Manually Backup BitLocker Recovery Key to AD

In this post I will show you how to manually backup the BitLocker recovery key to Active Directory. This should also help you to backup recovery information in AD after BitLocker is turned ON in Windows OS.

BitLocker is an encryption feature available in the Windows 10 Professional and Enterprise editions. However, it requires a Trusted Platform Module (TPM) on the system. When used with a TPM, BitLocker provides the best security.

There are some situations where you might need to manually upload the BitLocker key to AD:

  • Imagine that you have imaged a machine with the Windows 10 OS. You enable BitLocker encryption and join the machine to the domain. You might now want to back up the BitLocker key to AD.
  • Maybe the machine was not connected to the network when BitLocker was enabled, so the recovery information couldn’t be saved to Active Directory.
  • Perhaps the Group Policy setting to save the recovery information to AD was not enabled at the time of encryption.
  • You notice that the computer object in AD doesn’t show the BitLocker recovery key. You troubleshoot and fix the Group Policy issue, but you still need to manually save the key to AD.

Manually Backup BitLocker Recovery Key to AD

There is an easy way to manually back up the BitLocker recovery key to Active Directory. You do not need to decrypt and re-encrypt the drive to store the recovery information in AD.

First of all, you require local admin rights to run manage-bde commands, so ensure you are using the correct account to perform the steps.

On your Windows 10 computer, you can use the manage-bde.exe command to save the recovery information in AD. If you have not enabled BitLocker encryption, you must do that first: encrypt your hard drive and temporarily save the recovery key in a file.

Most of all, remember that the below steps will work only if the client machine has received the Group Policy setting that allows saving the recovery information to AD. Otherwise you will see the error: “Group Policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.”

Open an elevated command prompt and run the below command.

manage-bde -protectors -get c:

Running the above command outputs the TPM details, the Numerical Password protector and the BitLocker recovery key. Note down the ID (the GUID in braces) of the Numerical Password protector of the volume.


To manually back up the BitLocker recovery key to Active Directory, run the below command. Remember to replace the value after -id with the ID of your Numerical Password protector.

manage-bde -protectors -adbackup c: -id {B378095C-D929-4711-B30F-63B9057D0E05}


Finally, look for the message “Recovery information was successfully backed up to Active Directory”.
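The same procedure can be scripted so that every numerical password protector on the machine is escrowed and the result is checked against AD. The following is an added example, not code from the original post; it assumes the BitLocker PowerShell module is present on the client and, for the optional verification step, the RSAT ActiveDirectory module plus read access to the computer account’s msFVE-RecoveryInformation objects.

```powershell
# Added example: escrow every RecoveryPassword (numerical password) protector to AD
# with the BitLocker module, then optionally confirm the objects exist in AD.
# Run from an elevated PowerShell session on the domain-joined client.
Import-Module BitLocker

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors can be stored in AD; TPM protectors cannot.
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rpProtectors) {
        Write-Warning "$($vol.MountPoint): no numerical password protector, nothing to back up"
        continue
    }
    foreach ($kp in $rpProtectors) {
        try {
            # Equivalent of: manage-bde -protectors -adbackup <drive> -id <protector ID>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUp'
        } catch {
            # Typical cause: the Group Policy that permits storing recovery
            # information in AD has not yet applied to this client.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $kp.KeyProtectorId
            Status         = $status
        }
    }
}
$results | Format-Table -AutoSize

# Optional verification: each escrowed key is an msFVE-RecoveryInformation child
# of the computer object; msFVE-RecoveryGuid holds the protector ID as bytes.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $computerDN = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -SearchBase $computerDN -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties msFVE-RecoveryGuid, whenCreated |
        Select-Object Name, whenCreated,
            @{ n = 'ProtectorId'; e = { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') } }
}
```

Compare the ProtectorId values from the verification step with the KeyProtectorId column above; a protector that shows BackedUp but has no matching object usually means the client bound to a domain controller that has not yet replicated.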

Sam Banford

There’s also a PowerShell module available (must have the BitLocker feature enabled if on a Server OS):
https://docs.microsoft.com/en-us/powershell/module/bitlocker/?view=win10-ps

Same functionality just different interface if you want/need.

Shreedhar R

Thank you Prajwal. This post really helped me.

Dwijen

Thanks, that is really helpful.
