Per Microsoft's recommendation, I enabled Bitlocker on a new Windows 10 VM after joining it to my local Active Directory domain. After enabling Bitlocker, I went to go check that the recovery password was stored on my AD Domain Controller as should happen, and it wasn't, all I see is this:
Why wouldn't I be seeing it here? Is there a group policy I should have configured prior to enabling Bitlocker? I thought it was automatic.
1 Answer
Whether the feature BitLocker Recovery Password Viewer was installed in AD? Before being able to view the BitLocker Recovery keys in AD you need to install the BitLocker Password Recovery Viewer feature.
If the feature has been added in AD, please try the following detailed steps:
First, please make sure that your GPO setup to save the recovery key to AD DS. Computer Configuration>Administrative Templates>Windows Components>Bitlocker Drive Encryption>Operating System Drives>Choose how Bitlocker-protected operating system drives can be recovered, make sure this is set to enabled. You can then use the defaults.
Now from a domain admin account open PowerShell and insert the following command:
PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\> Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorIdFor more details, please refer to the official article from Microsoft:
If you now look at the computer object within AD you should see the recovery key. Don't forget to refresh if you've left it open.
1