Windows Server

How to backup existing and new BitLocker recovery keys to Active Directory

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost or stolen devices. It is an encryption feature built into computers running Windows 10. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. See this guide for how to enable Bitlocker Pre-Boot Authentication via the Local Group Policy Editor and the Group Policy Management Console. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption, how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM” and how to enable FileVault disk encryption on a Mac device.

The goal of BitLocker FDE is to protect your Drive against offline attacks through encryption, unauthorized access either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.

If you have already enabled BitLocker but now want to store the recovery keys in Active Directory. With the configured GPO policies above, this will allow windows to write the recovery key to AD. We need to use the “manage-bde” utility, which is a command-based utility that can be used to configure BitLocker. You can save this on a bash file and run it on devices that have already enabled BitLocker.

manage-bde -protectors -get c:
for /f "skip=4 tokens=2 delims=:" %%g in ('"manage-bde -protectors -get c:"') do set MyKey=%%g
echo %MyKey%
manage-bde -protectors -adbackup c: -id%MyKey%

NoteOnce run, it will escrow the key into Active Directory. You may also want to see BitLocker Drive Encryption architecture and implementation scenarios.

There are two additional tools in the Remote Server Administration Tools worth mentioning, which you can use to manage BitLocker. You should now be able to see the keys in the Properties tab or via the Search function in Active Directory Users and Computers, ensure that the BitLocker RSAT is enabled in Server Features and Roles.

  • BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords backed up to AD DS. This tool helps recover data stored on a drive encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the AD Users and Computers Microsoft Management Console (MMC) snap-in that enables you to examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords.
  • BitLocker Drive Encryption Tools. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. See the screenshot below on how to install BitLocker Drive Encryption Administration Utilities.

To install BitLocker Drive Encryption Administration Utilities on a Server (Domain Control), please follow these steps below.
Note: If you do not install these features, you will never be able to view the BitLocker Recovery information. See this guide “fix missing BitLocker Recovery Tab” for more information.
– Launch the Add role and Feature and next to the “Features” menu
– Select BitLocker Drive Encryption Administration Utilities under Remote Server Administration and check both BitLocker Drive Encryption Tools and BitLocker Recovery Password Viewer.

On the confirmation page, click on install to have the BitLocker utilities installed.

To Install BitLocker Drive Encryption Administration Utilities on a Client, please follow the steps below.
– Note: RSAT (Remote Server Administration Tools) in Windows 10 v1809, v1903 and v1909 are no longer a downloadable add-on to Windows. Instead, it’s included as a set of  “Features on Demand” directly in Windows.

But since BitLocker Drive Encryption Administration Utilities are not included, we will have to download it.
– Launch Windows settings,
– Navigate to Apps and Select Apps & Features as shown below. Follow along with the rest steps.

Now, scroll through the list and install BitLocker Drive Encryption Administration Utilities.

Note: BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. For more information on Group Policy, please see the how-to analyze group policies applied to a user and computer account,

Once everything is correctly setup, you should be able view the BitLocker Recovery Tab as shown below.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x