Why isn't Bitlocker Recovery Password appearing in Active Directory?

Per Microsoft's recommendation, I enabled Bitlocker on a new Windows 10 VM after joining it to my local Active Directory domain. After enabling Bitlocker, I went to go check that the recovery password was stored on my AD Domain Controller as should happen, and it wasn't, all I see is this:Active Directory Bitlocker view

Why wouldn't I be seeing it here? Is there a group policy I should have configured prior to enabling Bitlocker? I thought it was automatic.

1 Answer

Whether the feature BitLocker Recovery Password Viewer was installed in AD? Before being able to view the BitLocker Recovery keys in AD you need to install the BitLocker Password Recovery Viewer feature.

If the feature has been added in AD, please try the following detailed steps:

First, please make sure that your GPO setup to save the recovery key to AD DS. Computer Configuration>Administrative Templates>Windows Components>Bitlocker Drive Encryption>Operating System Drives>Choose how Bitlocker-protected operating system drives can be recovered, make sure this is set to enabled. You can then use the defaults.

Now from a domain admin account open PowerShell and insert the following command:

PS C:\> $BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\> Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

For more details, please refer to the official article from Microsoft:

Backup-BitLockerKeyProtector

If you now look at the computer object within AD you should see the recovery key. Don't forget to refresh if you've left it open.

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like