Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Active Directory / Storing BitLocker Recovery Keys in Active Directory

February 27, 2023

Storing BitLocker Recovery Keys in Active Directory

You can use Active Directory to securely store backups of BitLocker recovery keys (passwords) from client computers. It is very convenient if you have multiple users using BitLocker to encrypt their data. You can configure Group Policies in your domain so that when encrypting any drive with BitLocker, the computer will save the recovery key in its computer object account in AD (like storing a local computer administrator password generated using LAPS).

To configure storing BitLocker keys in Active Directory, your infrastructure must meet the following requirements:

  • Client computers running Windows 10 or Windows 8.1 with Pro and Enterprise editions;
  • AD schema version: Windows Server 2012 or higher;
  • Your GPO ADMX files must be updated to the latest versions.

Contents:
  • How to Configure Group Policy to Store BitLocker Recovery Keys in AD?
  • How to View and Manage BitLocker Recovery Keys in Active Directory?

How to Configure Group Policy to Store BitLocker Recovery Keys in AD?

To automatically save (backup) BitLocker recovery keys to the Active Directory domain, you need to configure a special GPO.

  1. Open the Domain Group Policy Management console (gpmc.msc), create a new GPO and link it to an OU with the computers you want to enable automatic BitLocker key saving in AD;
  2. Go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption;
  3. Enable the Store BitLocker recovery information in Active Directory Domain Services policy with the following settings: Require BitLocker backup to AD DS and Select BitLocker recovery information to store: Recovery passwords and key packages; GPO: Store BitLocker recovery information in Active Directory Domain Services
  4. Then go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives and enable the policy Choose how BitLocker-protected operating system drives can be recovered. Note that it is recommended to check Do not enable BitLocker until recovery information is stored to AD DS for operating system drives. If you check the option, BitLocker will not start drive encryption until the computer saves a new recovery key in AD (if you are a mobile user, you will have to wait for the next connection to the domain network);
  5. In our case, automatic saving of a BitLocker key is enabled for the operating system drive. If you want to save BitLocker recovery keys for external media devices or other drives, configure a similar policy in these GPO sections: Fixed Data Drives and Removable Data Drives; Group Policy to save BitLocker recovery keys to Active Directory
  6. Update Group Policy settings on the clients: gpupdate /force
  7. Encrypt the system drive of your computer running Windows 10 Pro using BitLocker (Turn BitLocker on); turn on BitLocker for a system drive
  8. Windows 10 will save the BitLocker recovery key for the computer in Active Directory and encrypt the drive.
    You may have multiple BitLocker recovery passwords for a single computer (for example, for different removable devices).

If a computer disk is already encrypted using BitLocker, you can manually sync in AD. Run the command:

manage-bde -protectors -get c:

Copy the Numerical Password ID value (for example, 22A6A1F0-1234-2D21-AF2B-7123211335047).

Run the command below to save the recovery key to the current computer’s AD account:

manage-bde -protectors -adbackup C: -id {22A6A1F0-1234-2D21-AF2B-7123211335047}

You will see this message:

Recovery information was successfully backed up to Active Directory
Or you can backup the BitLocker recovery key for your system drive to Active Directory using PowerShell:

BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId

How to View and Manage BitLocker Recovery Keys in Active Directory?

To manage BitLocker recovery keys from the Active Directory Users and Computers snap-in (ADUC, dsa.msc), you must install the Remote Server Administration Tools (RSAT).

In Windows Server, you can install the BitLocker Drive Encryption Administration Utility feature using Server Manager (it contains BitLocker Drive Encryption Tools and BitLocker Recovery Password Viewer) .

RSAT install BitLocker Drive Encryption Administration Utility

Or you can install these Windows Server features using PowerShell:

Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt, RSAT-Feature-Tools-BitLocker-RemoteAdminTool, RSAT-Feature-Tools-BitLocker

powershell install BitLocker Active Directory tools

In Windows 10 you have to install RSAT-Feature-Tools-BitLocker from RSAT.

Now, if you open the properties of any computer in the ADUC console, you will see a new BitLocker Recovery tab.

Here you can view when a password was created, get the Password ID and the BitLocker recovery key.

View BitLocker recovery password in ADUC console

Then if a user forgets his BitLocker password, he can tell the first 8 symbols of the recovery key displayed on the computer screen to the administrator, and the administrator can find the recovery key of the computer in ADUC using Action —> Find BitLocker recovery password and tell it to the user. The recovery password (48-digit number) will help to unlock a Bitlocker-protected drive.

Windows shows recovery key id on startup

find BitLocker recovery password in Active Directory by key ID

By default, only domain administrators can view BitLocker recovery keys. In Active Directory, you can delegate permissions to view BitLocker recovery keys in a specific OU to any user group. To do it, delegate the permission to view msFVE-RecoveryInformation attribute value.

So, in this article, we have shown how to configure an automatic backup of BitLocker recovery keys in Active Directory. If a user forgets the BitLocker password, you can get it and restore access to the data on the user’s device.

If the BitLocker system information area of the hard drive is damaged, you can try to decrypt the data according to this article.
2 comments
6
Facebook Twitter Google + Pinterest
Active DirectoryGroup PoliciesWindows 10Windows Server 2019
previous post
Configuring Kerberos Token Size Using the MaxTokenSize Parameter
next post
Fine-Grained Password Policy in Active Directory

Related Reading

How to Refresh (Update) Group Policy Settings on...

August 13, 2024

Repairing the Domain Trust Relationship Between Workstation and...

May 16, 2024

Updating Group Policy Administrative Templates (ADMX)

January 24, 2025

Configuring Password Policy in Active Directory Domain

March 12, 2024

Checking Active Directory Domain Controller Health and Replication

May 15, 2025

Troubleshooting: Group Policy (GPO) Not Being Applied to...

March 15, 2024

Display System Info on Desktop with BGInfo

February 6, 2025

Configuring Proxy Settings on Windows Using Group Policy...

February 27, 2023

2 comments

cube07 January 9, 2022 - 8:49 pm

Backup to AD – powershell cmd Backup-BitLockerKeyProtector not BackupToAAD.. 🙂

Reply
Bereeco May 1, 2024 - 1:10 am

For anyone getting powershell ERROR: Parameter “-ID” requires an argument
Powershell requires quotes around the ID value:
manage-bde -protectors -adbackup C: -id “{22A6A1F0-1234-2D21-AF2B-7123211335047}”

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • How to Find the Source of Account Lockouts in Active Directory
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Adding Domain Users to the Local Administrators Group in Windows
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top