BitLocker, MBAM and Data Recovery Agents (DRA)

I’ve been using the Microsoft BitLocker Administration and Monitoring (MBAM) software from the Microsoft Desktop Optimization Pack (MDOP) for the past couple of years and I love it. It makes enforcement, reporting and key recovery for systems fairly simple once the pre-requisites have been met (i.e. TPM Enabled and Activated). In this post, I’ll be discussing a lesser known method of securing your BitLocker encrypted drives with Data Recovery Agents (DRA).

Data Recovery Agents – What are they?

A Data Recovery Agent, or DRA, is an account typically based on a Smart Card or Certificate which can be used for Encrypting and Decrypting a file or folder (EFS) or an entire drive (BitLocker). In our case we will be discussing a BitLocker DRA.

Why would I use a Data Recovery Agent when I have BitLocker

Honestly, most people don’t. MBAM already handles key escrow, enforcement, key recovery and reporting for the BitLocker environment and does a very good job at it. However, I’ve seen a few issues during implementation that prompted me to take a closer look at managing our overall BitLocker environment, outside of just what MBAM provides. Here are a couple of scenarios I’ve seen which has caused us issues in recovering drives:

  • MBAM cycles a new key but escrow back to the server fails.
  • Helpdesk or end user manually encrypts drives with BitLocker but MBAM doesn’t get installed.

There may be other instances in which MBAM is unable to escrow keys however the above were the ones I saw most. So, just how do we solve this issue? There are numerous ways we could look at this from a process perspective, but I want to reduce the amount of human error and interaction wherever possible. Some ideas are:

  • Required deployment of MBAM to all systems – This could cause unwanted prompts for compliance on end user systems and doesn’t solve issues where MBAM simply fails to connect back to the server.
  • Store everything in Active Directory – Again, you still need a connection to AD for this and in a large environment this can significantly increase the size of your DB (your AD team may not like this).
  • Implement processes for your Help Desk to validate that keys are being escrowed – This becomes cumbersome and unsustainable.

By implementing a BitLocker Data Recovery Agent, you always have an additional recovery method available just in case MBAM either isn’t there or (gasp!) fails to properly escrow a key. I use this as my failsafe, my life preserver, my backup because telling a user, manager or heaven forbid an executive that their data is lost because something “just went wrong” (and they forgot to make a backup or stopped the backup software) is not the most pleasant part of our job.

How do I create a BitLocker Data Recovery Agent

I’ll be the first to admit this, but I’m not well versed at managing a PKI infrastructure so instead of diving into the details and (possibly) getting it wrong, I’d suggest you reach out to your PKI team and request a certificate that can be used as a Data Recovery Agent for BitLocker. What they should provide you is two certificate files. A public .CER certificate which will be deployed to all your systems, and a private .PFX certificate which allows you to decrypt systems that were encrypted and have the DRA installed.

Setting up the BitLocker Data Recovery Agent

To configure and deploy the BitLocker Data Recovery Agent, we will leverage Group Policy. I use the same GPO that I use for configuring MBAM. The following steps will guide you in setting up your BitLocker DRA Certificate and other required/recommended settings for using a BitLocker DRA.

1 Edit the Group Policy Object that will apply to client machines.  
2 Expand Computer Configuration > Policies > Administrative Templates > Windows Components> BitLocker Drive Encryption  
3 Enable the setting Provide the unique identifiers for your organization. For BOTH the BitLocker identification field and Allowed BitLocker identification field use ‘MyCompany‘.

NOTE: The value you enter here is CASE SENSITIVE! Make sure it’s typed EXACTLY the same in both locations.

4 Expand Computer Configuration > Policies > Administrative Templates > Windows Components> BitLocker Drive Encryption >Fixed Data Drives  
5 Enable the policy Choose how BitLocker-protected fixed drives can be recovered and configure it EXACTLY as shown in the screenshot

Perform the same steps for Operating System Drives and Removable Data Drives

6 Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption


Right-Click it and select Add Data Recovery Agent

7 On the Welcome screen of the Add Recovery Agent Wizard, click Next.  
8 Click on the Browse Folders button and select the exported Certificate retrieved from your CA. (Make sure this is a .CER file which only contains the Public Key and NOT the .pfx file which contains the private key)
9 Click Next and Finish the wizard. You should then see the certificate of the DRA is listed.

http://technet.microsoft.com/en-us/library/dd875560(v=WS.10).aspx

Conclusion

This post concludes with you (hopefully) having a BitLocker DRA certificate installed in your environment which should provide you with an additional recovery method for your BitLocker encrypted drives. If you haven’t quite gotten that ‘warm and fuzzy’ feeling yet, stay tuned for my follow-up article on Using a BitLocker Data Recovery Agent to unlock a BitLocker encrypted drive.

Advertisements

Author: dhedges

I'm a Senior Client Systems Engineer specializing in OS Deployments and Automation using VBScript, PowerShell, MDT and SCCM. I enjoy working with technology and bending it to my will.

1 thought on “BitLocker, MBAM and Data Recovery Agents (DRA)”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s