Site icon TechDirectArchive

Backup existing and new BitLocker Recovery Keys to Active Directory

BitLocker Drive Encryption is a data protection feature that integrates with the operating system. It addresses the threats of data theft or exposure to lost or stolen devices. It is an encryption feature built into computers running Windows 10. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. See this guide for how to enable Bitlocker Pre-Boot Authentication via the Local Group Policy Editor and the Group Policy Management Console. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption. In this article, you will learn how to Backup existing and new BitLocker Recovery Keys to Active Directory.

Why protect your device with BitLocker?

The goal of BitLocker FDE is to protect your Drive against offline attacks through encryption, and unauthorized access either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Here are some more guides: how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM” and how to enable FileVault disk encryption on a Mac device.

How to backup existing BitLocker Recovery Keys to Active Directory

If you have already enabled BitLocker but now want to store the recovery keys in Active Directory. With the configured GPOs above, this will allow windows to write the recovery key to AD. We need to use the “manage-bde” utility, which is a command-based utility that can be used to configure BitLocker. You can save this on a bash file and run it on devices that have already enabled BitLocker.

manage-bde -protectors -get c:
for /f "skip=4 tokens=2 delims=:" %%g in ('"manage-bde -protectors -get c:"') do set MyKey=%%g
echo %MyKey%
manage-bde -protectors -adbackup c: -id%MyKey%

NoteOnce run, it will escrow the key into Active Directory. You may also want to see BitLocker Drive Encryption architecture and implementation scenarios.

Remote Server Administration Tools

There are two additional tools in the Remote Server Administration Tools worth mentioning, which you can use to manage BitLocker. You should now be able to see the keys in the Properties tab. Or via the Search function in Active Directory Users and Computers. Ensure that the BitLocker RSAT is enabled in Server Features and Roles. If these tools are not installed, you will fac the following error “Fix no BitLocker Recovery in Active Directory

Install BitLocker Drive Encryption Administration Utilities to view BitLocker Recovery Keys to Active Directory

To install BitLocker Drive Encryption Administration Utilities on a Server (Domain Control), please follow the steps below.

Note: If you do not install these features, you will never be able to view the BitLocker Recovery information. See this guide “fix missing BitLocker Recovery Tab” for more information.

Launch the Add role and Feature next to the “Features” menu. Select BitLocker Drive Encryption Administration Utilities under Remote Server Administration. Then check both BitLocker Drive Encryption Tools and BitLocker Recovery Password Viewer.

On the confirmation page, click on install to have the BitLocker utilities installed.

To Install BitLocker Drive Encryption Administration Utilities on a Client, please follow the steps below.

Note: RSAT (Remote Server Administration Tools) in Windows 10 v1809, v1903 and v1909 are no longer a downloadable add-on to Windows. Instead, it’s included as a set of  “Features on Demand” directly in Windows.

But since BitLocker Drive Encryption Administration Utilities are not included, we will have to download them.
– Launch Windows settings,
– Navigate to Apps and Select Apps & Features as shown below. Follow along with the rest steps.

Now, scroll through the list and install BitLocker Drive Encryption Administration Utilities.

Note: BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. For more information on Group Policy, please see the how-to analyze group policies applied to a user and computer account,

Once everything is correctly setup, you should be able view the BitLocker Recovery Tab as shown below.

I hope you found this blog post helpful on how to backup existing and new BitLocker Recovery Keys to Active Directory. Please let me know in the comment session if you have any questions.

Exit mobile version