Share via


BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS

Applies To: Windows Server 2008, Windows Vista

This document shows how organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-encrypted data. We recommend that you create a thorough recovery model for BitLocker while you are planning your BitLocker deployment.

What Is in This Document?

This article contains detailed information that you can use while planning your BitLocker recovery process for Windows® 7, and Windows Server® 2008 R2.

To understand and apply this article properly, you should understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.

This document contains the following topics:

  • What Is BitLocker Recovery?

  • Testing Recovery

  • Planning Your Recovery Process

  • Using Additional Recovery Information

  • Appendix A: Delegating Permission

  • Appendix B: Resetting Recovery Passwords

  • Appendix C: Retrieving the BitLocker Key Package

  • Appendix D: Saving the TPM Information

What Is Not in This Document?

This article does not detail how to configure AD DS to store the BitLocker recovery information, but it does highlight how your organization can plan your recovery process. You can also recover BitLocker-enabled volumes by using Windows Recovery Environment (Windows RE) and by entering the recovery password during startup.

For more information about how to store recovery information in AD DS, see Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information (https://go.microsoft.com/fwlink/?LinkId=82827).

What Is BitLocker Recovery?

BitLocker recovery is the process by which you can restore access to a BitLocker protected drive in the event that you cannot unlock the drive normally. In arecovery scenario you have the following options to restore access to the drive:, the stored recovery password in AD DS can be used to unlock and access the drive. This stored password can recover BitLocker, regardless of what authentication method is used. If your organization has implemented data recovery agents, their credentials can also be used to recover access to a BitLocker-protected drive.

  • The user can supply the recovery password or recovery key. If your organization allows usrs to print or store recovery information when they turn on BitLocker, the user can insert the USB drive that contains the recovery key or can type in the 48-digit recovery password that they printed.

  • A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer running Windows 7 for the data recovery agent to unlock it.

  • A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed.

What causes BitLocker recovery?

Some of the causes of BitLocker recovery include:

  • An attacker has modified your computer. This is applicable for a computer with a Trusted Platform Module (TPM) because the TPM checks the integrity of boot components during startup.

  • Moving the BitLocker-protected drive into a new computer.

  • Upgrading to a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Upgrading critical early boot components that cause the TPM to fail validation.

  • Forgetting the PIN when PIN authentication is enabled.

  • Losing the pluggable USB flash drive that contains the startup key, when startup key authentication is enabled.

Note

Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. If an attacker modified your computer and you do not address that problem before initiating recovery, you might find that you must continually perform recovery on your BitLocker-enabled volume due to attacks.

For planned scenarios, such as a known hardware upgrade, you can avoid initiating recovery by temporarily disabling BitLocker protection. Because disabling BitLocker leaves the drive fully encrypted, the administrator can quickly re-enable BitLocker protection after the planned task has been completed. To disable BitLocker temporarily, use the control panel, the command-line tool, or a deployed script that invokes the corresponding Windows Management Instrumentation (WMI) interface method.

Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.

Testing Recovery

Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password).

Use the following table to determine how best to test recovery in your organization. The authentication method column shows BitLocker authentication methods. Choose the authentication method that aligns to the authentication method that you have implemented in your test environment.

Authentication method How to initiate recovery

TPM + PIN

  • Withhold PIN during startup.

  • Remove key protector associated with the PIN.

TPM + startup key

  • Withhold startup key during startup.

  • Remove key protector associated with the startup key.

Startup key

  • Withhold startup key during startup.

  • Remove key protector associated with the startup key.

All TPM-based authentication methods

  • Remove the key protector associated with the TPM.

  • Turn off the TPM.

Withhold PIN during startup

You can initiate recovery by not entering the PIN when the computer starts up or by entering an incorrect PIN. When you do not enter the PIN, the pre-Windows recovery console displays a screen for entering a recovery password.

Withhold startup key during startup

You can initiate recovery by not inserting the USB flash drive, which contains the startup key, when the computer starts up. When you do not provide the startup key, the pre-Windows recovery console displays a screen for entering a recovery password.

Remove key protector associated with the TPM

Without TPM-based key protectors, a user can unlock the drive only by using a recovery password or a recovery key.

To force a recovery for the local computer

  1. Click the Start button, type cmd in the Start Search box, right-click cmd.exe, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command and then press ENTER:

    cscript manage-bde.wsf -forcerecovery <Volume>

Note

<Volume> represents the volume that is protected with BitLocker.

