It makes sense for companies to configure BitLocker centrally using group policies. It is also advisable to store recovery keys in a central location where they are protected against unauthorized access. Microsoft uses Active Directory for this purpose. The keys can be managed without tools from third-party manufacturers.
Configuring group policies
The first step is to create a GPO for the organizational units (OUs) and domains whose computer accounts will have recovery keys stored in the Active Directory.
This setting only works for computers running Vista or Windows Server 2008
Newer operating systems allow a more granular configuration depending on the drive type. BitLocker distinguishes between operating system drives, hard disks, and removable media.
Different drive types can be configured for BitLocker using separate settings
Storage options for each type of drive
For example, if you want to save the recovery key for operating system drives in the Active Directory, activate this setting in the respective folder. Make sure that the checkbox Save BitLocker recovery information to AD DS for operating system drives is selected.
GPO setting to backup recovery keys for system drives in Active Directory
Furthermore, you can configure which data will be stored in the AD. You can choose between Backup Restore Password and Key Packages and Backup Restore Passwords Only. The key package is used to recover data on a physically damaged drive.
In addition, it makes sense to activate the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. This ensures that BitLocker will wait until mobile users are reconnected to AD before it encrypts the data.
Manually saving keys afterwards
If the group policy is enabled after the drives have already been encrypted, it has no effect on those drives, and their keys must be transferred to Active Directory manually. The command line tool manage-bde.exe can do this. First, determine the ID of the numeric password (recovery password) protector for drive c:
manage-bde -protectors -get c:
Then you pass this information to the second command:
manage-bde -protectors -adbackup c: -id "{ID-of-numeric-password}"
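The same two-step procedure for every encrypted volume on a machine, plus a check that the key actually landed in the directory, as an added PowerShell example that is not part of the original article. It uses the BitLocker and ActiveDirectory modules instead of manage-bde; the KeyProtectorId it passes is the same "{ID-of-numeric-password}" shown above, and it assumes the script runs elevated on a domain-joined computer with the RSAT AD module installed.

```powershell
# Added example (not from the original article). Escrow every BitLocker
# recovery password on this computer to AD DS and verify the result.
# Assumes: elevated session, domain-joined host, RSAT ActiveDirectory module,
# and the msFVE schema / GPO described in the article already in place.
#Requires -Modules BitLocker, ActiveDirectory

function Backup-RecoveryPasswordsToAD {
    [CmdletBinding()]
    param()

    # Escrowed keys are stored as child objects of the computer account
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

    foreach ($vol in Get-BitLockerVolume) {
        # Only volumes with protection turned on have a key worth escrowing
        if ($vol.ProtectionStatus -ne 'On') { continue }

        # "Numeric password" in manage-bde == RecoveryPassword protector type here
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint): no recovery password protector present"
            continue
        }

        foreach ($p in $rp) {
            # Equivalent of: manage-bde -protectors -adbackup <drive> -id <guid>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null

            # Verify: look for an msFVE-RecoveryInformation object whose
            # msFVE-RecoveryGuid (stored as bytes) equals the protector ID.
            # If your query hits a different DC than the backup wrote to,
            # replication lag can make this report $false briefly.
            $escrowed = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                -Properties 'msFVE-RecoveryGuid' |
                Where-Object {
                    ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString('B') -eq $p.KeyProtectorId
                }

            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                EscrowedInAD   = [bool]$escrowed
            }
        }
    }
}

Backup-RecoveryPasswordsToAD | Format-Table -AutoSize
```

A volume that reports EscrowedInAD as False after replication has settled is one whose recovery password is still only on the device, which is exactly the gap the manual manage-bde step is meant to close.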
Reading recovery keys in the Active Directory
In order to access the recovery key, two features must be installed on the administrator computer: BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools.
This can be done on a server using the Add Roles and Features wizard in the Server Manager. On a workstation, they are part of the RSAT.
Adding BitLocker tools as a feature via the Server Manager
After that, a new tab labeled BitLocker Recovery should appear in Active Directory Users and Computers when you open a computer object.
Installing the BitLocker tools gives Active Directory users and computers a tab for the recovery key
For computers with encrypted drives, the corresponding recovery key can be found here.
Delegation
By default, only users in the Domain Admins group can view BitLocker recovery keys. This is not sufficient if, for example, the helpdesk should also have access to the recovery keys.
To grant users this permission, create a security group in the Active Directory (e.g., BitLocker) and add the desired users to it. Then run Delegate Control from the context menu of the OU that contains the computers whose keys the new group should be able to read.
Execute the command Delegate Control from the context menu of the OU
In the following dialog, you can activate Create a custom task to delegate.
Selecting custom tasks to create for assignment
Now set the authorization for “msFVE-RecoveryInformation” objects.
Assigning authorization for msFVE recovery information objects
Full access is required here.
Granting full access to msFVE recovery information objects
This enables users in the security group to view the recovery keys.
Source: https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/