I've looked through a lot of materials on backing up BitLocker recovery keys to AD, but they're too difficult for me to understand. Can you elaborate with clearer steps for me?
BitLocker recovery keys can be stored in Active Directory Domain Services (AD DS) if your device has already joined the Active Directory domain. Here are the key steps to manage BitLocker in Active Directory (AD):
Ensure that the AD DS schema extensions required for BitLocker recovery data storage have been deployed.
Steps: Use the PowerShell Active Directory module to run the following commands to check whether the five ms-FVE-* schema objects (the ms-FVE-RecoveryInformation class and its attributes) exist:
Import-Module ActiveDirectory
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}
Steps: Run the following command in PowerShell on Windows Server to set up the BitLocker Drive Encryption management feature:
Install-WindowsFeature RSAT-Feature-Tools-Bitlocker-BdeAducExt, RSAT-Feature-Tools-BitLocker-RemoteAdminTool, RSAT-Feature-Tools-BitLocker
For Windows 10/11, use the following PowerShell command to install the RSAT BitLocker Recovery Tools package:
Add-WindowsCapability -Online -Name Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0
Configure computers via Group Policy to ensure that BitLocker recovery information is stored in AD. Then you can retrieve the BitLocker recovery keys and recovery passwords from AD when needed.
Step 1 Open Group Policy Management Console (GPMC), create a new Group Policy Object (GPO), and link it to the specific domain.
Step 2 Right-click the GPO, choose "Edit", expand the tree, and then navigate to the path below:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption
Step 3 Edit "Store BitLocker recovery information in Active Directory Domain Services" policy.
First, set it to "Enabled". Then tick "Require BitLocker backup to AD DS". For "Select BitLocker recovery information to store", choose "Recovery passwords and key packages".
Step 4 Open the folder for the drive type whose BitLocker recovery information you want to store, such as Fixed Data Drives, Operating System Drives, or Removable Data Drives.
Step 5 Taking Removable Data Drives as an example, double-click the "Choose how BitLocker-protected removable drives can be recovered" policy, then:
Enable it. Tick the "Allow data recovery agent" option. Under "Configure user storage of BitLocker recovery information", select "Allow 48-digit recovery password" and "Allow 256-bit recovery key".
Tick the "Save BitLocker recovery information to AD DS for removable data drives" option and "Do not enable BitLocker until recovery information is stored to AD DS for removable data drives".
Step 6 Run Command Prompt as Administrator and use the following command to update Group Policy settings:
gpupdate /force
The manage-bde command-line tool, run from PowerShell or Command Prompt, can manually add a BitLocker recovery key to Active Directory.
Step 1 Get the current BitLocker protector ID of the BitLocker-encrypted drive:
manage-bde -protectors -get e:
Step 2 Send the BitLocker recovery key to AD using that protector ID:
manage-bde -protectors -adbackup e: -id '{CCB52433-509F-4C5F-B9F6-D21F47DE2766}'
Step 3 If the command executes successfully, you will see the following message:
Recovery information was successfully backed up to Active Directory.
Tips: The following PowerShell script gets the BitLocker recovery key protector on the system drive and backs it up to Active Directory (and to Azure AD) automatically:
$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorId
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorId
Note: After the Group Policy settings are applied, if you re-enable BitLocker on this computer, the BitLocker recovery key and recovery password will also be copied to AD automatically.
Search for the AD BitLocker recovery key: In Active Directory, you can check the BitLocker recovery information through the Active Directory Users and Computers (ADUC) interface. The BitLocker Recovery tab in the computer object's properties shows the BitLocker recovery key stored in AD.
Active Directory maintains a historical record of all BitLocker recovery passwords for computer objects. Old recovery keys are not automatically deleted from AD DS unless the computer object itself is deleted.
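As an added example (not part of the answer above), the following PowerShell script backs up every recovery password protector on the local machine to AD DS and then verifies the backup by listing the msFVE-RecoveryInformation child objects under the computer's AD object. It assumes the BitLocker and ActiveDirectory modules are installed, the script runs elevated on a domain-joined machine, and the account can read the computer object's child objects.

```powershell
# Added example: back up all RecoveryPassword protectors to AD DS, then verify.
Import-Module BitLocker
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$backedUp = @()

foreach ($vol in Get-BitLockerVolume) {
    $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        # A volume with no recovery password protector has nothing AD can store.
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, nothing to back up"
        continue
    }
    foreach ($p in $protectors) {
        # Same operation as 'manage-bde -protectors -adbackup', one protector at a time.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        $backedUp += $p.KeyProtectorId
        Write-Host "$($vol.MountPoint): backed up protector $($p.KeyProtectorId)"
    }
}

# Verify: each backup creates an msFVE-RecoveryInformation object directly under the
# computer object. Its Name is the backup timestamp followed by the protector GUID.
$stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated

foreach ($id in $backedUp) {
    $match = $stored | Where-Object { $_.Name -like "*$id*" }
    if ($match) {
        Write-Host "OK: $id present in AD (created $($match[0].whenCreated))"
    } else {
        # Not yet visible: replication lag, the policy not applied, or missing read rights.
        Write-Warning "MISSING: $id not found under $($computer.DistinguishedName)"
    }
}
```

The script only reads object names and creation times, not the msFVE-RecoveryPassword attribute itself, so it can be run by an account that is not allowed to retrieve recovery passwords.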
Of course, you can use BitLocker encryption on mounted VHD or VHDX files. Copying or moving such a VHD/VHDX file as a portable encrypted container file to any Windows computer is permitted.
BitLocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes. Its hardware-based encryption mode is also known as OPAL encryption.
Enabling BitLocker encryption on a virtual machine is similar to doing so on a physical computer, but it requires consideration of virtualization environment specifics.
Enabling BitLocker for a dual-boot system on different partitions within the same drive won't affect either system, because BitLocker encryption is based on partitions, not the entire drive.