To force recovery for a remote computer

  1. Click the Start button, type cmd in the Start Search box, right-click cmd.exe, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command and then press ENTER:

    cscript manage-bde.wsf -ComputerName <ComputerName>-forcerecovery <Volume>

Note

<ComputerName> represents the name of the remote computer. <Volume> represents the volume on the remote computer that is protected with BitLocker.

Turn off the TPM

You can use the TPM Management Microsoft Management Console (MMC) snap-in to turn off the TPM.

To turn off the TPM using the TPM Management snap-in

  1. Click the Start button, type tpm.msc in the Start Search box, and then click tpm.msc.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, select the TPM.

  4. In the Actions pane, click Turn off the TPM, and then type the TPM owner password in the wizard.

You can also write a script using the TPM WMI interface to retrieve the stored TPM owner password hash automatically, and then use that hash to turn off the TPM locally or remotely.

Planning Your Recovery Process

When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smartcard PIN resets? Use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.

After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.

When you determine your recovery process, you should:

  • Become familiar with how you can retrieve the recovery password. See:

    • Self-recovery

    • Recovery password retrieval

  • Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:

    • Post-recovery analysis

Self-recovery

In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. For instance, you might want users to contact Helpdesk before or after performing self-recovery so that the root cause can be identified.

Recovery password retrieval

If the user does not have a recovery password as a printout or on a USB flash drive, the user will need to contact Helpdesk.

Note

When you plan your recovery password retrieval process, you must consider that the entire support process might occur over the phone.

The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. Because the Active Directory Users and Computers snap-in is not yet available for Windows Vista, the viewer tool must be installed on a Windows Server 2003 or Windows XP computer. For information about how to obtain the tool, and to learn about its usage, see the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=93476).

You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.

  • Record the name of the user's computer

  • Verify the user's identity

  • Locate the recovery password in AD DS

  • Gather information to determine why recovery occurred

  • Give the user the recovery password

Record the name of the user's computer

You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive Encryption Password Entry user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.

Verify the user's identity

You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. Another option is to verify that the computer with the name the user provided belongs to the user.

Locate the recovery password in AD DS

Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.

Multiple recovery passwords

If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.

If at any time you are unsure what password to provide, or if you fear that you might be providing the incorrect password, ask the user to read the password ID that is displayed in the recovery console. You might not need the user to read the entire ID to narrow down to one of the passwords for a computer. The first eight characters or last six characters should be sufficient.

Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.

Gather information to determine why recovery occurred

Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see Post-recovery analysis.

Give the user the recovery password

Because the recovery password is 48 digits long, we recommend that you tell the user to record the password by writing it down or typing it on a different computer. Once recovery is initiated, the user will continue to encounter the BitLocker recovery console every time the computer starts up. (Exceptions are if the user finds or remembers a startup key or PIN shortly after calling Helpdesk.) To avoid repeat calls to Helpdesk before post-recovery analysis can be performed, Helpdesk can alert the user to write down the recovery password and keep it in a safe place (for example, in a wallet). During post-recovery analysis, an administrator can refresh the drive's BitLocker protection to avoid recovery on every startup. For more information about post-recovery analysis, see Post-recovery analysis.

Note

Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.

Post-recovery analysis

BitLocker treats accessing a volume by using a recovery password in the same way as accessing the volume by using a non-recovery method (such as the TPM). Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. Once the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.

If the user shuts down the computer or allows it to go into hibernation, BitLocker relocks the encrypted volume and forces the computer into recovery again. As a result, the user should have a recovery password on hand until an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker protection so that the user no longer needs to enter a recovery password each time that the computer starts up. See:

  1. Determine the root cause of the recovery

  2. Resolve the root cause

Determine the root cause of the recovery

If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.

While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.

Review and answer the following questions for your organization:

  1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)?

  2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?

  3. If TPM mode was in effect, was recovery caused by a boot file change?

  4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?

  5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?

  6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?

To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, manage-bde -status). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.

Resolve the root cause

Once you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.

The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.

Note

You can always perform a BitLocker reset by decrypting the volume and then re-enabling BitLocker. You can also choose to reinstall the operating system and then re-enable BitLocker.

