Store and Retrieve BitLocker Recovery Keys from Active Directory

It makes sense for companies to configure BitLocker centrally via group policy, and it is equally advisable to keep the recovery keys in a central location where they are protected against unauthorized access. Microsoft provides Active Directory Domain Services (AD DS) for this purpose: the recovery information is stored as child objects of the computer account, and the keys can be managed without tools from third-party manufacturers.

Configuring group policies

The first step is to create a GPO, linked to the domain or to the organizational units (OUs) that contain the computer accounts whose recovery keys should be stored in Active Directory. The settings are located under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. The setting at the top level of this folder, Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista), applies only to those two operating systems.

This setting only works for computers running Vista or Windows Server 2008

Newer operating systems (Windows 7 and Windows Server 2008 R2 onward) allow a more granular configuration depending on the drive type. BitLocker distinguishes between operating system drives, fixed data drives, and removable data drives, each with its own subfolder in the policy.

Different drive types can be configured for BitLocker using separate settings

Storage options for each type of drive

For example, if you want to save the recovery key for operating system drives in Active Directory, open the Operating System Drives folder and enable the setting Choose how BitLocker-protected operating system drives can be recovered. Make sure that the checkbox Save BitLocker recovery information to AD DS for operating system drives is selected.

GPO setting to backup recovery keys for system drives in Active Directory

Furthermore, you can configure which data will be stored in AD. You can choose between Backup recovery passwords and key packages and Backup recovery passwords only. The recovery password is the 48-digit number a user types at the recovery screen; the key package contains the encrypted key material of the volume and is used together with repair-bde to recover data from a physically damaged drive.

In addition, it makes sense to enable the option Do not enable BitLocker until recovery information is stored to AD DS for operating system drives. With this option, encryption does not start until the backup to AD DS has succeeded, so a laptop that is currently off the corporate network waits until it can reach a domain controller again instead of encrypting with a recovery key that exists only on the device.

Manually saving keys afterwards

The backup to AD takes place at the moment the recovery password protector is created. If the group policy is enabled after the drives are already encrypted, it therefore has no effect on them, and the key has to be transferred to Active Directory manually. The command-line tool manage-bde.exe can do this. First, determine the ID of the Numerical Password protector for drive C: (the command lists all key protectors of the volume together with their IDs):

manage-bde -protectors -get c:

Then pass this ID, including the braces, to the second command:

manage-bde -protectors -adbackup c: -id "{ID-of-numeric-password}"
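As an added example (not code from the original article), the same one-off backup with the BitLocker PowerShell module that ships with Windows 8 / Windows Server 2012 and later. It also covers a case manage-bde -adbackup cannot handle on its own: a drive protected only by the TPM, which has no recovery password to escrow until one is added. It assumes a domain-joined machine and an elevated PowerShell session; the mount point defaults to the system drive.

```powershell
# Added example, not from the original article: escrow the recovery password of a drive
# that was encrypted before the GPO took effect. Uses the BitLocker module (Windows 8 /
# Server 2012 and later); on older systems use manage-bde as shown above.
# Assumes a domain-joined machine and an elevated PowerShell session.
param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

Import-Module BitLocker -ErrorAction Stop

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; there is nothing to back up."
}

# Only 'RecoveryPassword' protectors (manage-bde calls them "Numerical Password")
# are stored in AD DS as msFVE-RecoveryInformation objects.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

if ($recovery.Count -eq 0) {
    # A TPM-only drive has no recovery password, so there is nothing to escrow yet:
    # add one (the 48-digit password is generated, not chosen), then re-read the protectors.
    Write-Warning "No recovery password protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

foreach ($kp in $recovery) {
    # Equivalent of: manage-bde -protectors -adbackup $MountPoint -id $kp.KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
    Write-Host ("Backed up protector {0} of {1} to AD DS" -f $kp.KeyProtectorId, $MountPoint)
}
```

Backup-BitLockerKeyProtector fails with an error rather than silently doing nothing if the computer cannot reach a domain controller or is not allowed to create the recovery object, so a clean run means the key is in AD. The protector ID printed here is also the Password ID shown in the BitLocker Recovery tab of the computer object, which is the easiest way to confirm the backup on the directory side.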

Reading recovery keys in the Active Directory

In order to access the recovery key from the management console, two features must be installed on the administrator's computer: BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools. Both belong to the BitLocker Drive Encryption Administration Utilities. On the directory side, the schema must contain the msFVE classes, which is the case for every domain whose schema has been updated for Windows Server 2008 or later.

On a server, this is done with the Add Roles and Features wizard in Server Manager (under Remote Server Administration Tools > Feature Administration Tools). On a workstation, the two features are part of the Remote Server Administration Tools (RSAT).

Adding BitLocker tools as a feature via the Server Manager

After that, a new tab labeled BitLocker Recovery should appear in Active Directory Users and Computers when you open a computer object.

Installing the BitLocker tools gives Active Directory Users and Computers a tab for the recovery key


For computers with encrypted drives, the corresponding recovery passwords are listed here together with their Password ID. The first eight characters of the Password ID are what the user reads off the recovery screen, which lets the helpdesk pick the right entry when several passwords are stored; the same eight characters can also be searched domain-wide via Find BitLocker recovery password in the context menu of the domain.
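The scripted counterpart of the BitLocker Recovery tab, as an added example that is not part of the original article: it lists the recovery passwords stored for a computer and optionally filters them by the Password ID prefix the user reports. It assumes the ActiveDirectory module (part of RSAT) and an account that is allowed to read msFVE-RecoveryInformation objects.

```powershell
# Added example, not from the original article: list the recovery passwords stored for a
# computer, the scripted counterpart of the BitLocker Recovery tab. Needs the ActiveDirectory
# module (RSAT) and an account that can read msFVE-RecoveryInformation objects.
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    [string]$PasswordIdPrefix = ''   # optional: the 8 characters the user reads off the recovery screen
)

Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Recovery objects are children of the computer object. Their CN combines the backup
# timestamp and the password GUID, e.g. 2024-03-01T09:12:44+01:00{3F2504E0-...}
$objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

if (-not $objects) {
    Write-Warning "No recovery information stored in AD DS for $($computer.Name)"
    return
}

$objects | ForEach-Object {
    # The GUIDs are stored as octet strings; [guid] turns the byte array back into the
    # form shown in the Recovery tab and on the recovery screen.
    [pscustomobject]@{
        Computer   = $computer.Name
        PasswordId = ([guid]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
        VolumeId   = ([guid]$_.'msFVE-VolumeGuid').ToString().ToUpper()
        Password   = $_.'msFVE-RecoveryPassword'
        StoredAt   = $_.whenCreated
    }
} | Where-Object { $_.PasswordId.StartsWith($PasswordIdPrefix.ToUpper()) } |
    Sort-Object StoredAt -Descending
```

AD keeps every recovery password that was ever backed up for the computer; old objects are not removed when a drive is re-encrypted or a recovery password is rotated. Match on the Password ID the user reads out rather than simply taking the newest entry.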


By default, only members of the Domain Admins group can view BitLocker recovery keys; ordinary users have no read access to the msFVE-RecoveryInformation objects. This is not sufficient if, for example, the helpdesk also needs access to the recovery keys.

To grant this permission, create a security group in Active Directory (e.g., BitLocker) and add the desired users to it. Then run Delegate Control from the context menu of the OU that contains the computers whose keys the new group should be able to read.

Execute the command Delegate Control from the context menu of the OU

In the wizard, select Create a custom task to delegate.

Selecting custom tasks to create for assignment

Next, choose Only the following objects in the folder and check msFVE-RecoveryInformation objects, so that the permission is scoped to the recovery objects and not to the computer accounts or the OU itself.

Assigning authorization for msFVE recovery information objects

Full Control, as granted here, is the simplest choice, but viewing the keys needs only Read on the msFVE-RecoveryInformation objects. Full Control additionally allows the group to modify or delete stored recovery information, so grant only Read unless the group also has to clean up old objects.

Granting full access to msFVE recovery information objects

Members of the security group can now see the recovery keys in the BitLocker Recovery tab. Users that were added to the group need to log on again first, because the new group membership only becomes part of their access token with a fresh logon.
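The same delegation the wizard performs, scripted with the ActiveDirectory module's AD: drive, as an added example that is not code from the original article. It grants Read rather than Full Control by default (a switch reproduces the wizard's Full Control), and the OU and group names are placeholders to be replaced.

```powershell
# Added example, not from the original article: the delegation the wizard performs, done
# in PowerShell with the ActiveDirectory module's AD: drive, but granting Read instead of
# Full Control. OU and group names are placeholders.
param(
    [string]$OU    = 'OU=Workstations,DC=corp,DC=example',
    [string]$Group = 'BitLocker-Readers',
    [switch]$FullControl    # reproduce the wizard's Full Control instead of Read
)

Import-Module ActiveDirectory -ErrorAction Stop

$groupSid = (Get-ADGroup -Identity $Group -ErrorAction Stop).SID

# The ACE must be scoped to the msFVE-RecoveryInformation class, so fetch the class's
# schemaIDGUID; that is what the wizard's "Only the following objects" choice does.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$class     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$classGuid = [guid]$class.schemaIDGUID

$rights = if ($FullControl) { [System.DirectoryServices.ActiveDirectoryRights]::GenericAll }
          else              { [System.DirectoryServices.ActiveDirectoryRights]::GenericRead }

# Descendents + inheritedObjectType: the right applies only to msFVE-RecoveryInformation
# objects anywhere below the OU, not to the OU or the computer objects themselves.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid
)

$path = "AD:\$OU"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Show what was granted, for a quick check against the OU's Security tab
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run it once per OU that holds computer accounts; because the ACE is inherited, new computers created below the OU are covered automatically. Auditing who read a recovery password afterwards requires a SACL on the same objects, which neither the wizard nor this script sets up.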

