In this post I will show you how to manually backup the BitLocker recovery key to Active Directory. This should also help you to backup recovery information in AD after BitLocker is turned ON in Windows OS.

BitLocker is an encryption feature available in Windows 10 Professional and Enterprise editions. However it requires a Trusted Platform Module (TPM) on the system. When used with TPM, BitLocker provides the best security.

There are some situations where you might need to manually upload the BitLocker key to AD :-

  • Imagine that you have imaged a machine with Windows 10 OS. You enable BitLocker encryption and join the machine to domain.You might now want to backup the BitLocker key to AD.
  • May be the machine was not connected to the network when BitLocker was enabled. Hence the recovery information couldn’t be saved to Active Directory.
  • Probably the Group policy setting to save the recovery information to AD was not enabled at the time of encryption.
  • You notice that computer object in AD doesn’t show the BitLocker recovery key. You troubleshoot the issue and fix the group policy issue. However you might want to manually save the key to AD.

Manually Backup BitLocker Recovery Key to AD

There is an easy way to manually backup BitLocker Recovery key to Active Directory. You do not need to decrypt and re-encrypt the drive to store the recovery information in AD.

First of all you require local admin rights to run manage-bde commands. So ensure you are using the correct account to perform the steps.

On your Windows 10 computer, you can use manage-bde.exe command to save the recovery information in AD. If you have not enabled BitLocker encryption, you must first do that. Encrypt your hard drive and temporarily save the recovery key in a file.

Most of all remember that the below steps will work only if the client machine has received the group policy setting to save the information to AD. Otherwise you will see the error: Group Policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.

Open an elevated command prompt and run the below command.

manage-bde -protectors -get c:

Running the above command outputs the TPM details, Numerical password and BitLocker recovery key. Note down the numerical password protector of the volume.

Manually Backup BitLocker Recovery Key to AD

To manually backup BitLocker recovery key to Active Directory, run the below command. Remember to replace -id with your Numerical Password.

manage-bde -protectors -adbackup c: -id {B378095C-D929-4711-B30F-63B9057D0E05}

Manually Backup BitLocker Recovery Key to AD

Finally look for the message “Recovery information was successfully backed up to Active Directory”.

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.