  • Unknown PIN

  • Lost startup key

  • Change to boot files and reason is known

  • Change to boot files and reason is unknown

  • Invalid TPM settings and reason is known

  • Invalid TPM settings and reason is unknown

  • Invalid system state

Unknown PIN

If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.

To prevent continued recovery due to an unknown PIN

  1. Log on as an administrator.

  2. Reset the PIN:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys, and then click Reset the PIN.

  3. Customize and run the script in Appendix B: Resetting Recovery Passwords to reset the recovery password.

  4. Duplicate the recovery password:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys, and then click Duplicate the recovery password.

Lost startup key

If you have lost the USB flash drive that contains the startup key, then you must turn off BitLocker and then turn it back on in order to prevent BitLocker from entering recovery each time the computer is restarted.

To prevent continued recovery due to a lost startup key

  1. Log on as an administrator to the computer that has the lost startup key.

  2. Turn off BitLocker and decrypt all drives:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn Off BitLocker.

    5. In the BitLocker Drive Encryption dialog box, click Decrypt all drives.

  3. Turn on BitLocker and re-encrypt all drives:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn On BitLocker.

    5. In the BitLocker Drive Encryption dialog box, create a new startup key and recovery password.

Alternatively, an administrator can use the BitLocker command-line tool manage-bde to remove the old startup key and add a new one.

Change to boot files and reason is known

This error might occur if you knowingly updated the system BIOS. You must perform several steps to ensure that BitLocker does not continue to enter recovery each time that the computer is started.

To prevent continued recovery due to an updated system BIOS

  1. Log on as an administrator to the computer that has the forgotten PIN.

  2. Turn off BitLocker without decrypting the drives:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn Off BitLocker.

    5. In the BitLocker Drive Encryption dialog box, click Disable BitLocker.

  3. Turn on BitLocker:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn On BitLocker.

    5. In the BitLocker Drive Encryption dialog box, create a new startup key and recovery password.

  4. Customize and run the script in Appendix B: Resetting Recovery Passwords to reset the recovery password.

  5. Duplicate the recovery password:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys.

    5. In the BitLocker Drive Encryption dialog box, click Duplicate the recovery password.

Change to boot files and reason is unknown

This error might occur if malicious software has modified the system boot files. You must perform several steps to ensure that BitLocker does not continue to enter recovery each time that the computer is started.

To prevent continued recovery due to a change to the boot files with an unknown reason

  1. Log on to the computer as an administrator.

  2. Back up all important data on the computer to a location outside of the computer, such as a shared folder.

  3. Reinstall Windows Vista.

  4. Turn on BitLocker:

    1. Log on to the computer as an administrator.

    2. Click Start, and then click Control Panel.

    3. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    5. In the BitLocker Control Panel item, click Turn On BitLocker.

    6. In the BitLocker Drive Encryption dialog box, create a new startup key and recovery password.

  5. Investigate whether the issue has been resolved. If pre-operating system malicious software has been installed on the computer, you might have to issue the user a new computer.

Invalid TPM settings and reason is known

This type of error might occur if you disabled the TPM. You must perform several steps to ensure that BitLocker does not continue to enter recovery each time that the computer is started.

To prevent recovery due to invalid TPM settings due to a known reason

  1. Undo the setting change to the TPM.

    1. Click the Start button, type tpm in the Start Search box, and then click tpm.msc.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    3. In the Actions pane, click the option that will reverse the TPM setting that caused the error.

      For example, if you had disabled the TPM, you should click Turn TPM On to re-enable the TPM.

  2. Customize and run the script in Appendix B: Resetting Recovery Passwords to reset the recovery password.

  3. Duplicate the recovery password:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys.

    5. In the BitLocker Drive Encryption dialog box, click Duplicate the recovery password.

Invalid TPM settings and reason is unknown

This type of error might occur if malicious software disabled the TPM. You must perform several steps to ensure that BitLocker does not continue to enter recovery each time that the computer is started.

To prevent recovery due to invalid TPM settings due to an unknown reason

  1. Turn off BitLocker without decrypting the drives:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn Off BitLocker.

    5. In the BitLocker Drive Encryption dialog box, click Disable BitLocker.

  2. Clear the TPM:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the left pane, under See also, click TPM Administration.

    5. In the Actions pane, click Clear TPM.

  3. Initialize the TPM:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the left pane, under See also, click TPM Administration. The TPM Management console is displayed.

