Bitlocker Keys In Active Directory 〈2026 Update〉

Automatic key backup is configured via a Group Policy Object (GPO). Where do BitLocker recovery keys get stored in AD?

Under this policy, you must check the option: BitLocker keys in Active Directory

The Active Directory schema must be extended to include BitLocker-specific attributes.

Second, Active Directory logs every access to a computer object’s attributes, including BitLocker recovery keys. This provides a tamper-evident audit trail: who retrieved which key, for which machine, and at what time. This is invaluable for compliance frameworks such as ISO 27001, HIPAA, and PCI-DSS, which require demonstrable controls over access to decryption keys.
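The following PowerShell script is an added example, not part of the original article. It answers the "where are the keys stored" question in code: after the schema extension, each backed-up key lives as an msFVE-RecoveryInformation child object under the computer object. The script checks that the schema class exists and reports which computers in an OU have no backup object at all; it deliberately never reads msFVE-RecoveryPassword, so running it does not expose keys. The OU distinguished name is an assumed placeholder; the RSAT ActiveDirectory module and read access to computer objects are assumed.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and an account that can read computer objects. Only the existence of the
# backup object is checked; msFVE-RecoveryPassword is never requested.
Import-Module ActiveDirectory

function Test-BitLockerSchema {
    # The schema extension the article mentions adds the msFVE-RecoveryInformation
    # class; without it, clients have nowhere to write the key.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
    return [bool]$cls
}

function Get-BitLockerBackupStatus {
    param([string]$SearchBase)   # assumed OU DN, e.g. 'OU=Workstations,DC=corp,DC=example'

    $computers = if ($SearchBase) { Get-ADComputer -Filter * -SearchBase $SearchBase }
                 else             { Get-ADComputer -Filter * }

    foreach ($c in $computers) {
        # Recovery information is stored as child objects of the computer object,
        # one msFVE-RecoveryInformation object per protected volume/protector.
        $keys = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                             -Properties whenCreated
        $keys = @($keys)
        [pscustomobject]@{
            Computer  = $c.Name
            KeyCount  = $keys.Count
            LatestKey = ($keys | Sort-Object whenCreated -Descending |
                         Select-Object -First 1).whenCreated
            BackedUp  = ($keys.Count -gt 0)
        }
    }
}

# Usage: fail early if the schema was never extended, then list machines whose
# keys were never escrowed (placeholder OU, adjust to your environment).
if (-not (Test-BitLockerSchema)) {
    throw 'Schema not extended: msFVE-RecoveryInformation class is missing.'
}
Get-BitLockerBackupStatus -SearchBase 'OU=Workstations,DC=corp,DC=example' |
    Where-Object { -not $_.BackedUp } |
    Format-Table Computer, KeyCount, LatestKey -AutoSize
```

Note that the "every access is logged" property described above holds only when Directory Service Access auditing and a SACL on the computer objects are in place; a script like this one, which avoids the password attribute, keeps that audit trail limited to genuine key retrievals.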

Despite its benefits, storing keys in AD introduces a significant risk: if an attacker gains Domain Admin privileges, they could potentially retrieve every BitLocker key in the organization, rendering disk encryption useless. Therefore, several mitigations are mandatory:

You must configure the policy to force the backup. This is found in: