Configuring Active Directory to Store Bitlocker Recovery Information

GPO Settings:


  1. Open "Group Policy Management".
  2. Navigate to the GPO that is linked to the OU that should receive your BitLocker settings.
  3. Right click on the GPO and select "Edit".
  4. Navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption.
  5. Double click on "Store BitLocker recovery information in Active Directory Domain Services" and configure it as follows:
    1. Click ENABLE.
    2. Check the box "Require BitLocker backup to AD DS".
  6. Click "OK".
  7. Under Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption, click on the folder that matches your configuration (Operating System Drives, Fixed Data Drives, or Removable Data Drives).
  8. Double click on "Require additional authentication at startup" and configure your settings as follows:
    1. Click ENABLE.
    2. Check the box "Allow BitLocker without a compatible TPM" (only if there are computers in the domain without TPM chips that require protection).
    3. Under Configure TPM, select Allow TPM.
    4. Under Configure TPM startup PIN, select Allow startup PIN with TPM.
    5. Under Configure TPM startup key, select Allow startup key with TPM.
    6. Under Configure TPM startup key and PIN, select Allow startup key and PIN with TPM.
  9. Click "OK".
  10. Double click on "Choose how BitLocker-protected operating system drives can be recovered" and configure it as follows:
    1. Check the box "Allow data recovery agent".
    2. Select "Allow 48-digit recovery password" and "Allow 256-bit recovery key" from the two drop-down lists.
    3. Check the box "Save BitLocker recovery information to AD DS...".
    4. Select "Store recovery passwords and key packages" from the drop-down list.
    5. Check the box "information is stored to AD DS for operating system drives".
  11. Click "OK".
  12. Navigate to Computer Configuration->Policies->Administrative Templates->System->Trusted Platform Module and set "Turn on TPM backup to Active Directory Domain Services" to "Enabled".
  13. Click "OK".

If a machine was already encrypted before the Group Policy was enforced, you can force it to store its recovery information in Active Directory by opening an elevated PowerShell session and typing manage-bde -protectors -get c: to list its BitLocker protectors, then typing manage-bde -protectors -adbackup c: -id '{<numerical password ID>}' using the ID shown under the Numerical Password protector.
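As an added example (not part of the original page), the same post-hoc backup scripted for every protected volume with the BitLocker PowerShell module instead of manage-bde. It assumes Windows 8 / Server 2012 or later, an elevated session on the domain-joined client, and that the policy registry value OSActiveDirectoryBackup under HKLM\SOFTWARE\Policies\Microsoft\FVE reflects step 10 above (an assumption about the policy-to-registry mapping, used only as a pre-check).

```powershell
# Added example: back up every recovery password protector on this machine
# to AD DS. Equivalent to the manage-bde -protectors -adbackup step above.
#Requires -RunAsAdministrator
Import-Module BitLocker

# Pre-check (assumed registry mapping): warn if the OS-drive AD DS backup
# policy has not applied yet, since the backup below is what it enforces.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.OSActiveDirectoryBackup -ne 1) {
    Write-Warning "AD DS backup policy not found under $fve; run 'gpupdate /force' and re-check."
}

foreach ($vol in Get-BitLockerVolume) {
    # Skip volumes that are not actually protected; there is nothing to escrow.
    if ($vol.ProtectionStatus -ne 'On') { continue }

    # Only the Numerical Password (recovery password) protector is stored in AD DS.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
        continue
    }

    foreach ($p in $rp) {
        # Same as: manage-bde -protectors -adbackup <drive> -id '{<numerical password ID>}'
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "$($vol.MountPoint): backed up protector $($p.KeyProtectorId) to AD DS"
        } catch {
            # Typical causes: no domain controller reachable, or the computer
            # account lacks the schema/permissions for msFVE-RecoveryInformation.
            Write-Warning "$($vol.MountPoint): backup of $($p.KeyProtectorId) failed: $($_.Exception.Message)"
        }
    }
}
```

To confirm the escrow from a machine with the AD PowerShell module, list the msFVE-RecoveryInformation child objects of the computer account, for example with Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer $env:COMPUTERNAME).DistinguishedName.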