    5. In the Actions pane, click Initialize TPM. The TPM Initialization Wizard is started.

Note

If the TPM has never been turned on or is currently turned off, the TPM Initialization Wizard displays the Turn on the TPM Security Hardware page. Read the instructions on this page, and then go to step 6 of this procedure. If the TPM is already turned on, the TPM Initialization Wizard displays the Create the TPM owner password page. Continue to the next step to set ownership of the TPM. If the TPM Initialization Wizard detects a BIOS that does not meet Windows Vista requirements, you cannot continue with the wizard, and you will be alerted to consult the computer manufacturer's documentation for instructions for initializing the TPM.

6.  Restart the computer and follow the BIOS screen prompts.  
      
7.  After the computer restarts, but before you log on to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user is physically present, and that it is not malicious software attempting to initialize the TPM.  
      

Note

BIOS screen prompts and wording vary by computer manufacturer.

8.  After logging on to Windows, right-click the **Windows Defender** icon in the notification area, point to **Run blocked program**, and then click **TPM Initialization Wizard.**  
      
9.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Continue**.  
      
  1. Set ownership of the TPM:

Note

The TPM must also be owned before it can be used to help secure your computer. By setting ownership of the TPM, you are assigning a password that helps ensure only the authorized TPM owner can access and manage the TPM. The TPM password is also used to turn off the TPM if you no longer want to use it, or to clear the TPM if the computer is to be recycled. The following procedure steps you through the process of setting ownership of the TPM using the TPM Initialization Wizard.

1.  On the **Create the TPM owner** password page, click **Automatically create the password (recommended)**.  
      
2.  In the **Save your TPM owner password** dialog box, click **Save the password**.  
      
3.  In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *\<ComputerName\>*.tpm.  
      

Important

We highly recommend saving the TPM owner password to removable media.

4.  Click **Print the password** if you want to print a hard copy of your password.  
      

Important

We highly recommend printing a hard copy of your TPM owner password and storing it in a safe location.

5.  Click **Initialize**. The process of initializing the TPM might take a few minutes to complete.  
      
6.  Click **Close**.  
      

Warning

Do not lose your password. If you do, you will be unable to make changes to your TPM that require the owner password unless you clear the TPM.

  1. Turn on BitLocker:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Turn On BitLocker.

  2. Customize and run the script in Appendix B: Resetting Recovery Passwords to reset the recovery password.

  3. Duplicate recovery password:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys.

    5. In the BitLocker Drive Encryption dialog box, click Duplicate the recovery password.

Invalid system state

You must perform several steps to ensure that BitLocker does not continue to enter recovery each time that the computer is started.

To prevent recovery due to an invalid system state

  1. Review the error message in the recovery console, and follow the steps detailed there, if possible.

  2. Customize and run the script in Appendix B: Resetting Recovery Passwords to reset the recovery password.

  3. Duplicate the recovery password:

    1. Click the Start button, and then click Control Panel.

    2. In Control Panel, click Security, and then click BitLocker Drive Encryption.

    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    4. In the BitLocker Control Panel item, click Manage BitLocker Keys.

    5. In the BitLocker Drive Encryption dialog box, click Duplicate the recovery password.

Using Additional Recovery Information

Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.

BitLocker key package

If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.

You must use the BitLocker Repair tool to use the BitLocker key package. For more information about how to obtain and use the BitLocker Repair Tool, see article 928201 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=91736).

The BitLocker key package is saved in the same AD DS location as the recovery password. You can also export the key package from a working volume. For more details on how to export key packages, see Appendix C: Retrieving the BitLocker Key Package.

TPM information

You can store the TPM owner password in AD DS. However, unlike BitLocker recovery passwords, only one piece of TPM information can be saved per computer. This stored TPM information is also known as the TPM owner authorization, because it allows administrators to perform operations that require the approval of the TPM owner. For example, an administrator can use the TPM owner authorization to clear the TPM on a group of decommissioned computers in a remote network. This type of operation is not possible without the saved TPM information.

For more information about TPM management scenarios, see Windows Trusted Platform Module Management Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=82830).

For more information about writing scripts that work with the TPM, including a list of supported methods that require TPM owner authorization, see the TPM WMI provider documentation (https://go.microsoft.com/fwlink/?LinkId=91734).

