Backup existing and new BitLocker Recovery Keys to Active Directory

Posted on Christian By Christian 2 Comments on Backup existing and new BitLocker Recovery Keys to Active Directory

In this article, you will learn how to Backup existing and new BitLocker Recovery Keys to AD (Active Directory). BitLocker Drive Encryption is a data protection feature that integrates with the operating system. It addresses the threats of data theft or exposure to lost or stolen devices. It is an encryption feature built into computers running Windows 10. Please see How to Change BitLocker Password in Windows, How to Change BitLocker Password in Windows, and How to correctly disable BitLocker on Windows Server.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

See this guide for how to enable Bitlocker Pre-Boot Authentication via the Local Group Policy Editor and the Group Policy Management Console. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption.

Why protect your device with BitLocker?

The goal of BitLocker FDE is to protect your Drive against offline attacks through encryption, and unauthorized access either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.

Here are some more guides: how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM” and how to enable FileVault disk encryption on a Mac device.

How to backup existing BitLocker Recovery Keys to Active Directory

If you have already enabled BitLocker but now want to store the recovery keys in Active Directory. With the configured GPOs above, this will allow windows to write the recovery key to AD.

We need to use the “manage-bde” utility which is a command-based utility that can be used to configure BitLocker. You can save this on a bash file and run it on devices that have already enabled BitLocker.

manage-bde -protectors -get c:
for /f "skip=4 tokens=2 delims=:" %%g in ('"manage-bde -protectors -get c:"') do set MyKey=%%g
echo %MyKey%
manage-bde -protectors -adbackup c: -id%MyKey%

NoteOnce run, it will escrow the key into Active Directory. You may also want to see BitLocker Drive Encryption architecture and implementation scenarios.

Remote Server Administration Tools

There are two additional tools in the Remote Server Administration Tools worth mentioning, which you can use to manage BitLocker. You should now be able to see the keys in the Properties tab. Or via the Search function in Active Directory Users and Computers.

Ensure that the BitLocker RSAT is enabled in Server Features and Roles. If these tools are not installed, you will fac the following error “Fix no BitLocker Recovery in Active Directory

  • BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords backed up to AD DS. This tool helps recover data stored on a drive encrypted by using BitLocker.

    The BitLocker Recovery Password Viewer tool is an extension for the AD Users and Computers Microsoft Management Console (MMC) snap-in. It enables you to examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords.
  • BitLocker Drive Encryption Tools. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel.

    And they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. See the screenshot below on how to install BitLocker Drive Encryption Administration Utilities.

Install BitLocker Drive Encryption Administration Utilities to view BitLocker Recovery Keys to Active Directory

To install BitLocker Drive Encryption Administration Utilities on a Server (Domain Control), please follow the steps below.

Note: If you do not install these features, you will never be able to view the BitLocker Recovery information. See this guide “fix missing BitLocker Recovery Tab” for more information.

Launch the Add role and Feature next to the “Features” menu. Select BitLocker Drive Encryption Administration Utilities under Remote Server Administration. Then check both BitLocker Drive Encryption Tools and BitLocker Recovery Password Viewer.

On the confirmation page, click on install to have the BitLocker utilities installed.

To Install BitLocker Drive Encryption Administration Utilities on a Client, please follow the steps below.

Note: RSAT (Remote Server Administration Tools) in Windows 10 v1809, v1903 and v1909 are no longer a downloadable add-on to Windows. Instead, it’s included as a set of  “Features on Demand” directly in Windows.

But since BitLocker Drive Encryption Administration Utilities are not included, we will have to download them. Launch Windows settings,

Navigate to Apps and Select Apps & Features as shown below. Follow along with the rest steps.

Now, scroll through the list and install BitLocker Drive Encryption Administration Utilities.

For more information on Group Policy, please see the how-to analyze group policies applied to a user and computer account,

Note: BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive.

Once everything is correctly setup, you should be able view the BitLocker Recovery Tab as shown below.

FAQs

Why can’t I Perform BitLocker (MBAM) Self Service Recovery?

An end user must have physically logged on to the computer (not remotely) at least one time successfully to be able to recover their key using the Self-Service Portal. Otherwise, they must use the Helpdesk Portal for key recovery

Why is this error prompted “System Partition not available or large enough”?

BitLocker requires a SYSTEM partition to enable encryption. If this partition is missing, kindly use this command line to create the required Bitlocker partition.
BdeHdCfg -target default

How should the boot order of a BitLocker PC be organized?

Configure the computer’s startup options to place the hard disk drive first in the boot order, as this affects system measurement and prompts for the BitLocker recovery key. If using a docking station, ensure the hard disk drive is first in the boot order both when docked and undocked. You can read more here.

I hope you found this blog post helpful on how to backup existing and new BitLocker Recovery Keys to AD (Active Directory). Please let me know in the comment session if you have any questions.

5/5 - (1 vote)
Windows Server Tags:, , , , , , , ,

Related Posts

More Related Articles

hero activedirectory How to move a computer object from one container (OU) to another Windows Server
article 1280x720.192a2586 1 1 How to install WSL on Windows Server Windows Server
find my device banner How to Enable Find My Device on Windows 11 Windows
sql server installation How to Install all Editions of Microsoft SQL Server 2025 Oracle/MSSQL/MySQL
image 130 How to fix the Security Database on the Server does not have a Computer Account for this Workstation Trust Relationship on Windows Server [Part 2] Scripts
How does key rotation work in MBAM How does Key Rotation work in MBAM? Oracle/MSSQL/MySQL

Comments (2) on “Backup existing and new BitLocker Recovery Keys to Active Directory”

  1. The script to backup existing bitlocker encryptions is great. Really helped me do this at scale. I created a GPO scheduled task and applied it to all my PCs to back up Bitlocker to all PCs. Thank you.

Leave a Reply