If, after applying a Group Policy to automatically store BitLocker keys in Active Directory, you find that for some computers the BitLocker recovery key and password are not stored in AD, continue reading below to learn how to back up BitLocker keys to AD manually.
As you may know, managing BitLocker recovery keys in a business environment can be a challenge, but fortunately, as explained in a previous guide, you can force Windows to store BitLocker recovery keys to Active Directory (AD) automatically.
However, you may find that while you have correctly followed the steps to automatically store the key in AD, some computers have not had their recovery keys and passwords stored in Active Directory.
This issue typically occurs when BitLocker was enabled before the Group Policy to back up BitLocker recovery data to AD was applied, before the computer was joined to the domain, or when the machine could not reach a domain controller at the time it was encrypted.
So, in this tutorial we show how you can manually back up the BitLocker recovery keys to Active Directory on the affected computers, without having to decrypt and encrypt them from scratch.
How to Manually Back up BitLocker Keys & Passwords to AD (Active Directory).*
* Attention: Before continuing below, please ensure that you have correctly followed the steps in this guide to configure AD to automatically back up your BitLocker keys/passwords to AD.
1. On the domain-joined machine whose BitLocker recovery data you want to back up to AD manually, log in with a user that has local Administrator rights.
2. Open Command Prompt as Administrator and issue the following command to view the BitLocker Recovery ID and Password.*
- manage-bde -protectors -Get C:
* Info: The above command shows the recovery data (ID & Password) on the main drive “C:”
3. From the results, highlight the Numerical Password ID* (displayed inside {} brackets), press CTRL+C to copy it, and paste it into Notepad. Only this ID is needed for the next step; do not copy the 48-digit recovery password itself anywhere.
* eg in this example: {71A465B0-E2BB-4091-B889-2A72DE3121C3}
4. Then, issue the command below to force Windows to back up the BitLocker recovery key (ID) and password to AD:
- manage-bde -protectors -adbackup c: -id {Numerical Password ID}
* eg in this example:
- manage-bde -protectors -adbackup c: -id {71A465B0-E2BB-4091-B889-2A72DE3121C3}
5. After the recovery information is successfully backed up to Active Directory, open the computer's properties in Active Directory Users and Computers; in the BitLocker Recovery tab you should see its Recovery ID and the Recovery Password. (The tab only appears if the "BitLocker Recovery Password Viewer" RSAT feature is installed on the machine where you run the console.)
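The same procedure in PowerShell, as an added example that is not part of the original guide: it goes a step beyond the manual steps above by backing up every recovery-password protector on every BitLocker volume (not only C:) and then checking in AD that a matching msFVE-RecoveryInformation object exists under the computer account. It assumes you run it elevated on the domain-joined client, that the BitLocker module (built into Windows 8/Server 2012 and later) and the RSAT ActiveDirectory module are available, and that the schema, GPO and permissions from the guide linked above are already in place; $computerName is the only value you may need to change.

```powershell
# Added example (not code from the original guide).
# Backs up all BitLocker recovery-password protectors to AD DS and verifies them.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory   # RSAT; needed only for the verification part

$computerName = $env:COMPUTERNAME   # assumption: the local machine's AD account
$backedUp = @()

foreach ($vol in Get-BitLockerVolume) {
    # Only the recovery password (the "Numerical Password" in manage-bde output)
    # is stored in AD; TPM, TPM+PIN and other protectors are never backed up.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no recovery password protector, nothing to back up"
        continue
    }
    foreach ($p in $rp) {
        try {
            # Equivalent of: manage-bde -protectors -adbackup <drive> -id <GUID>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $backedUp += [pscustomobject]@{
                MountPoint  = $vol.MountPoint
                ProtectorId = $p.KeyProtectorId   # e.g. {71A465B0-E2BB-4091-B889-2A72DE3121C3}
            }
        }
        catch {
            # Typical causes: no reachable writable DC, or the computer account lacks
            # the Self "write" permission on msFVE-RecoveryInformation objects.
            Write-Warning "$($vol.MountPoint) $($p.KeyProtectorId): backup failed: $($_.Exception.Message)"
        }
    }
}

# Verification: each backed-up protector is a child object of the computer account,
# of class msFVE-RecoveryInformation, named "<timestamp>{<protector GUID>}".
# The recovery password itself (msFVE-RecoveryPassword) is deliberately not read here.
$computerDn = (Get-ADComputer -Identity $computerName).DistinguishedName
$inAd = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' }

foreach ($b in $backedUp) {
    $match = $inAd | Where-Object { $_.Name -like "*$($b.ProtectorId)" }
    if ($match) {
        "OK      $($b.MountPoint) $($b.ProtectorId) -> $($match.DistinguishedName)"
    }
    else {
        Write-Warning "MISSING $($b.MountPoint) $($b.ProtectorId) not found under $computerDn"
    }
}
```

If the client has no RSAT installed, run only the first loop on the client and the verification block from an administrative workstation with $computerName set to the client's name; a protector that backs up without error but never appears under the computer object usually points to the permissions or DC-connectivity problems described above rather than to BitLocker itself.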
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.