For more information about how you can save the TPM information, see Appendix D: Saving the TPM Information.

Appendix A: Delegating Permission

Organizations that use Group Policy to set access control might want to consider delegating permissions to users who are not domain administrators, such as members of the Helpdesk support staff.

Domain administrators can delegate the ability to read BitLocker recovery passwords to users who normally do not have this privilege, or the ability to read stored TPM owner information.

This section describes how to delegate permissions in three steps:

  1. Create a new user group.

  2. Add members to the group (for example, add Helpdesk staff members).

  3. Assign control access and read property permissions to the group.

To create a new user group and add members to the group, see Manage Groups (https://go.microsoft.com/fwlink/?LinkId=91737).

For example, typing the following command from an elevated command prompt creates a global security group called BitLocker Recoverers within the test.contoso.com domain.

dsadd group "cn=BitLocker Recoverers,cn=Users,dc=test,dc=contoso,dc=com" -desc "Users with access to BitLocker recovery passwords stored in Computer objects." -secgrp yes -scope g

You can run a script as a domain administrator to assign control access and read property permissions to a group. For more information about how to use scripts to manage Active Directory security, see Using Scripts to Manage Active Directory Security (https://go.microsoft.com/fwlink/?LinkId=79652).

The following sample script allows a BitLocker Recoverers user group to read the current domain's BitLocker recovery passwords.

To run the following sample scripts

  1. Save each sample script in a VBScript file. For example: DelegateBitLocker.vbs.

  2. Open an elevated Command Prompt window:

    1. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type a command similar to the following:

    cscript DelegateBitLocker.vbs

Change the first line of the following sample script if you created a user group with a different name, or if you need to refer to user groups in other domains. For example, change "BitLocker Recoverers" to "DOMAIN\Help Desk Staff."

'To refer to other groups, change the group name (ex: change to "DOMAIN\Help Desk Staff")
strGroupName = "BitLocker Recoverers"  

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants 
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5  'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE                = &H2  'ACE applies to target and inherited child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8  'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_CONTROL_ACCESS      = &H100 'The right to view confidential attributes
Const ADS_RIGHT_DS_READ_PROP                 = &H10  ' The right to read attribute values

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1  'Target object type is present in the ACE 
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2  'Target inherited object type is present in the ACE 

' --------------------------------------------------------------------------------
' BitLocker schema object GUID's 
' --------------------------------------------------------------------------------

'- ms-FVE-RecoveryInformation object: 
'  includes the BitLocker recovery password and key package attributes
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

'- ms-FVE-RecoveryPassword attribute: 48-digit numerical password
SCHEMA_GUID_MS_FVE_RECOVERYPASSWORD = "{43061AC1-C8AD-4CCC-B785-2BFAC20FC60A}"

'- ms-FVE-KeyPackage attribute: binary package for repairing damages
SCHEMA_GUID_MS_FVE_KEYPACKAGE = "{1FD55EA8-88A7-47DC-8129-0DAA97186A54}"

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow reading of all BitLocker recovery information properties
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = strGroupName
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce1.InheritedObjectType = SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION

' Note: ObjectType is left blank above to allow reading of all properties

' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl
 
' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo

WScript.Echo "SUCCESS!"

To separate the privileges of reading BitLocker and TPM recovery information, create a different user group that can access TPM owner information. Note that Helpdesk personnel who need access to BitLocker recovery passwords will not typically need access to TPM owner information.

The following sample script allows the TPM Owners user group to read the current domain's TPM owner information:

'To refer to other groups, change the group name (ex: change to "DOMAIN\TPM Owners")
strGroupName = "TPM Owners"

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants 
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5   'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE                = &H2   'ACE applies to target and inherited child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8   'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_CONTROL_ACCESS      = &H100 'The right to view confidential attributes
Const ADS_RIGHT_DS_READ_PROP                 = &H10  ' The right to read attribute values

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1   'Target object type is present in the ACE 
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2   'Target inherited object type is present in the ACE 

' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's 
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute: SHA-1 hash of the TPM owner password
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'- msTPM-InformationObject object 
'  includes the OwnerInformation attribute
SCHEMA_GUID_MS_TPM_INFORMATION_OBJECT = "{85045B6A-47A6-4243-A7CC-6890701F662C}" 

'Reference: "Platform SDK: Active Directory Schema" 


