How do I configure Active Directory to store BitLocker recovery information?

Tags directory

You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS).

Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to.

The first step, adding the BitLocker Recovery Password Viewer to the domain controllers, has already been completed for you.  All that you'll need to do is to email and let us know which organizational unit (OU) contains the computers that you'll be encrypting and which group of users you'd like to have access to the stored bitlocker keys so that we can delegate the authority to non-domain administrators to view the recovery keys of the computer objects in that OU.  After that's done, you'll need to set the proper group policy settings to configure the computers to back up the recovery information.

GPO Settings:

1.  Open "Group Policy Management".

2.  Navigate the the GPO that's linked to the OU that you want to contain your settings for Bitlocker.

3.  Right click on the GPO and select "Edit"

4. Navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->Bitlocker Drive Encryption.

Group Policy management editor

5.  Double Click on "Store Bitlocker Recovery information in Active Directory Domain Services" and configure it as follows:

Store Bitlocker recovery information in Active Directory Domain Services

6.  Click "OK".

7.  Under Computer Configuration->Policies->Administrative Templates->Windows Components->Bitlocker Drive Encryption, click on the appropriate folder for your configuration.  In this example, I'm configuring bitlocker to encrypt the OS drive.

Bitlocker configuration

8.  Double click on "Require additional authentication at startup" and configure your settings as follows:

Require additional authentication at startup

NOTE:  "Allow Bitlocker without a compatible TPM" need only be checked if at least one of the computers that you're encrypting do not have a trusted platform module.

9.  Click "OK".

10.  Double click on "Choose how Bitlocker-protected operating system drives can be recovered" and configure it as follows:

Bitlocker protected operating system

11.  Click "OK".

12.  Navigate to Computer Configuration->Policies->Administrative Templates->System->Trusted Platform Module and set "Turn on TPM backup to Active Directory Domain Services" to "Enabled".

13.  Click "OK".

NOTE:  Only machines that have downloaded the updated group policies and were encrypted after the group policy has been applied to the machine will have their recovery information stored in Active Directory.  To ensure that the newly configured group policy settings are applied, please reboot the machine prior to encrypting and/or run "gpudate /force" from a command line on that machine.   If a machine has already been encrypted, you can force it to store its information in Active directory by opening up powershell and typing manage-bde -protectors -get c: to get its bitlocker information and then typing manage-bde -protectors -adbackup c: -id  '{<numerical password ID>}'


Article ID: 1531
Tue 1/19/21 9:27 PM
Thu 10/20/22 2:17 PM