Save BitLocker Keys in Active Directory

Mark Berry September 27, 2014

One of the risks of turning on full-disk encryption is that you lose the recovery password and lock yourself out of your own data. It turns out to be pretty simple to have BitLocker save its recovery passwords in Active Directory and to look them up there when you need them.

I’m working with Server 2012 R2 Essentials and two Windows 7 laptops.

Turn on Group Policies

With help from this article, I turned on the group policies shown in the graphic below. I included the policy that allows BitLocker without a TPM chip ("Require additional authentication at startup", with "Allow BitLocker without a compatible TPM" checked), since one of my laptops does not have one.

BitLocker in AD 1

Now, when you turn on BitLocker on a domain computer, the recovery password (and the key package, if you chose to store it) is written to Active Directory. If you also enable "Do not enable BitLocker until recovery information is stored to AD DS", BitLocker refuses to turn on while no domain controller is reachable, so a laptop encrypted off the network cannot end up with no backup at all.

Enable BitLocker Administration on the Server

The BitLocker information may be in Active Directory, but you won't be able to see it until you install the BitLocker Recovery Password Viewer, which is part of the BitLocker Drive Encryption Administration Utilities feature (under Remote Server Administration Tools > Feature Administration Tools) in the server's Add Roles and Features Wizard:

BitLocker in AD 2

With that set up, go to Active Directory Users and Computers, right-click on a computer, and select Properties. You’ll see a new BitLocker Recovery tab along with a list of recovery passwords (hidden in my screen shot), one for each volume you are protecting with BitLocker:

BitLocker in AD 3

Note that this doesn't provide automatic unlocking of the volume. The TPM (or a startup key, on a machine without one) still unlocks the drive day to day; the recovery password in Active Directory is a backup you look up when that fails, for example after a firmware update or a motherboard swap. Print it or save it to a USB key or other storage as well, in case no domain controller is reachable when you need it. And since anyone who can read those AD objects can decrypt the drive, limit that permission the way you would Domain Admin rights. Network unlocking is available under certain circumstances but looks pretty complex; search the web for "BitLocker network unlock".
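Clicking through the BitLocker Recovery tab one computer at a time doesn't scale, and the thing you really want to know is which computers have no recovery password in AD at all. The script below is an added example, not code from the original post: run on the server, it walks the msFVE-RecoveryInformation objects that BitLocker creates under each computer object and reports, per volume, whether a password is present (without printing it). It assumes the ActiveDirectory PowerShell module (installed with RSAT or the AD DS role on Server 2012 R2) and an account allowed to read those objects; the function and parameter names are my own.

```powershell
# Added example (not from the original post): audit which computers have a
# BitLocker recovery password escrowed in Active Directory.
# Assumes: ActiveDirectory module, Server 2012 R2 / PowerShell 3.0 or later,
# and read access to msFVE-RecoveryInformation objects (Domain Admins by default).
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param(
        # Where to look; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # BitLocker stores one msFVE-RecoveryInformation child object per
        # protected volume under the computer object. Its CN is the backup
        # timestamp followed by the numerical password ID in braces.
        $entries = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -SearchBase $computer.DistinguishedName `
            -Properties 'msFVE-RecoveryPassword', 'whenCreated')

        if ($entries.Count -eq 0) {
            # No escrowed password: either not encrypted, or encrypted before the
            # policy took effect and never pushed with manage-bde -adbackup.
            [pscustomobject]@{ Computer = $computer.Name; PasswordId = $null; Stored = $null; HasPassword = $false }
            continue
        }

        foreach ($e in $entries) {
            $id = if ($e.Name -match '(\{[0-9A-Fa-f-]{36}\})') { $matches[1] } else { $null }
            [pscustomobject]@{
                Computer    = $computer.Name
                PasswordId  = $id
                Stored      = $e.whenCreated
                # Report presence only; the 48-digit password itself stays in AD.
                HasPassword = [bool]$e.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Computers with nothing escrowed are the ones to fix with manage-bde (next section).
Get-BitLockerRecoveryInfo | Where-Object { -not $_.HasPassword } | Format-Table Computer
```

A computer that shows up with no entries is not necessarily unencrypted; BitLocker may be on but the password was never written to AD, which is exactly the case the next section handles.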

Add Keys from Older Computers to Active Directory

If you have computers that were BitLocker-encrypted before you activated the group policies above, their keys will not be added to Active Directory automatically. To add their keys, see this TechNet article. In short, on the old computer, from an elevated command prompt, use manage-bde to get the ID of the Numerical Password protector, then use manage-bde again to push the protector with that ID to Active Directory:

manage-bde -protectors -get c:
manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Check for the password in Active Directory as shown above to confirm it got saved.
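Copying the GUID out of manage-bde's output by hand is error-prone, and you have to repeat it for every protected volume. The script below is an added example (not the post's or TechNet's code) that does the same two steps from PowerShell on the client: it parses the output of manage-bde -protectors -get for every Numerical Password protector and pushes each one with -adbackup, checking the exit code both times. It assumes an elevated PowerShell prompt on a Windows 7 or later domain member and English manage-bde output (the "Numerical Password:" header is localized on non-English systems); the function names and the constructed sample output are mine. Parsing manage-bde is the right tool here because the BitLocker PowerShell module does not exist on Windows 7.

```powershell
# Added example (not from the original post): push every Numerical Password
# protector on the given volumes to Active Directory.
# Assumes: elevated PowerShell 2.0+ on the client, English manage-bde output.

function Get-NumericalPasswordIds {
    param([string[]]$ManageBdeOutput)
    # manage-bde -protectors -get prints each protector as a block, e.g.
    #     Numerical Password:
    #       ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
    #       Password: ...
    # Collect the ID line that follows each "Numerical Password:" header;
    # TPM and other protector blocks are skipped.
    $ids = @()
    $inNumericalPassword = $false
    foreach ($line in $ManageBdeOutput) {
        if ($line -match '^\s*Numerical Password:\s*$') { $inNumericalPassword = $true; continue }
        if ($inNumericalPassword -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $matches[1]
            $inNumericalPassword = $false
        }
    }
    return ,$ids
}

function Backup-RecoveryPasswordsToAD {
    param([string[]]$Drives = @('C:'))
    foreach ($drive in $Drives) {
        $output = & manage-bde -protectors -get $drive 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "manage-bde -get failed for $drive : $($output -join ' ')"
            continue
        }
        $ids = Get-NumericalPasswordIds -ManageBdeOutput $output
        if ($ids.Count -eq 0) {
            # A volume protected only by TPM has nothing AD can store; add a
            # recovery password first with: manage-bde -protectors -add <drive> -RecoveryPassword
            Write-Warning "$drive has no Numerical Password protector; nothing to back up"
            continue
        }
        foreach ($id in $ids) {
            & manage-bde -protectors -adbackup $drive -id $id | Out-Null
            if ($LASTEXITCODE -eq 0) { Write-Output "$drive : backed up $id" }
            else { Write-Warning "$drive : backup of $id failed (exit code $LASTEXITCODE)" }
        }
    }
}

# Constructed sample of manage-bde output, to show what the parser picks out.
$sample = @(
    'Volume C: [OS]',
    'All Key Protectors',
    '',
    '    TPM:',
    '      ID: {11111111-2222-3333-4444-555555555555}',
    '',
    '    Numerical Password:',
    '      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}',
    '      Password:',
    '        000000-000000-000000-000000-000000-000000-000000-000000'
)
Get-NumericalPasswordIds -ManageBdeOutput $sample   # -> {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

# Real run: back up the system drive (add data volumes to the list as needed).
Backup-RecoveryPasswordsToAD -Drives @('C:')
```

A non-zero exit from -adbackup usually means the client could not reach a domain controller, or the computer account lacks the permission to create child objects under itself (the policy above grants it); after a successful run, the new entry appears on the BitLocker Recovery tab with today's date.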



1 Comment

  1. Tom Mannerud   |  January 07, 2015 at 7:54 pm

    An alternative to the standard Bitlocker Recovery Password Viewer is software called Cobynsoft’s AD Bitlocker Password Audit, which features a searchable and filterable gridview overview of all keys that allows you to easily spot machines with missing keys. Using this information paired with your technique above to manually add the keys into the Active Directory using manage-bde, you can save yourself some headache down the road if a machine with a missing key were to ask for a Bitlocker recovery key.

    http://www.cobynsoft.com/software/cobynsofts-ad-bitlocker-password-audit/

    [Editor’s note: Tom’s email address indicates that he works for Cobynsoft.]