' -------------------------------------------------------------------------------
' Set up the ACE to allow reading of TPM owner information
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = strGroupName
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER

' ------------------------------------------------------------
' Set up the ACE to allow reading of TPM owner information from new location
' ------------------------------------------------------------

Set objAce2 = createObject("AccessControlEntry") 

objAce2.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce2.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce2.Trustee = strGroupName
objAce2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce2.InheritedObjectType = SCHEMA_GUID_MS_TPM_INFORMATION_OBJECT

' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl

 
' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1
objDacl.AddAce objAce2

objDescriptor.DiscretionaryAcl = objDacl 
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor) 
objDomain.SetInfo 

WScript.Echo "SUCCESS!" 

Appendix B: Resetting Recovery Passwords

You should invalidate a recovery password after it has been provided and used. Resetting the recovery password is part of resolving the root cause of the recovery.

You can reset the recovery password in two ways:

  • Turn off BitLocker (decrypt) and then turn on (re-encrypt) BitLocker on a volume. Old recovery passwords are removed when decryption completes. The BitLocker setup process creates a new recovery password and prompts the user to save this password.

  • Run a script. You can run a script to reset the password without decrypting the volume. The following sample script illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.

To run the sample recovery password script

  1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.

  2. Open an elevated Command Prompt window:

    1. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type a command similar to the following:

    cscript ResetPassword.vbs

Important

This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.

Note

To manage a remote computer, you can specify the remote computer name rather than the local computer name.

You can use the following sample script to create a VBScript file to reset the recovery passwords.

' Target drive letter
strDriveLetter = "c:"

' Target computer name
' Use "." to connect to the local computer
strComputerName = "." 


' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
                 
                 
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)


If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)


If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " &  strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If


' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next


' objVolume is now our found BitLocker-capable disk volume


' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------


' Add a new recovery password, keeping the ID around so it doesn't get deleted later
' ----------------------------------------------------------------------------------

nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)

If nRC <> 0 Then
WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' Removes the other, "stale", recovery passwords 
' ----------------------------------------------------------------------------------

nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' Delete those key protectors other than the one we just added. 

For Each sKeyProtectorID In aKeyProtectorIDs

If sKeyProtectorID <> sNewKeyProtectorID Then
nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)

If nRC <> 0 Then
WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
WScript.Quit -1
Else
' no output
'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
End If
End If

Next

WScript.Echo "A new recovery password has been added. Old passwords have been removed."

' - some advanced output (hidden)
'WScript.Echo ""
'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."

Appendix C: Retrieving the BitLocker Key Package

You can use two methods to retrieve the key package, as described in Using Additional Recovery Information:

  • Export a previously-saved key package from AD DS. You must have Read access to BitLocker recovery passwords that are stored in AD DS.

  • Export a new key package from an unlocked, BitLocker-encrypted volume. You must have local administrator access to the working volume, before any damage has occurred.

The following sample script exports all previously-saved key packages from AD DS.

To run the sample key package retrieval script

  1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.

  2. Open an elevated Command Prompt window:

    1. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type a command similar to the following:

    cscript GetBitLockerKeyPackageADDS.vbs -?

You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS.

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
   Wscript.Echo "USAGE: GetBitLockerKeyPackageAD [Path To Saved Key Package] [Optional Computer Name]"
   Wscript.Echo "If no computer name is specified, the local computer is assumed."
   Wscript.Echo 
   Wscript.Echo "Example: GetBitLockerKeyPackageAD E:\bitlocker-ad-key-package mycomputer"
   WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
  Case 1
    If args(0) = "/?" Or args(0) = "-?" Then
    ShowUsage
    Else 
      strFilePath = args(0)
      ' Get the name of the local computer      
      Set objNetwork = CreateObject("WScript.Network")
      strComputerName = objNetwork.ComputerName      
    End If    
      
  Case 2
    If args(0) = "/?" Or args(0) = "-?" Then
      ShowUsage
    Else 
      strFilePath = args(0)
      strComputerName = args(1)
    End If
  Case Else
    ShowUsage

End Select



' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName) 

    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com    

    strBase = "<GC://" & namingContext & ">"
 
    Set objConnection = CreateObject("ADODB.Connection") 
    Set objCommand = CreateObject("ADODB.Command") 
    objConnection.Provider = "ADsDSOOBject" 
    objConnection.Open "Active Directory Provider" 
    Set objCommand.ActiveConnection = objConnection 

    strFilter = "(&(objectCategory=Computer)(cn=" &  strComputerName & "))"
    strQuery = strBase & ";" & strFilter  & ";distinguishedName;subtree" 

    objCommand.CommandText = strQuery 
    objCommand.Properties("Page Size") = 100 
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False 

    ' Enumerate all objects found. 

