438).
  2. Use the scripts provided to configure your domain correctly.

Note: We recommend that you first test the new configuration in a test environment.

Recreate and back up the BitLocker recovery password to AD DS

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To create and back up a new BitLocker recovery password:

  1. Click Start.
  2. Type cmd in the Start Search box.
  3. Right-click cmd.exe in the Programs section of the search results.
  4. Click Run as administrator.
  5. If the User Account Control prompt appears, verify the displayed action is what you requested, and click Continue.
  6. At the elevated command prompt, type manage-bde -protectors -delete c: -type recoverypassword where c: is the volume encrypted with BitLocker. This step removes any existing recovery password. (On Windows Server 2008 R2 and Windows 7, manage-bde is a native program; on Windows Vista and Windows Server 2008 it is a script, and the command is cscript manage-bde.wsf -protectors -delete c: -type recoverypassword.) If the existing recovery password is valid and only its backup failed, you can skip steps 6 and 7 and instead type manage-bde -protectors -adbackup c: -id {ID}, where {ID} is the recovery password ID shown by manage-bde -protectors -get c:; this backs up the existing password without replacing it.
  7. At the elevated command prompt, type manage-bde -protectors -add c: -recoverypassword where c: is the volume encrypted with BitLocker. This step creates a new recovery password, and if configured, causes the new recovery password to be backed up to Active Directory Domain Services. Between step 6 and the completion of this step the volume has no recovery password, so do not restart the computer or close the window until this step succeeds, and record the new password it displays.
  8. Close the Command Prompt window.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that new recovery passwords are being backed up to AD DS:

  1. Click Start, and then click All Programs.
  2. Click Administrative Tools, and then click Event Viewer.
  3. Expand Windows Logs.
  4. Click System.
  5. Review the System log for Event 513 from the Microsoft-Windows-BitLocker-API event source, which indicates that the recovery password has been backed up. A further Event 514 from the same source means the backup failed again; its Errorcode field identifies the underlying error.

Note: BitLocker attempts to back up recovery information only when BitLocker is turned on for a particular volume, or a new recovery password is created manually.
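The following PowerShell script is an added example, not part of the original article; it carries out the "Recreate the recovery password" procedure that each resolution above repeats, followed by the Verify step, through the WMI class that manage-bde itself uses (Win32_EncryptableVolume in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace). One design choice is this example's own rather than the article's: it backs up the existing recovery password, or adds a new one, before deleting anything, so the volume is never left without a recovery password if the backup to AD DS fails. Run it from an elevated PowerShell 2.0 prompt on the BitLocker-protected computer; the default drive letter C: and the -Recreate switch name are assumptions of this example.

```powershell
# Added example (not from the original article). Back up (or recreate and back up)
# a BitLocker recovery password to AD DS, then check for Event 513/514.
function Backup-BitLockerRecoveryPasswordToAd {
    param(
        [string]$DriveLetter = 'C:',   # assumption: operating system volume
        [switch]$Recreate               # add a fresh password, then delete the old ones
    )
    $start = Get-Date
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume $DriveLetter" }

    # Key protector type 3 = numerical (recovery) password. Drop $null when there are none.
    $existing = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })

    if ($Recreate -or $existing.Count -eq 0) {
        # A null NumericalPassword makes BitLocker generate the 48-digit password itself.
        $add = $vol.ProtectKeyWithNumericalPassword($null, $null)
        if ($add.ReturnValue -ne 0) {
            throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $add.ReturnValue)
        }
        $toBackup = @($add.VolumeKeyProtectorID)
    } else {
        # Same effect as "manage-bde -protectors -adbackup": back up what already exists.
        $toBackup = $existing
    }

    $report = foreach ($id in $toBackup) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        New-Object PSObject -Property @{
            ProtectorID = $id
            ReturnValue = ('0x{0:X8}' -f $r.ReturnValue)   # 0x00000000 = backed up
        }
    }

    # Remove the old passwords only once the new one is confirmed in AD DS.
    $failed = @($report | Where-Object { $_.ReturnValue -ne '0x00000000' })
    if ($Recreate -and $failed.Count -eq 0) {
        foreach ($id in $existing) { $null = $vol.DeleteKeyProtector($id) }
    }

    # Verify: 513 = recovery information backed up, 514 = the failure this article covers.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-BitLocker-API'
        Id = 513, 514; StartTime = $start } -ErrorAction SilentlyContinue

    $report | Select-Object ProtectorID, ReturnValue
    $events | Select-Object TimeCreated, Id, Message
}

Backup-BitLockerRecoveryPasswordToAd -DriveLetter 'C:'
```

Without -Recreate the script only backs up the recovery passwords the volume already has, which is the right action when the password itself is fine and only the backup failed (the computer was off the network when BitLocker was turned on). A non-zero ReturnValue paired with Event 514 in the output means the cause in the Diagnose section has not actually been resolved.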
