How to Store BitLocker Recovery Keys in Active Directory

How to Store BitLocker Recovery Keys in Active Directory

BitLocker is a powerful and easy-to-use encryption solution offered by Microsoft Windows to secure your hard drives. It comes already installed in newer versions of Windows Server and is accessible to users of Windows 7 Pro, Enterprise, and later editions.

In corporate settings, storing the BitLocker recovery keys in Active Directory is often advised for enhanced convenience and security. This ensures that the keys are easily accessible when needed and provides an extra layer of protection for your encrypted data.


Store BitLocker recovery keys in AD

One of the benefits of storing BitLocker in Active Directory is the convenience of having access to the recovery keys for all computers and laptops whenever needed. This eliminates the need for manual documentation, which can be prone to errors and potential loss of important information.


By utilizing this feature, BitLocker automatically saves the recovery keys in Active Directory. You must create a new group policy object and apply it to the computers you want to protect. This ensures that the recovery keys are securely stored and easily retrievable, providing a streamlined and efficient process for managing BitLocker encryption.

The following guidelines are of interest:

  1. Determine how BitLocker-protected operating system drives can be recovered
    (Computer Configuration – Adm. Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives)
    BStore itLocker recovery information in Active Directory Domain Services
    (Computer Configuration – Adm. Templates – Windows Components – BitLocker Drive Encryption)
  How to Rename a File on Windows and Mac

Configure group policies

For all current operating systems (from Server 2012 or Windows 7) it is sufficient to use the “Determine how BitLocker-protected operating system drives can be recovered and select the following two options:

  • Store BitLocker recovery information for operating system drives in AD DS.
  • Enable BitLocker only after OS drive recovery information is stored in AD DS.

This ensures that the BitLocker recovery keys of all system hard drives are transferred to the Active Directory. In addition, with the second option, you protect yourself from BitLocker being activated without the information being saved (e.g. in the event of a disconnection).

You can also create this policy for additional hard disk drives or removable media (see subfolders of Computer Configuration – Adm. Templates – Windows Components – BitLocker Drive Encryption).

If you are still using older operating systems (Server 2008 or even Windows Vista), you must follow the guideline “BStore itLocker recovery information in Active Directory Domain Services“ activate. to be made there. The settings are similar, as the following picture shows:

  How to Fix error message 0x8007054b Event ID 15 "Certificate Enrollment...".

Activate BitLocker after rolling out the group policy

You must only distribute the group policy you created to the organizational units with the relevant devices. From now on, all new BitLocker recovery keys are stored in Active Directory. You can tell by clicking “Next” when prompted to save the key without first saving the recovery key to a data medium or printing it out.

Necessary: You can still save or print the recovery key in all cases.

Save existing BitLocker keys in AD.

Unfortunately, the above settings only apply to new BitLocker encryption. The recovery keys from hard drives that have already been encrypted are not automatically transferred. However, they can be transferred manually quite quickly.

You have to open an administrative PowerShell console or command prompt on the respective client and run the following two commands (in this example for the system drive):

manage-bde -protectors -get c:

This query provides you with the “ID for the numeric password” – you need this in the second step. There the password of this ID is transferred to the Active Directory with the parameter -adbackup:

manage-bde -protectors -adbackup c: -id "{ID des numerischen Kennwortes}"

The screenshot below shows what it all looks like in practice. When reading the ID (step 1) we get the ID {05296A47-B528-43C9-9E1C-FE6ACBFE2538}. This must be entered in step 2, and we already get the result: “The recovery information was saved in Active Directory.”

  How to Add Themes in Microsoft Edge

Query recovery key in AD

Now, while we can store all BitLocker recovery keys in Active Directory, how do we retrieve them? All you have to do is install the relevant management tools.

So you have on every server from which you want to access the BitLocker keys (usually the domain controller) and the BitLocker Drive Encryption administration utilities to install. There you mark both options and start the installation. A restart of the server is not necessary.

After the installation, you will find an additional tab for all computer objects in the Active Directory named “BitLocker recovery“. All the information, including the recovery password, is there.

Storing BitLocker recovery keys in Active Directory is a straightforward solution that offers enhanced protection against the risk of losing crucial information. You can ensure easy access whenever necessary by automatically and securely storing all the keys in a centralized location.

This streamlined approach adds a layer of security and convenience, giving you peace of mind knowing that your BitLocker recovery keys are safely stored and readily available when needed.

Rohit is a certified Microsoft Windows expert with a passion for simplifying technology. With years of hands-on experience and a knack for problem-solving, He is dedicated to helping individuals and businesses make the most of their Windows systems. Whether it's troubleshooting, optimization, or sharing expert insights,