    Set objRecordSet = objCommand.Execute 
    If objRecordSet.EOF Then
      WScript.echo "The computer name '" &  strComputerName & "' cannot be found."
      WScript.Quit 1
    End If

    ' Found object matching name

    Do Until objRecordSet.EOF 
      dnFound = objRecordSet.Fields("distinguishedName")
      GetStrPathToComputer = "LDAP://" & dnFound
      objRecordSet.MoveNext 
    Loop 


    ' Clean up. 
    Set objConnection = Nothing 
    Set objCommand = Nothing 
    Set objRecordSet = Nothing 

End Function


' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------


Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPathToComputer

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80


' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get all the recovery information child objects of the computer object

Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
                                   ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

objFveInfos.Filter = Array("msFVE-RecoveryInformation")

' Iterate through each recovery information object and saves any existing key packages

nCount = 1
strFilePathCurrent = strFilePath & nCount

For Each objFveInfo in objFveInfos

   strName = objFveInfo.Get("name")

   strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
   strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")

   WScript.echo 
   WScript.echo "Recovery Object Name: " + strName 
   WScript.echo "Recovery Password: " + strRecoveryPassword

   ' Validate file path
   Set fso = CreateObject("Scripting.FileSystemObject")

   If (fso.FileExists(strFilePathCurrent)) Then
 WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path."
WScript.Quit -1
   End If

   ' Save binary data to the file
   SaveBinaryDataText strFilePathCurrent, strKeyPackage
   
   WScript.echo "Related key package successfully saved to " + strFilePathCurrent


   ' Update next file path using base name
   nCount = nCount + 1
   strFilePathCurrent = strFilePath & nCount

Next


'----------------------------------------------------------------------------------------
' Utility functions to save binary data 
'----------------------------------------------------------------------------------------

Function SaveBinaryDataText(FileName, ByteArray)
  'Create FileSystemObject object
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
  
  'Create text stream object
  Dim TextStream
  Set TextStream = FS.CreateTextFile(FileName)
  
  'Convert binary data To text And write them To the file
  TextStream.Write BinaryToString(ByteArray)
End Function

Function BinaryToString(Binary)
  Dim I, S
  For I = 1 To LenB(Binary)
    S = S & Chr(AscB(MidB(Binary, I, 1)))
  Next
  BinaryToString = S
End Function

WScript.Quit

The following sample script exports a new key package from an unlocked, encrypted volume.

To run this script, start by saving the code into a VBS file (for example, GetBitLockerKeyPackage.vbs). Then, open an administrator command prompt and use “cscript” to run the saved file (for example, type "cscript GetBitLockerKeyPackage.vbs  -?").



' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
   Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Saved Key Package]"
   Wscript.Echo 
   Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
   WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
  Case 2
    If args(0) = "/?" Or args(0) = "-?" Then
      ShowUsage
    Else 
      strDriveLetter = args(0)
      strFilePath = args(1)
    End If
  Case Else
    ShowUsage

End Select

' --------------------------------------------------------------------------------
' Other Inputs
' --------------------------------------------------------------------------------

' Target computer name
' Use "." to connect to the local computer
strComputerName = "." 

' Default key protector ID to use. Specify "" to let the script choose.

strDefaultKeyProtectorID = ""

' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}"  ' sample 


' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
                 
                 
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)


If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)


If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " &  strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If


' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next


' objVolume is now our found BitLocker-capable disk volume


' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------


' Collect all possible valid key protector ID's that can be used to get the package
' ----------------------------------------------------------------------------------

nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector

nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

nExternalKeyProtectorType = 2 ' type associated with "External Key" protector

nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If


' Get first key protector of the type "Numerical Password" or "External Key", if any
' ----------------------------------------------------------------------------------

if strDefaultKeyProtectorID = "" Then

' Save first numerical password, if exists
If UBound(aNumericalKeyProtectorIDs) <> -1 Then
strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
End If

