# How to store BitLocker keys in Active Directory

[https://coady.tech/store-bitlocker-keys-in-ad/](https://coady.tech/store-bitlocker-keys-in-ad/)

[![featured-image.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/NX9GHnRUHczI5EUh-featured-image.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/NX9GHnRUHczI5EUh-featured-image.png)

<div class="featured-image" id="bkmrk--1"></div>BitLocker is a fantastic way to protect data at rest on computers and to defeat many offline tampering attacks. In a business environment, however, keeping track of the recovery passwords for every machine quickly becomes a burden. Thankfully BitLocker can back up its recovery passwords to Active Directory automatically, so the helpdesk never has to rely on a user having saved a key somewhere sensible.

In this post I’m going to be going through the process, step-by-step, to enable BitLocker recovery key saving to active directory. Plus we’ll take a look at how computers that are already encrypted can retrospectively have their recovery keys backed up to active directory.

## 1.0 Requirements

<div class="content" id="bkmrk-windows-7-or-newer-c">- Windows client with BitLocker: Windows 7 Ultimate or Enterprise, or Windows 8 and newer Pro, Enterprise or Education (Home editions cannot turn BitLocker on)
- Windows Server 2012 or newer domain controller
- AD schema containing the ms-FVE-* objects (included in the Windows Server 2008 schema and later; a forest still on the Windows Server 2003 schema needs the BitLocker schema extension)
- Latest group policy [ADMX files](https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store)

</div>This guide will show the steps specifically for Windows 10 1909 and Windows Server 2019.

## 2.0 Setup Steps

### 2.1 Installing BitLocker

So that we can read the BitLocker recovery passwords from AD, we’ll install the BitLocker Recovery Password Viewer (part of the ‘BitLocker Drive Encryption Administration Utilities’) on a domain controller (DC); it can equally be installed on any management workstation that has RSAT. This feature adds a ‘BitLocker Recovery’ tab to computer objects in Active Directory Users and Computers. It doesn’t mean the domain controller will be encrypted, just that the necessary GUI administration tools will be installed.

On a domain controller open Server Manager and then launch the Add Roles and Features Wizard. Tick the ‘BitLocker Drive Encryption’ option under Features.

<div class="content" id="bkmrk--2"><figure>[![BitLocker_Keys_AD_1.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/UVGgzaWq0JbgxLCZ-bitlocker-keys-ad-1.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/UVGgzaWq0JbgxLCZ-bitlocker-keys-ad-1.png)

</figure></div>You will be prompted to install additional tools. Select ‘Add Features’.

<div class="content" id="bkmrk--3"><figure>[![BitLocker_Keys_AD_2.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/PiMjBwXUd7KL7uge-bitlocker-keys-ad-2.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/PiMjBwXUd7KL7uge-bitlocker-keys-ad-2.png)

</figure></div>Let the feature installation complete. The BitLocker administration tools are now installed; later in the guide we’ll use them to view the stored BitLocker recovery passwords.

### 2.2 Update group policy

Client computers need to escrow their recovery passwords to Active Directory, and we’ll use group policy to make them do so. In my experience the correct group policy options aren’t always shown out of the box, so I’m going to use the latest template files. It’s good practice to run the latest group policy templates anyway.

Download the latest ADMX files for your build of Windows [here](https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

Inside the ZIP archive will be many group policy ADMX files along with a folder for each language. Extract these files to the ‘PolicyDefinitions’ folder within the SYSVOL share of your domain, e.g.

**\\\\mydomain.local\\SYSVOL\\mydomain.local\\Policies\\PolicyDefinitions** (on the domain controller itself this is the local path **C:\\Windows\\SYSVOL\\sysvol\\mydomain.local\\Policies\\PolicyDefinitions**)

<div class="content" id="bkmrk-tip-if-you-don%E2%80%99t-hav"><div class="details admonition tip open"><div class="details-summary admonition-title">Tip</div><div class="details-content"><div class="admonition-content">If you don’t have a ‘PolicyDefinitions’ folder now would be a great time to create one. The folder is used by a feature called the ‘Group Policy Central Store’. It ensures all domain administrators are using the same group policy template files.</div></div></div></div>Once finished you should have a setup similar to mine, as shown below:

[![BitLocker_Keys_AD_3.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/F2vkROyX7An7UbPP-bitlocker-keys-ad-3.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/F2vkROyX7An7UbPP-bitlocker-keys-ad-3.png)

<div class="content" id="bkmrk--5"></div>### 2.3 Configuring BitLocker

Create a new group policy object and link it to the OU that contains the computer objects you want to encrypt.

<div class="content" id="bkmrk--6"><figure>[![BitLocker_Keys_AD_4.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/cvhwJQZDcPEPXV5j-bitlocker-keys-ad-4.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/cvhwJQZDcPEPXV5j-bitlocker-keys-ad-4.png)

</figure></div>Open the policy for editing and then browse to:

**Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; BitLocker Drive Encryption &gt; Operating System Drives.**

Configure the policy “Choose how BitLocker-protected operating system drives can be recovered”. Set it to Enabled and, as shown below, make sure the 48-digit recovery password is Allowed or Required, that “Save BitLocker recovery information to AD DS for operating system drives” is ticked, and that “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives” is ticked. That last option is the important one: without it a client that cannot reach a domain controller at encryption time still encrypts, and its recovery password is never backed up.

<div class="content" id="bkmrk--7"><figure>[![BitLocker_Keys_AD_5.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/CkEELFJrNoWBwg4a-bitlocker-keys-ad-5.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/CkEELFJrNoWBwg4a-bitlocker-keys-ad-5.png)

</figure></div>Save the changes and then exit the group policy editor.

We’re done! Now it’s time to test our changes.

## 3.0 Encrypting computers

If you’ve completed the previous steps, BitLocker should be automatically saving recovery keys to active directory when the OS volume is encrypted.

For the purpose of this guide I’m going to encrypt my test client machine the simple way, by right-clicking on the C: volume and following the ‘Turn BitLocker on’ wizard.

<div class="content" id="bkmrk--8"><figure>[![BitLocker_Keys_AD_6.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/G4bfuN4eUEGqYJB0-bitlocker-keys-ad-6.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/G4bfuN4eUEGqYJB0-bitlocker-keys-ad-6.png)

</figure></div>## 4.0 Recovering the BitLocker key

Following our work in step 2.1, a new ‘BitLocker Recovery’ tab is present on Active Directory computer objects. On a domain controller open Active Directory Users and Computers and locate the relevant computer account. Double-click the computer account to open the properties dialogue.

Select the ‘BitLocker Recovery’ tab. This lists every recovery password stored for the computer, one entry per recovery-password protector, with its Password ID and the date it was backed up. Multiple entries appear when the computer has been encrypted and decrypted more than once, or when extra recovery passwords have been added to a drive. Rather than assuming the top entry is the current one, match the Password ID against the key ID shown on the client’s recovery screen; the first eight characters are enough to identify it.

<div class="content" id="bkmrk--9"><figure>[![BitLocker_Keys_AD_7.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/5oxokKmwf1jcWKkl-bitlocker-keys-ad-7.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/5oxokKmwf1jcWKkl-bitlocker-keys-ad-7.png)

</figure></div>The recovery password (circled in red) can be entered into the BitLocker recovery screen on a client device like so:

<div class="content" id="bkmrk--10"><figure>[![BitLocker_Keys_AD_8.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/cAwvhoa4pZMZ6WQB-bitlocker-keys-ad-8.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/cAwvhoa4pZMZ6WQB-bitlocker-keys-ad-8.png)

</figure></div>## 5.0 Backup existing BitLocker keys to AD

Backing up the recovery keys to Active Directory on already-encrypted devices is possible too. The group policy only escrows a recovery password at the moment it is created, so volumes encrypted before the policy applied have to be pushed manually. Open an elevated command prompt or PowerShell window on an encrypted, domain-joined computer and run:

```
manage-bde -protectors -get C:
```

This will return output similar to the following:

<div class="content" id="bkmrk--11"><figure>[![BitLocker_Keys_AD_9.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/cDPIy2V0QskAQ8PO-bitlocker-keys-ad-9.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/cDPIy2V0QskAQ8PO-bitlocker-keys-ad-9.png)

</figure></div>Note the ID of the ‘Numerical Password’ protector (circled in red). That GUID is both the key-protector ID that manage-bde expects and the Password ID that the BitLocker recovery screen displays. Use it in the following command:

```
manage-bde -protectors -adbackup C: -id {87F55347-BF79-4110-BB3F-6F4B69A7A518}
```

<figure>[![BitLocker_Keys_AD_10.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/scaled-1680-/QYrvu3yFrV2jLlP2-bitlocker-keys-ad-10.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-01/QYrvu3yFrV2jLlP2-bitlocker-keys-ad-10.png)

</figure>That’s it! If you now check the computer object in Active Directory it will have a new msFVE-RecoveryInformation child object holding the client’s recovery password. If the command fails, the usual causes are running it without elevation, the computer being unable to reach a domain controller, or the volume having no Numerical Password protector at all (a TPM-only volume has nothing for AD to store, so add a recovery password protector first).
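A scripted version of the manual backup above, added here as an example and not part of the original post: it walks every BitLocker volume on the machine, adds a recovery password protector where one is missing, escrows each one with the BitLocker PowerShell module (the cmdlet equivalent of `manage-bde -protectors -adbackup`), and then confirms that the matching msFVE-RecoveryInformation object exists under the computer account. It needs the BitLocker module (Windows 8 / Server 2012 or later) and the ActiveDirectory module from RSAT; run it elevated on a domain-joined computer. The function names are the example’s own.

```powershell
# Added example, not code from the article. Run elevated on a domain-joined client.
Import-Module BitLocker
Import-Module ActiveDirectory

# Escrow every recovery password on this machine to AD; returns one record per protector.
function Backup-AllBitLockerRecoveryPasswords {
    # Anything not fully decrypted has key protectors worth backing up
    $volumes = Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted'

    foreach ($vol in $volumes) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # A TPM-only volume has nothing AD can store: create a recovery password first.
            Write-Warning "$($vol.MountPoint) has no recovery password protector; adding one"
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }

        foreach ($p in $rp) {
            $ok = $true
            try {
                # Same operation as: manage-bde -protectors -adbackup <vol> -id <guid>
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            }
            catch {
                # Typical causes: no domain controller reachable, or not running elevated
                Write-Warning "AD backup failed for $($vol.MountPoint) $($p.KeyProtectorId): $($_.Exception.Message)"
                $ok = $false
            }
            [PSCustomObject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                BackedUp       = $ok
            }
        }
    }
}

# Confirm the escrowed object is really present under the computer account.
# The recovery object's CN ends in '{<KeyProtectorId>}'; msFVE-RecoveryGuid holds the same GUID.
function Test-RecoveryPasswordInAd {
    param(
        [Parameter(Mandatory)] [string] $KeyProtectorId,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $computer = Get-ADComputer $ComputerName
    $guid = $KeyProtectorId.Trim('{}')
    $match = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } |
        Where-Object { $_.Name -like "*{$guid}" }
    return [bool]$match
}

# Usage:
$results = Backup-AllBitLockerRecoveryPasswords
foreach ($r in $results) {
    $inAd = Test-RecoveryPasswordInAd -KeyProtectorId $r.KeyProtectorId
    "{0} {1} backed up: {2}, found in AD: {3}" -f $r.MountPoint, $r.KeyProtectorId, $r.BackedUp, $inAd
}
```

The verification step matters because Backup-BitLockerKeyProtector succeeding on the client only proves a DC accepted the write; checking the child object from the AD side is what proves the helpdesk will actually be able to find the password later.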

## 6.0 Summary

In this post I’ve gone over the steps needed to automatically store BitLocker recovery passwords in Active Directory for new BitLocker installations, and covered one method to add recovery information for existing PCs too.

Data security and protecting sensitive information is a top priority for organizations of all sizes. One crucial aspect of data security is ensuring that data stored on devices like laptops and desktops is encrypted and can be recovered in case of emergencies or user lockouts.

BitLocker, the full-volume encryption feature built into Windows, provides a robust solution. It can store its recovery keys in Active Directory, so these critical keys are managed centrally and available to administrators when needed.

In this blog post, we will explore the process of enabling BitLocker recovery key backup via Group Policy Objects (GPO) and several ways to retrieve BitLocker recovery keys.

## <span class="penci-toc-section" id="bkmrk-requirements-1">Requirements</span>

### <span class="penci-toc-section" id="bkmrk-active-directory-sch-1">Active Directory Schema</span>

The recovery-data storage feature relies on objects in the Active Directory schema: a handful of [Active Directory custom attributes](https://theitbros.com/custom-attributes-in-active-directory/) and one object class, all with the ms-FVE- prefix. Before configuring anything, verify that your AD schema contains them and, if it does not, [update the AD schema](https://theitbros.com/upgrading-active-directory-schema/).

To do this, run the following command from the [PowerShell Active Directory module](https://theitbros.com/install-and-import-powershell-active-directory-module/):

```
Import-Module ActiveDirectory
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter { Name -like 'ms-FVE-*' }
```

The query should return the following five schema objects: four attributes and the object class that carries them:

- **ms-FVE-KeyPackage** (attribute)
- **ms-FVE-RecoveryGuid** (attribute)
- **ms-FVE-RecoveryInformation** (object class; one instance is created under the computer object for each recovery password)
- **ms-FVE-RecoveryPassword** (attribute; the 48-digit recovery password, stored as plain text and protected only by the object’s ACL)
- **ms-FVE-VolumeGuid** (attribute) ![store bitlocker key in ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-114.png "store bitlocker key in ad")

These [attributes](https://theitbros.com/get-user-attributes-from-ad/) and the class are present by default in the schema that ships with Windows Server 2008 and later, so on any current domain the query above simply confirms they are there; only a forest still at the Windows Server 2003 schema needs the BitLocker schema extension.

This article uses Windows Server 2022.

### <span class="penci-toc-section" id="bkmrk-windows-client-1">Windows Client</span>

BitLocker works with Windows 10 and 11 Pro, Education, and Enterprise. This article will be using Windows 11 22H2.

## <span class="penci-toc-section" id="bkmrk-enabling-bitlocker-r-1">Enabling BitLocker Recovery Key Backup via GPO</span>

Users make changes to their computers, and that’s inevitable. Then they reboot their computers, and BAM! Windows is asking for the BitLocker recovery key (password).

In this situation, users will contact the helpdesk or system administrators to help recover their BitLocker recovery keys.

Administrators must enable their backup to Active Directory to ensure the BitLocker keys are recoverable.

1. Log in to the domain controller or computer with RSAT installed.
2. Open the **Group Policy Management Console** (GPMC) by running **gpmc.msc**.
3. Within the GPMC, create a new Group Policy Object (GPO) or edit an existing one that you want to use for BitLocker recovery key backup. Ensure that the GPO is linked to the organizational unit (OU) containing the computer objects to which you wish to apply BitLocker.  
    In this example, I’m creating a new GPO named “**BitLocker-WS-Policy**” in the “**Workstations**” OU.  
    ![bitlocker active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-115.png "bitlocker active directory")
4. Open the GPO for editing and navigate to **Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption**.  
    ![bitlocker recovery key active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-116.png "bitlocker recovery key active directory")
5. Double-click on “**Store BitLocker Recovery information in Active Directory Domain Services.**”  
    ![how to store bitlocker keys in active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-117.png "how to store bitlocker keys in active directory")
6. Set the policy to **Enabled**, leave the default selection, as shown below, and click **OK**. This top-level setting is the legacy Windows Vista/Server 2008 policy; on Windows 7 and later it is the per-drive-type policies in the next two steps that control the backup, so do not stop here.  
    ![gpo bitlocker active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-118.png "gpo bitlocker active directory")
7. Next, open the folder for each drive type whose recovery keys you want to become retrievable from AD:
    - Operating System Drives
    - Fixed Data Drives
    - Removable Data Drives  
        In this example, I’ll choose “**Operating System Drives**” and open the “**Choose how BitLocker-protected operating system drives can be recovered**” policy.  
        ![save bitlocker recovery key to ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-119.png "save bitlocker recovery key to ad")
8. Select **Enabled**, keep “**Save BitLocker recovery information to AD DS for operating system drives**” ticked, and tick “**Do not enable BitLocker until recovery information is stored to AD DS for operating system drives**.” With this combination BitLocker refuses to start encrypting until the recovery password has been written to AD DS, so a machine can never end up encrypted with no escrowed key. Also confirm that the 48-digit recovery password is set to Allowed or Required; if it is set to Not allowed there is nothing to back up.  
    ![bitlocker gpo active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-120.png "bitlocker gpo active directory")
9. The policy will be applied to the target computers at the next refresh cycle. To force it, run **gpupdate /force** on the affected computers.  
    ![store bitlocker recovery information in active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-121.png "store bitlocker recovery information in active directory")
10. Then check that the policy is applied. Run this from an elevated prompt, since computer-scope results are only shown to administrators:

    ```
    gpresult /r
    ```

    ![bitlocker attribute active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-122.png "bitlocker attribute active directory")
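The same GPO built from PowerShell instead of the editor, added as an example that is not from either article (it covers section 2.3 of the first guide and steps 3 to 10 above). It writes the registry values that sit behind “Choose how BitLocker-protected operating system drives can be recovered” with the GroupPolicy module, links the GPO to the OU, and includes a check to run on a client after `gpupdate` that fails if AD backup is not both enabled and required. The GPO name and OU distinguished name are assumptions; the value names under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones defined in VolumeEncryption.admx.

```powershell
# Added example, not code from the articles. Requires the GroupPolicy module (RSAT / a DC).
Import-Module GroupPolicy

$GpoName  = 'BitLocker-WS-Policy'                      # assumption
$TargetOu = 'OU=Workstations,DC=corp,DC=example'       # assumption
$FveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

# Values behind "Choose how BitLocker-protected operating system drives can be recovered".
# Fixed data drives use the same names with the FDV prefix, removable drives with RDV.
$OsDriveRecoveryPolicy = @{
    OSRecovery                     = 1  # policy Enabled
    OSManageDRA                    = 0  # no data recovery agent
    OSRecoveryPassword             = 2  # 48-digit recovery password: 2 = Required, 1 = Allowed, 0 = Not allowed
    OSRecoveryKey                  = 1  # 256-bit recovery key file: Allowed
    OSHideRecoveryPage             = 0  # keep the recovery options page in the setup wizard
    OSActiveDirectoryBackup        = 1  # "Save BitLocker recovery information to AD DS"
    OSActiveDirectoryInfoToStore   = 1  # 1 = recovery passwords and key packages, 2 = passwords only
    OSRequireActiveDirectoryBackup = 1  # "Do not enable BitLocker until recovery information is stored to AD DS"
}

function New-BitLockerRecoveryGpo {
    param([string]$Name, [string]$OuDn, [hashtable]$Values)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    foreach ($entry in $Values.GetEnumerator()) {
        Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName $entry.Key `
            -Type DWord -Value $entry.Value | Out-Null
    }

    # Link once; skip if the OU already links this GPO
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) {
        New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Run on a client after gpupdate: returns $true only when the settings the OS will
# enforce actually require AD backup before encryption starts.
function Test-BitLockerRecoveryPolicy {
    $applied = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $applied) { Write-Warning 'No FVE policy is applied to this client'; return $false }

    $required = @{
        OSRecovery                     = 1
        OSActiveDirectoryBackup        = 1
        OSRequireActiveDirectoryBackup = 1
    }
    $ok = $true
    foreach ($name in $required.Keys) {
        $actual = $applied.$name
        if ($actual -ne $required[$name]) {
            Write-Warning "$name is '$actual', expected $($required[$name])"
            $ok = $false
        }
    }
    # A policy that forbids the recovery password leaves nothing for AD to store
    if ($applied.OSRecoveryPassword -eq 0) {
        Write-Warning 'OSRecoveryPassword is 0 (Not allowed): no recovery password will ever be generated'
        $ok = $false
    }
    return $ok
}

# Usage on a DC or RSAT workstation:
# New-BitLockerRecoveryGpo -Name $GpoName -OuDn $TargetOu -Values $OsDriveRecoveryPolicy
# Usage on a client after 'gpupdate /force':
# Test-BitLockerRecoveryPolicy
```

The client-side check is the part worth keeping: `gpresult /r` only tells you the GPO was applied, while the registry under `HKLM\SOFTWARE\Policies\Microsoft\FVE` is what BitLocker actually reads, so it also catches a conflicting GPO higher up that overrides one of these values.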

## <span class="penci-toc-section" id="bkmrk-turn-on-bitlocker-pr-1">Turn On BitLocker Protection on Drives</span>

Now that the policy is deployed to back up BitLocker recovery keys in AD, let’s test it by turning on BitLocker protection.

Open the File Explorer, navigate to “**This PC**,” right-click on the drive, and click “**Turn on BitLocker**.”

![bitlocker store key in ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-123.png "bitlocker store key in ad")

And go through the steps to finish enabling BitLocker encryption. Refer to [Turn on device encryption](https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d) for the complete steps the user can follow.

## <span class="penci-toc-section" id="bkmrk-retrieving-bitlocker-1">Retrieving BitLocker Recovery Keys</span>

You can find available recovery keys for each computer on the new tab “BitLocker Recovery”. It is located in the computer account properties in the [Active Directory Users and Computers snap-in](https://theitbros.com/installing-active-directory-snap-in-on-windows-10/).

But first, the BitLocker Recovery Password Viewer (part of the BitLocker Management Tools) must be installed on the domain controller, or on whichever machine you run ADUC from. To install it with PowerShell, run:

```
Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt
```

![configure user storage of bitlocker recovery information](https://theitbros.com/wp-content/uploads/2022/11/untitled-124.png "configure user storage of bitlocker recovery information")

### <span class="penci-toc-section" id="bkmrk-using-the-bitlocker--1">Using the BitLocker Recovery Tab in the Computer Properties</span>

After the installation, re-open ADUC, open the computer’s properties, and navigate to the “**BitLocker Recovery**” tab. You’ll see the recovery password that you can provide to the user so they can unlock their BitLocker-protected drive.

![active directory bitlocker recovery key](https://theitbros.com/wp-content/uploads/2022/11/untitled-125.png "active directory bitlocker recovery key")

### <span class="penci-toc-section" id="bkmrk-using-the-%E2%80%9Cfind-bitl-1">Using the “Find BitLocker recovery password” Tool</span>

If the user can provide the first eight characters of the BitLocker password ID, you can also use the **Find BitLocker recovery password** tool in ADUC.

Open ADUC, click Action → Find BitLocker recovery password. Enter the first eight characters of the password ID and click **Search**. If the partial password ID is valid, you will see the corresponding BitLocker recovery password, as shown below.

![bitlocker gpo](https://theitbros.com/wp-content/uploads/2022/11/untitled-126.png "bitlocker gpo")

### <span class="penci-toc-section" id="bkmrk-using-powershell-scr-1">Using PowerShell Script</span>

Using a PowerShell script to retrieve the BitLocker recovery keys can be quick, convenient, and handy. It only requires the ActiveDirectory PowerShell module; all necessary commands are already included.

Copy the script below and save it to your computer as Get-BitLockerRecoveryPassword.ps1. This script accepts two parameters: **ComputerName** and **KeyId**. You can only use one parameter at a time.

```
# Get-BitLockerRecoveryPassword.ps1
[CmdletBinding(DefaultParameterSetName = 'byComputerName')]
param (
    [Parameter(Mandatory, ParameterSetName = 'byComputerName')]
    [string]
    $ComputerName,

    [Parameter(Mandatory, ParameterSetName = 'byKeyId')]
    [string]
    $KeyID
)

Import-Module ActiveDirectory

# Only request the attributes we need; '-Properties *' would also pull the key package blob
$props = 'msFVE-RecoveryPassword', 'whenCreated'
$blObj = $null

if ($PSCmdlet.ParameterSetName -eq 'byComputerName') {
    try {
        $computerObj = Get-ADComputer $ComputerName -ErrorAction Stop
        # Recovery objects are direct children of the computer object
        $blObj = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -SearchBase $computerObj.DistinguishedName -SearchScope OneLevel `
            -Properties $props -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        "The AD computer [$($ComputerName)] is not found." | Out-Default
    }
    catch {
        "Lookup failed: $($_.Exception.Message)" | Out-Default
    }
}

if ($PSCmdlet.ParameterSetName -eq 'byKeyId') {
    if ($KeyID.Length -eq 8) {
        # The object CN is '<timestamp>{<Password ID GUID>}', so match the first 8 hex characters of the GUID
        $pattern = "*{$KeyID*"
        $blObj = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' -and CN -like $pattern } -Properties $props
    }
    else {
        "The KeyId must be exactly the first 8 characters of the Password ID." | Out-Default
    }
}

# Newest first: a computer that was encrypted more than once keeps every older recovery object
foreach ($obj in ($blObj | Sort-Object whenCreated -Descending)) {
    [PSCustomObject]([ordered]@{
        'Computer Name'     = (($obj.DistinguishedName -split ',')[1] -replace '^CN=', '')
        'Password ID'       = ([regex]::Match($obj.DistinguishedName, '\{(.*?)\}')).Groups[1].Value
        'Recovery Password' = $obj.'msFVE-RecoveryPassword'
        'Created'           = $obj.whenCreated
    })
}
```

> You can also download this script from this Gist → [Get BitLocker Recovery Password from AD](https://gist.github.com/junecastillote/f99805343ec4eeac40b869b62a0d909f).

After saving the script, open PowerShell and change the working directory to the script location.

```
cd <path to script>
```

Run the command below to get the BitLocker recovery key by computer name.

```
.\Get-BitLockerRecoveryPassword.ps1 -ComputerName <COMPUTER NAME>
```

You’ll see the following result if the computer exists and has a BitLocker recovery password.

![where are bitlocker keys stored in ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-127.png "where are bitlocker keys stored in ad")

If the computer does not exist, you’ll get this error:

![how to enable bitlocker using group policy and store key in active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-128.png "how to enable bitlocker using group policy and store key in active directory")

There will be no output if the computer exists but has no BitLocker recovery keys.

![active directory bitlocker](https://theitbros.com/wp-content/uploads/2022/11/untitled-129.png "active directory bitlocker")

Run the command below to get the BitLocker recovery key by looking up the first eight characters of the Password ID.

```
.\Get-BitLockerRecoveryPassword.ps1 -KeyID 12345678
```

If the password ID matches, you’ll get the following result.

![backup bitlocker key to ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-130.png "backup bitlocker key to ad")

You’ll get the following error if the Key ID you provided is not eight characters.

![add bitlocker key to active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-131.png "add bitlocker key to active directory")

If the password ID is not found, there will be no result.

![bitlocker ad integration](https://theitbros.com/wp-content/uploads/2022/11/untitled-132.png "bitlocker ad integration")

## <span class="penci-toc-section" id="bkmrk-delegating-permissio-1">Delegating Permissions to View BitLocker Recovery Keys in AD</span>

Administrators have better things to do than retrieving BitLocker recovery passwords. This is why the task can be delegated to a group whose primary role is to support end users, such as the Help Desk.

You can delegate the permissions to view information about BitLocker recovery keys in AD, and here’s how.

1. Create a group (or select an existing group) that will be delegated to view BitLocker recovery keys. In this example, I created a security group called “**BitLocker Password Viewers**.”  
    ![add bitlocker to active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-133.png "add bitlocker to active directory")
2. Add members to this group as needed.  
    ![how to save bitlocker key to active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-134.png "how to save bitlocker key to active directory")
3. Right-click on the [Active Directory OU](https://theitbros.com/active-directory-organizational-unit-ou/) that contains the computer objects with BitLocker recovery keys and click **Delegate Control**.  
    ![storing bitlocker keys in ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-135.png "storing bitlocker keys in ad")
4. Add the delegate group to the list and click **Next**.  
    ![store bitlocker key in active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-136.png "store bitlocker key in active directory")
5. Select the “**Create a custom task to delegate**” option and click **Next**.  
    ![bitlocker ad](https://theitbros.com/wp-content/uploads/2022/11/untitled-137.png "bitlocker ad")
6. Select the “**Only the following objects in the folder**” option, tick the “**msFVE-RecoveryInformation objects**” box, and click **Next**.  
    ![bitlocker ad recovery key](https://theitbros.com/wp-content/uploads/2022/11/untitled-138.png "bitlocker ad recovery key")
7. Select the “**Read**” permission, as shown below, and click **Next**. Read on this object class includes the msFVE-RecoveryPassword attribute, which is the 48-digit password in plain text, so this grant is the complete ability to unlock any drive whose computer object sits in the OU.  
    ![enable bitlocker powershell script active directory](https://theitbros.com/wp-content/uploads/2022/11/untitled-139.png "enable bitlocker powershell script active directory")
8. Review the delegation summary and click **Finish**.  
    ![bitlocker ad attribute](https://theitbros.com/wp-content/uploads/2022/11/untitled-140.png "bitlocker ad attribute")
9. All users added to the “**BitLocker Password Viewers**” group can now see the BitLocker Recovery tab with the recovery information for computers in that OU. Treat membership of this group as highly privileged and review it regularly: each member can decrypt every in-scope drive, and nothing records which passwords they read unless you enable directory service access auditing on the recovery objects.  
    ![BitLocker Recovery](https://theitbros.com/wp-content/uploads/2022/11/untitled-141.png "BitLocker Recovery")
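The same delegation done with an explicit ACE, plus an audit of who can read recovery passwords under the OU, added as an example that is not from the article. It looks up the schemaIDGUID of the msFVE-RecoveryInformation class and the msFVE-RecoveryPassword attribute, adds a GenericRead ACE inherited only by objects of that class, and then lists every allow ACE on the OU that would let a principal read the password. The group name and OU distinguished name are assumptions.

```powershell
# Added example, not code from the article. Needs the ActiveDirectory module and
# rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of a class or attribute; ACEs refer to schema objects by this GUID
function Get-SchemaObjectGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq $LdapDisplayName } -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Grant-BitLockerRecoveryRead {
    param(
        [string]$GroupName = 'BitLocker Password Viewers',        # assumption
        [string]$OuDn      = 'OU=Workstations,DC=corp,DC=example' # assumption
    )
    $classGuid = Get-SchemaObjectGuid 'msFVE-RecoveryInformation'
    $sid       = (Get-ADGroup $GroupName).SID
    $aclPath   = "AD:\$OuDn"
    $acl       = Get-Acl -Path $aclPath

    # GenericRead, inherited by descendants, but only by objects of class
    # msFVE-RecoveryInformation (inheritedObjectType). The group gains nothing on the
    # computer, user or group objects that live in the same OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl
}

# List the allow ACEs on the OU that let a principal read msFVE-RecoveryPassword on
# child recovery objects: broad reads with no object restriction, and reads scoped to
# the class or to that one attribute.
function Get-BitLockerRecoveryReaders {
    param([string]$OuDn = 'OU=Workstations,DC=corp,DC=example')   # assumption
    $classGuid = Get-SchemaObjectGuid 'msFVE-RecoveryInformation'
    $attrGuid  = Get-SchemaObjectGuid 'msFVE-RecoveryPassword'
    $acl = Get-Acl -Path "AD:\$OuDn"

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -ne 'None' -and
        ($_.ActiveDirectoryRights -match 'GenericRead|GenericAll|ReadProperty') -and
        ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $classGuid) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Usage:
# Grant-BitLockerRecoveryRead -GroupName 'BitLocker Password Viewers' -OuDn 'OU=Workstations,DC=corp,DC=example'
# Get-BitLockerRecoveryReaders -OuDn 'OU=Workstations,DC=corp,DC=example'
```

Run the audit before and after delegating: the "after" list should differ from the "before" list by exactly the one group, and anything else that shows up (inherited Full Control from a parent OU, a forgotten test account, a broad ReadProperty ACE) can read recovery passwords just as well as the helpdesk group. The audit reads only the OU's ACL, so rights granted directly on a computer object or on the default security descriptor of the recovery class are outside its scope.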

## <span class="penci-toc-section" id="bkmrk-conclusion-1">Conclusion</span>

Safeguarding sensitive data is a paramount concern. Integrated with Windows, BitLocker offers a robust solution for encrypting and protecting data on devices like laptops and desktops. It securely manages and readily provides BitLocker recovery keys via Active Directory.

This blog post covers enabling BitLocker recovery key backup via Group Policy Objects (GPO) and retrieving keys. Prerequisites include an updated Active Directory schema and compatible Windows clients. Follow the steps for GPO configuration to ensure recoverability and secure storage in Active Directory.

We also explore three key retrieval methods: the BitLocker Recovery tab in Active Directory Users and Computers, the “Find BitLocker recovery password” tool, and a PowerShell script. These options offer flexibility for different scenarios.

Lastly, we discuss delegating permissions to specific groups, like a Help Desk team, to view BitLocker recovery keys in Active Directory efficiently. BitLocker simplifies data security and management, enhancing organizations’ data protection strategies.
