This guide contains step-by-step instructions on how to force Windows to automatically store BitLocker recovery keys and passwords to Active Directory (AD), on any domain computer you enable the BitLocker protection.
If you want to protect your domain laptops and desktop PCs from unauthorized access, e.g. in case of theft, a good practice is to enable BitLocker encryption on all such computers, especially those used outside of your premises.
But since manually managing BitLocker recovery keys in a business environment is difficult, in this guide we’ll see how you can force Windows to back up recovery keys and passwords to AD when you enable the BitLocker protection on a domain-joined computer, and how to view the BitLocker recovery data (Recovery ID & Recovery Password) in AD when required. This way the recovery passwords are escrowed centrally on each computer’s object in AD, where authorized administrators can retrieve them when a user is locked out.
How to Automatically Back up BitLocker Recovery Keys & Passwords to Active Directory.
To automatically save the BitLocker recovery keys/passwords to Active Directory (AD):
Part 1. Configure Active Directory to Store BitLocker Data.
Step 1. Install BitLocker Drive Encryption Features.
1. On AD Domain Server, open Server Manager and click Add Roles and features.
2. Select Role-based or feature-based installation and click Next.
3. At ‘Server Selection’ options, select your Domain Server and click Next.
4. Click Next at Server Roles.
5a. On Features window, select the BitLocker Drive Encryption and…
5b. …then click Add Features to install all features required for BitLocker drive encryption along with the management tools. (The BitLocker Recovery Password Viewer tool that is added here is what provides the ‘BitLocker Recovery’ tab in Active Directory Users and Computers.)
5c. Click Next again to proceed.
6. Finally click Install to install the BitLocker Drive Encryption features.
7. When the feature installation is completed, click Close and restart the server.
Step 2. Create a new GPO to Store BitLocker keys in AD.
After performing the above steps, proceed to configure Active Directory to automatically backup the BitLocker keys/passwords from domain computers to AD, via a Group Policy.
1. Open Server Manager and from the Tools menu open the Group Policy Management.
2. In Group Policy Management, either edit the Default Domain Policy or create a new Group Policy for the entire domain or just for the OU that contains the computers whose BitLocker keys you want to store in AD.*
* Note: In this example we create a new GPO for the “Workstations” OU which contains all the domain computers where the BitLocker encryption is enabled.
3. Right-click and select Create a GPO in this domain, and Link it here…
4. Name the new GPO as “Store BitLocker keys in Active Directory” and click OK.
5. Now Edit the created GPO.
6a. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
6b. Now open the Store BitLocker Recovery information in Active Directory Domain Services policy.
6c. Set the policy to Enabled, leave the default options Require BitLocker backup to AD DS & Recovery passwords and key packages selected, and click Apply > OK.
7a. Then, go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
7b. Open the policy Choose how BitLocker-protected system drives can be recovered.
7c. Set the policy to Enabled and then check the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives. This prevents users from enabling BitLocker unless the computer can reach a domain controller and the backup of the BitLocker recovery information to AD DS succeeds. When done, click OK.
8. Close all the Group Policy Management windows.
9. Finally, on each workstation open Command Prompt as Administrator and give the following command to apply the new policy (or simply restart the workstations):
- gpupdate /force
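Before encrypting anything, it is worth confirming on a workstation that the two policies from Step 2 actually arrived. The following PowerShell snippet is an added example, not part of the original guide: it reads the registry values that the BitLocker policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the values expected for the settings chosen above. The value names are the ones used by the BitLocker ADMX; the expected numbers correspond to the options selected in steps 6c and 7c.

```powershell
# Added example (not from the original guide): check on a domain workstation that the
# "Store BitLocker keys in Active Directory" GPO has applied. Run in an elevated session.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected registry values once both policies from Step 2 are Enabled with the options shown there.
$expected = [ordered]@{
    ActiveDirectoryBackup          = 1   # "Store BitLocker recovery information in AD DS" = Enabled
    RequireActiveDirectoryBackup   = 1   # "Require BitLocker backup to AD DS" checked
    ActiveDirectoryInfoToStore     = 1   # 1 = recovery passwords and key packages, 2 = recovery passwords only
    OSRecovery                     = 1   # "Choose how BitLocker-protected OS drives can be recovered" = Enabled
    OSActiveDirectoryBackup        = 1   # "Save BitLocker recovery information to AD DS for OS drives" checked
    OSRequireActiveDirectoryBackup = 1   # "Do not enable BitLocker until recovery information is stored in AD DS" checked
}

function Test-BitLockerAdBackupPolicy {
    if (-not (Test-Path $fvePolicy)) {
        Write-Warning "No BitLocker policy key at $fvePolicy. Run 'gpupdate /force' and check the GPO link and security filtering."
        return $false
    }
    $actual = Get-ItemProperty -Path $fvePolicy
    $ok = $true
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) { $shown = '<missing>' } else { $shown = $value }
        if ($value -ne $expected[$name]) {
            $ok = $false
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $expected[$name], $shown)
        }
    }
    if ($ok) { Write-Host "BitLocker AD backup policy is applied on $env:COMPUTERNAME." }
    return $ok
}

Test-BitLockerAdBackupPolicy
```

If a value is missing, `gpresult /r /scope:computer` shows whether the GPO is listed under “Applied Group Policy Objects” for the machine; a GPO that is linked to the wrong OU or filtered out by security filtering will not appear there.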
Step 3. Turn On BitLocker on Workstations.
If you haven’t already enabled BitLocker on client computers, do the following:*
* Note: If you have already enabled BitLocker on clients, then follow the steps in this guide to manually backup the recovery keys and passwords in AD: How to Store Manually the BitLocker keys in Active Directory (AD).
1. Log in to the client machine with a user that has Local Administrator rights on the machine.
2. Navigate to Control Panel and open BitLocker Drive Encryption.
3. Click Turn On BitLocker next to C: drive (aka “OS drive”), and follow the on-screen instructions to encrypt it.
4. A message will now appear asking whether you’re ready to encrypt the drive. At this point, check the Run BitLocker system check box and click Continue, so that BitLocker verifies the machine can read the recovery and startup keys before encrypting the drive. Then, click Restart now.
5. After restarting, Windows will start encrypting the drive, and the BitLocker Recovery ID and Recovery Password will be stored automatically in AD.
6. Finally, proceed to verify that the recovery key and password are stored on the computer’s object in AD by following the instructions below.
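The same procedure can be driven from PowerShell, which is also the way to escrow the recovery password of a computer that was encrypted before the GPO existed (the case mentioned in the note above). The script below is an added example and not the guide’s own code: it creates a recovery password protector first, enables BitLocker on C: with the TPM, then explicitly backs every recovery password protector up to AD with Backup-BitLockerKeyProtector and reads the BitLocker management event log for the success (845) or failure (846) events. It assumes an elevated session on a domain-joined workstation with a TPM that can reach a domain controller.

```powershell
# Added example (not from the original guide): enable BitLocker on the OS drive from
# PowerShell and escrow the recovery password to Active Directory. Run elevated.
$drive = 'C:'

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Add the recovery password protector before enabling BitLocker, so it exists
    # when "Do not enable BitLocker until recovery information is stored in AD DS" is evaluated.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null

    # Enable with a TPM protector. Without -SkipHardwareTest BitLocker performs the same
    # hardware test as "Run BitLocker system check" and starts encrypting after the restart.
    Enable-BitLocker -MountPoint $drive -TpmProtector -UsedSpaceOnly | Out-Null
}

# Works for newly enabled drives and for drives encrypted before the GPO was in place.
function Backup-RecoveryPasswordsToAD([string] $MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector."
    }
    foreach ($p in $recoveryProtectors) {
        # Escrows (or re-escrows) this protector to the computer object in AD. Safe to repeat.
        # Fails with an error if no domain controller is reachable, which is the check you want.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        # The first 8 characters of the ID (without braces) are what 'Find BitLocker Password' asks for.
        $searchPrefix = $p.KeyProtectorId.Trim('{}').Substring(0, 8)
        "{0}: backup to AD requested (Recovery ID prefix {1})" -f $p.KeyProtectorId, $searchPrefix
    }
}

Backup-RecoveryPasswordsToAD -MountPoint $drive

# Event 845 = recovery information backed up to AD DS; 846 = backup failed (see Message for the reason).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The equivalent command-line form for the backup step is `manage-bde -protectors -adbackup C: -id {<KeyProtectorId>}`. Whichever tool you use, verify the result on the server side (Part 2) rather than trusting the client: a backup that silently failed leaves you with an encrypted drive and no way in.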
Part 2. View BitLocker Recovery Keys and Passwords in AD (Active Directory).
After applying the above steps, you’ll be able to retrieve the stored BitLocker keys in AD, using one of the following ways:
A. Using Computer Properties in Active Directory.
1. Open Active Directory Users and Computers.
2. Right-click the computer object whose stored recovery key you want to view and choose Properties.
3. Then select the BitLocker Recovery tab to see the Recovery ID and the Recovery Password under the ‘Details’ field.
B. Using ‘Find BitLocker Password’ option.
If you know the Recovery ID (identifier):
1. Open Active Directory Users and Computers.
2. Right-click on the domain name and select Find BitLocker Password.
3. Type the first eight (8) characters of the Recovery ID of the computer that you want to see the BitLocker recovery key and click Search.
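Both lookups above can also be done with the ActiveDirectory PowerShell module, which is handy for scripting or for a help desk that should not get the full ADUC console. The function below is an added example, not code from the original guide: recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer account, one per recovery password protector, and the object’s name ends with the protector’s GUID, which is why the first eight characters of the Recovery ID are enough to find it. The account running it needs read access to those objects (by default only Domain Admins have it; delegate it deliberately and audit reads). The computer name and recovery ID prefix in the usage lines are placeholders.

```powershell
# Added example (not from the original guide): read BitLocker recovery passwords from AD,
# either for a given computer or from the Recovery ID shown on the BitLocker recovery screen.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory)]   [string] $ComputerName,
        [Parameter(ParameterSetName = 'ByRecoveryId', Mandatory)] [string] $RecoveryIdPrefix
    )
    $props = 'msFVE-RecoveryPassword', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects live directly under the computer object, so search one level below its DN.
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties $props
    }
    else {
        # Same lookup as 'Find BitLocker Password': match the GUID that ends the object's name.
        $prefix = $RecoveryIdPrefix.Trim('{}')
        if ($prefix.Length -lt 8) { throw 'Enter at least the first 8 characters of the Recovery ID.' }
        $prefix = $prefix.Substring(0, 8)
        $objects = Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$prefix*))" `
            -Properties $props
    }

    foreach ($o in $objects) {
        [pscustomobject]@{
            Computer         = (($o.DistinguishedName -split ',')[1]) -replace '^CN='
            Created          = $o.whenCreated
            RecoveryId       = [regex]::Match($o.Name, '\{[0-9A-Fa-f-]{36}\}').Value
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    } | Sort-Object Created -Descending   # newest first; a computer may have several after protector changes
}

# Usage (placeholders):
Get-BitLockerRecoveryFromAD -ComputerName 'PC01' | Format-Table -AutoSize
Get-BitLockerRecoveryFromAD -RecoveryIdPrefix '1A2B3C4D' | Format-List
```

When a computer has more than one entry, use the one whose RecoveryId matches the ID displayed on the recovery screen. After a recovery password has been read out and used, treat it as disclosed: remove that recovery password protector on the client, add a new one and back it up to AD again, so the password that was handed over does not remain valid.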
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.