' No numerical passwords exist, save the first external key
If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then
strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
End If 

' Fail case: no recovery key protectors exist. 
If strDefaultKeyProtectorID = "" Then
WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""."
WScript.Quit -1
End If

End If

' Get some information about the chosen key protector ID
' ----------------------------------------------------------------------------------

' is the type valid?

nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)

If Hex(nRC) = "80070057" Then
WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
WScript.Echo "This ID value may have been provided by the script writer."
ElseIf nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' what's a string that can be used to describe it?

strDefaultKeyProtectorType = ""

Select Case nDefaultKeyProtectorType 

  Case nNumericalKeyProtectorType
      strDefaultKeyProtectorType = "recovery password"

  Case nExternalKeyProtectorType
      strDefaultKeyProtectorType = "recovery key"

  Case Else
      WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
      WScript.Echo "This ID value may have been provided by the script writer."

End Select


' Save the backup key package using the chosen key protector ID
' ----------------------------------------------------------------------------------

nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' Validate file path
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(strFilePath)) Then
WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
WScript.Quit -1
End If

Dim oKeyPackageByte, bKeyPackage
For Each oKeyPackageByte in oKeyPackage
  'WScript.echo "key package byte: " & oKeyPackageByte
  bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
Next

' Save binary data to the file
SaveBinaryDataText strFilePath, bKeyPackage

' Display helpful information
' ----------------------------------------------------------------------------------

WScript.Echo "The backup key package has been saved to " & strFilePath & "."

WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."

' Display the recovery password or a note about saving the recovery key file

If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then

nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
WScript.Echo "Save this recovery password: " & sNumericalPassword

ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?"""
End If


'----------------------------------------------------------------------------------------
' Utility functions to save binary data 
'----------------------------------------------------------------------------------------

Function SaveBinaryDataText(FileName, ByteArray)
  'Create FileSystemObject object
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
  
  'Create text stream object
  Dim TextStream
  Set TextStream = FS.CreateTextFile(FileName)
  
  'Convert binary data To text And write them To the file
  TextStream.Write BinaryToString(ByteArray)
End Function

Function BinaryToString(Binary)
  Dim I, S
  For I = 1 To LenB(Binary)
    S = S & Chr(AscB(MidB(Binary, I, 1)))
  Next
  BinaryToString = S
End Function

Appendix D: Saving the TPM Information

A TPM owner authorization value saved in AD DS associates a specific computer with a TPM. The TPM owner authorization value must be supplied to approve the TPM owner password saved in AD DS.

To use the TPM owner authorization value from a specific computer, you must first retrieve this value from Active Directory. You can retrieve TPM owner information by viewing the ms-TPM-OwnerInformation attribute of a computer object in AD DS, or you can create a script that accesses and records this attribute.

The following is a sample TPM owner authorization value:

FNVWzNOmxCtHeLWDYeRobK85VDg=

You can use this value directly within a script, or you can choose to save this information to a file that can be used with the TPM Management snap-in (TPM.msc).

The wizards in the TPM Management console are designed to accept a TPM owner authorization in the form of a backup file containing the TPM owner password.

Note

You cannot type the TPM owner authorization value. However, you can use this information to create a TPM owner password file.

You can use the following sample TPM owner password file as a template for creating a new file with a different owner authorization value:

To run the sample script

  1. Save the following sample script in a VBScript file. For example: tpmOwnerData.vbs.

  2. Open an elevated Command Prompt window:

    1. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At an elevated command prompt, type a command similar to the following:

    cscript tpmOwnerData.vbs -?

<?xml version="1.0" encoding="UTF-8"?>
<!--
This page is a backup of TPM (Trusted Platform Module) owner
authorization information. Upon request, use the authorization information to
prove ownership of the computer's TPM.
Please keep this file in a secure location away from your computer's local hard drive.
-->
<tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.0.5461]" creationDate="2006-07-09T17:41:27-08:00" creationUser="DOMAIN\employee" machineName="EMPLOYEE-PC">
<tpmInfo manufacturerId="1112687437"/>
<ownerAuth>FNVWzNOmxCtHeLWDYeRobK85VDg=</ownerAuth>
</tpmOwnerData>

Note

This sample file includes the TPM owner authorization value between the <ownerAuth> and </ownerAuth> elements. Other values are included for information purposes only, and are not validated by the TPM Management console.