Configure Active Directory to Store BitLocker Recovery Keys

In a corporate environment, one of the advantages of BitLocker Drive Encryption is the ability to store the recovery keys for encrypted drives in Active Directory Domain Services (AD DS), so that an administrator can unlock a drive when the user has lost access to it.

When a volume is encrypted, BitLocker generates two kinds of recovery data: a 48-digit numerical recovery password and a 256-bit recovery key (saved to a .BEK file). When the number of computers on the network is small, an administrator can keep track of these passwords and keys manually, but once there are more than a hundred machines this becomes impractical.

Configure AD to Store BitLocker Recovery Keys

Group Policy (GPO) allows you to configure BitLocker so that backups of the recovery passwords (and optionally the key packages) are stored as child objects of the computer object in Active Directory. Each BitLocker recovery object has a unique name and contains the recovery password, a globally unique identifier (GUID) for that password and optionally a package containing the key. If a computer object holds several recovery passwords, each object name starts with the date and time the password was created, followed by its GUID, so the objects can be told apart. The name of a BitLocker recovery object is limited to 64 characters.

Active Directory requirements for using with BitLocker

The BitLocker recovery data storage feature relies on an extension of the Active Directory schema that adds a new object class and attributes. To verify that your AD schema contains the objects required to store BitLocker keys in AD, run the following command:

Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}

It should return the following 5 schema objects (the ms-FVE-RecoveryInformation class and four attributes):

  • ms-FVE-KeyPackage
  • ms-FVE-RecoveryGuid
  • ms-FVE-RecoveryInformation
  • ms-FVE-RecoveryPassword
  • ms-FVE-VolumeGuid


Starting from Windows Server 2008, this schema extension is present by default, but the backup still requires additional configuration (the Group Policy settings described below) before it works. With the Windows Server 2012 schema and higher, this functionality works "out of the box". The same applies to Windows Server 2016.

Let us consider how to configure Active Directory to store BitLocker recovery information.

Tip. On Windows Server 2008/2012, BitLocker is an optional component named BitLocker Drive Encryption (unlike the client OS, where it is built in). This feature can be installed from the Server Manager console or using PowerShell:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools


Configuring GPO to save Bitlocker Recovery data in AD

  1. Using the Group Policy Management console (GPMC.msc), create a new GPO and link it to the root of the domain or to the OU that contains the PCs whose BitLocker recovery passwords should be kept in AD.
  2. Right-click this GPO and select Edit.
  3. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption and edit the policy Store BitLocker recovery information in Active Directory Domain Services.
  4. Enable this policy and configure it as follows: Require BitLocker backup to AD DS: enabled; Select BitLocker recovery information to store: Recovery passwords and key packages (the only choices are recovery passwords only, or recovery passwords together with the key packages).
  5. Depending on which drives you want to encrypt, open one of the following sections under BitLocker Drive Encryption:
  • Fixed Data Drives
  • Operating System Drives
  • Removable Data Drives
  6. For example, we want to store recovery keys for removable drives. Go to the Removable Data Drives section and find the policy Choose how BitLocker-protected removable drives can be recovered.
  7. Enable the policy and check the options Save BitLocker recovery information to Active Directory Domain Services and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (with the latter option, a user who tries to encrypt a new USB device while not connected to the corporate network receives an error message, and the drive is not encrypted until the backup succeeds).
  8. Update the policy on the clients: gpupdate /force
  9. Turn on BitLocker on the selected drives of a PC. The BitLocker recovery password and key package from this PC are copied to Active Directory automatically.
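The same settings can be deployed without the GPO editor. The following script is an added example (not part of the original article) that creates the GPO with the GroupPolicy module and writes the registry-backed values that the two policies above set under HKLM\SOFTWARE\Policies\Microsoft\FVE; it goes beyond the article's removable-drive case by configuring all three drive types (OS, fixed and removable). The GPO name and target OU are assumptions.

```powershell
# Added example: configure BitLocker AD DS backup policies with the GroupPolicy module.
# The GPO name and the OU are assumed values; the value names under the FVE policy key
# are the ones written by "Store BitLocker recovery information in AD DS" and
# "Choose how BitLocker-protected <type> drives can be recovered".
Import-Module GroupPolicy

$GpoName  = 'BitLocker - Backup Recovery Info to AD'     # assumption
$TargetOU = 'OU=Workstations,DC=corp,DC=example'         # assumption
$FveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# "Store BitLocker recovery information in Active Directory Domain Services":
#   ActiveDirectoryBackup        1 = policy enabled
#   RequireActiveDirectoryBackup 1 = require backup to AD DS
#   ActiveDirectoryInfoToStore   1 = recovery passwords and key packages, 2 = passwords only
$settings = @{
    ActiveDirectoryBackup        = 1
    RequireActiveDirectoryBackup = 1
    ActiveDirectoryInfoToStore   = 1
}

# "Choose how BitLocker-protected ... drives can be recovered", per drive type:
# OS = operating system drives, FDV = fixed data drives, RDV = removable data drives.
foreach ($prefix in 'OS', 'FDV', 'RDV') {
    $settings["${prefix}Recovery"]                     = 1   # policy enabled
    $settings["${prefix}ManageDRA"]                    = 1   # allow data recovery agent (GUI default)
    $settings["${prefix}RecoveryPassword"]             = 2   # 2 = allow 48-digit recovery password
    $settings["${prefix}RecoveryKey"]                  = 2   # 2 = allow 256-bit recovery key
    $settings["${prefix}ActiveDirectoryBackup"]        = 1   # save recovery information to AD DS
    $settings["${prefix}RequireActiveDirectoryBackup"] = 1   # do not enable BitLocker until stored
    $settings["${prefix}ActiveDirectoryInfoToStore"]   = 1   # passwords and key packages
}

foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $FveKey -ValueName $name `
                        -Type DWord -Value $settings[$name] | Out-Null
}

# Show what the GPO now carries; clients pick it up after gpupdate /force.
Get-GPRegistryValue -Name $GpoName -Key $FveKey |
    Select-Object ValueName, Value | Sort-Object ValueName
```

On a client, after gpupdate /force, the applied values can be inspected with Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'. Keep the "Require" values at 1: without them a laptop that is off the corporate network can still be encrypted with a recovery password that exists nowhere but on the device.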

Tip. If BitLocker was already enabled on some PCs before the policy was applied, their existing recovery data is not backed up retroactively. Either turn BitLocker off and on again on those drives, or copy the recovery password to Active Directory manually using the manage-bde tool.

Get current BitLocker ID for the volume:

manage-bde -protectors -get e:

Copy the information to AD by specifying ID obtained on the previous step:

manage-bde -protectors -adbackup e: -id '{DAB438E6-8B5F-4BDA-9273-C1654B49C717E}'
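The same manual backup can be done for every encrypted volume on a machine at once with the BitLocker PowerShell module (Windows 8 / Windows Server 2012 and later), which is the scripted equivalent of the manage-bde commands above. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is available on the machine for the verification step.

```powershell
# Added example: back up every recovery password on this computer to AD DS and
# verify that the matching msFVE-RecoveryInformation objects exist under the
# computer account. Run elevated on a domain-joined machine.
Import-Module BitLocker
Import-Module ActiveDirectory

$backedUp = @()

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to back up

    $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $protectors) {
        # A volume protected only by TPM, PIN or password has no recovery password yet;
        # add one, otherwise there is nothing that can be stored in AD.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                      Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($kp in $protectors) {
        # Equivalent of: manage-bde -protectors -adbackup <drive> -id <GUID>
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                     -KeyProtectorId $kp.KeyProtectorId | Out-Null
        $backedUp += [pscustomobject]@{ Drive = $vol.MountPoint; ProtectorId = $kp.KeyProtectorId }
    }
}

# Verify: each recovery object is a child of the computer account and its name is
# "<creation time><protector GUID>", so matching on the GUID suffix finds it.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$inAd = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                     -Filter { objectClass -eq 'msFVE-RecoveryInformation' }

foreach ($entry in $backedUp) {
    $found = $inAd | Where-Object { $_.Name -like "*$($entry.ProtectorId)" }
    $state = if ($found) { 'stored in AD' } else { 'MISSING - check GPO, domain connectivity and permissions' }
    '{0} {1} -> {2}' -f $entry.Drive, $entry.ProtectorId, $state
}
```

Backup-BitLockerKeyProtector only copies the recovery password; the key package is stored with it when the "Recovery passwords and key packages" option is selected in the policy. A MISSING line after the run usually means the computer account could not write to AD (offline, or the policy not yet applied), not that the protector is wrong.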

How to find BitLocker Recovery Password in Active Directory

You can find the recovery passwords available for each computer on the "BitLocker Recovery" tab of the computer account's property page in the "Active Directory Users and Computers" snap-in.


You can also use the BitLocker Recovery Password Viewer tool, included in the Microsoft Remote Server Administration Tools (RSAT), to search for BitLocker recovery passwords.


After installation of BitLocker Recovery Password Viewer feature, you can search recovery keys directly from ADUC console. To do this, go to the root of domain and select Action -> Find BitLocker recovery password.
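The BitLocker Recovery Password Viewer searches by the Recovery Key ID that the recovery screen shows on the locked PC (the first 8 characters of the ID are enough). The function below is an added example, not part of the original article or of the RSAT tool, that performs the same search with the ActiveDirectory module and reports which computer the password belongs to; the key ID prefix in the usage line is a made-up value.

```powershell
# Added example: find a BitLocker recovery password in AD by the Recovery Key ID shown
# on the BitLocker recovery screen. Recovery objects are named "<creation time>{<GUID>}"
# and live under the computer account, so a wildcard on the GUID prefix locates them.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $KeyIdPrefix,                 # e.g. first 8 chars of the Recovery Key ID
        [string] $SearchBase = (Get-ADDomain).DistinguishedName       # whole domain by default
    )

    # Hyphenated attribute names are safe here because the filter is a plain LDAP-style string.
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'"

    Get-ADObject -SearchBase $SearchBase -Filter $filter `
                 -Properties msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        # The parent of the recovery object is the computer account that owns the drive.
        $computerDn = ($_.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADComputer -Identity $computerDn).Name
            RecoveryKeyId    = [regex]::Match($_.Name, '\{[0-9A-Fa-f-]+\}').Value
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (the key ID prefix is a constructed sample, not a real value):
Find-BitLockerRecoveryPassword -KeyIdPrefix 'DAB438E6' | Format-List
```

Reading msFVE-RecoveryPassword is equivalent to holding the key to the drive, so delegate read access on these objects only to the help-desk group that needs it and enable auditing of successful reads of the attribute; by default only Domain Admins can read it.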

