Backup existing and new BitLocker Recovery Keys to Active Directory

In this article, you will learn how to Backup existing and new BitLocker Recovery Keys to AD (Active Directory). BitLocker Drive Encryption is a data protection feature that integrates with the operating system. It addresses the threats of data theft or exposure to lost or stolen devices. It is an encryption feature built into computers running Windows 10. Please see How to Change BitLocker Password in Windows, How to Change BitLocker Password in Windows, and How to correctly disable BitLocker on Windows Server.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

See this guide for how to enable Bitlocker Pre-Boot Authentication via the Local Group Policy Editor and the Group Policy Management Console. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption.

Why protect your device with BitLocker?

The goal of BitLocker FDE is to protect your Drive against offline attacks through encryption, and unauthorized access either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.

Here are some more guides: how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM” and how to enable FileVault disk encryption on a Mac device.

How to backup existing BitLocker Recovery Keys to Active Directory

If you have already enabled BitLocker but now want to store the recovery keys in Active Directory. With the configured GPOs above, this will allow windows to write the recovery key to AD.

We need to use the “manage-bde” utility which is a command-based utility that can be used to configure BitLocker. You can save this on a bash file and run it on devices that have already enabled BitLocker.

manage-bde -protectors -get c:
for /f "skip=4 tokens=2 delims=:" %%g in ('"manage-bde -protectors -get c:"') do set MyKey=%%g
echo %MyKey%
manage-bde -protectors -adbackup c: -id%MyKey%

Note: Once run, it will escrow the key into Active Directory. You may also want to see BitLocker Drive Encryption architecture and implementation scenarios.

Remote Server Administration Tools

There are two additional tools in the Remote Server Administration Tools worth mentioning, which you can use to manage BitLocker. You should now be able to see the keys in the Properties tab. Or via the Search function in Active Directory Users and Computers.

Ensure that the BitLocker RSAT is enabled in Server Features and Roles. If these tools are not installed, you will fac the following error “Fix no BitLocker Recovery in Active Directory“

• BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords backed up to AD DS. This tool helps recover data stored on a drive encrypted by using BitLocker.
  
  The BitLocker Recovery Password Viewer tool is an extension for the AD Users and Computers Microsoft Management Console (MMC) snap-in. It enables you to examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords.
  
• BitLocker Drive Encryption Tools. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel.
  
  And they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. See the screenshot below on how to install BitLocker Drive Encryption Administration Utilities.

Install BitLocker Drive Encryption Administration Utilities to view BitLocker Recovery Keys to Active Directory

To install BitLocker Drive Encryption Administration Utilities on a Server (Domain Control), please follow the steps below.

Note: If you do not install these features, you will never be able to view the BitLocker Recovery information. See this guide “fix missing BitLocker Recovery Tab” for more information.

Launch the Add role and Feature next to the “Features” menu. Select BitLocker Drive Encryption Administration Utilities under Remote Server Administration. Then check both BitLocker Drive Encryption Tools and BitLocker Recovery Password Viewer.

On the confirmation page, click on install to have the BitLocker utilities installed.

To Install BitLocker Drive Encryption Administration Utilities on a Client, please follow the steps below.

Note: RSAT (Remote Server Administration Tools) in Windows 10 v1809, v1903 and v1909 are no longer a downloadable add-on to Windows. Instead, it’s included as a set of  “Features on Demand” directly in Windows.

But since BitLocker Drive Encryption Administration Utilities are not included, we will have to download them. Launch Windows settings,

Navigate to Apps and Select Apps & Features as shown below. Follow along with the rest steps.

Now, scroll through the list and install BitLocker Drive Encryption Administration Utilities.

For more information on Group Policy, please see the how-to analyze group policies applied to a user and computer account,

Note: BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive.

Once everything is correctly setup, you should be able view the BitLocker Recovery Tab as shown below.

FAQs

I hope you found this blog post helpful on how to backup existing and new BitLocker Recovery Keys to AD (Active Directory). Please let me know in the comment session if you have any questions.