Storing BitLocker recovery keys in Active Directory Domain Services (AD DS) provides several benefits. The escrowed recovery password lets a help desk unlock a drive whose TPM protector no longer validates (after a firmware update, a boot configuration change or a motherboard swap) without relying on the user having kept a copy. The flip side is that a recovery password is equivalent to the volume's encryption key for anyone who holds the disk, so read access to it in AD must be treated like access to a credential.

To store BitLocker recovery keys in AD DS, the following requirements must be met: the forest schema must contain the msFVE-* classes and attributes (included from Windows Server 2008 onward; older forests need the schema extension), the computer must be domain-joined, and the backup policy below must be in effect before BitLocker is turned on, because the backup is performed when the recovery password protector is created (a protector created earlier has to be backed up again manually).

The following Group Policy setting configures BitLocker recovery key storage in AD DS. Under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, enable the policy "Choose how BitLocker-protected operating system drives can be recovered". Within this policy, "Save BitLocker recovery information to AD DS for operating system drives" must be checked, and you choose whether to store recovery passwords only or recovery passwords and key packages. Also check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"; without it, a client that cannot reach a domain controller (for example, one imaged off the network) encrypts anyway and ends up with no escrowed key. Fixed data drives and removable drives have their own equivalent policies and are not covered by the operating system drive setting.

The recovery information is not written to attributes of the computer object itself but to a child object of class msFVE-RecoveryInformation beneath it, one object per recovery password. The child object's CN is the backup timestamp followed by the recovery GUID in braces, so a machine that has been re-encrypted or has had its protector rotated carries several of them; the newest is the one that currently unlocks the drive.

| Item | Location in AD |
|------|----------------|
| Recovery password | msFVE-RecoveryPassword attribute on the msFVE-RecoveryInformation child object |
| Recovery GUID | msFVE-RecoveryGuid attribute on the same child object |
| Key package | msFVE-KeyPackage attribute on the same child object (only when key packages are backed up) |
| Parent object | Computer object (class: computer) |
| Storage object class | msFVE-RecoveryInformation |

msFVE-RecoveryGuid: the unique ID of the recovery password. The BitLocker recovery screen shows only its first 8 hexadecimal characters as the "Recovery key ID", and that prefix is what the help desk uses to find the right object; the full GUID appears in manage-bde -protectors -get output and in the Password ID column of ADUC.

While the 48-digit recovery password is the most common key stored, BitLocker also interacts with the Trusted Platform Module (TPM). Historically, AD also stored the TPM owner authorization (OwnerAuth) in the msTPM-OwnerInformation attribute of the computer object, written when the policy "Turn on TPM backup to Active Directory Domain Services" was enabled.

However, beginning with Windows 10 version 1607 and Windows Server 2016, the default behavior changed. The OS no longer sends the OwnerAuth to AD and retains it in the local registry only when the TPM policy "Configure the level of TPM owner authorization information available to the operating system" is set to Full; TPM 2.0 handles authorization differently from TPM 1.2, and Windows itself performs the operations, such as clearing the TPM, that used to need the owner password. In a mixed fleet an empty msTPM-OwnerInformation on a Windows 10 1607+ client is therefore expected rather than a failed backup, while older clients with TPM 1.2 still populate it when the backup policy is enabled. Administrators must be aware of this distinction when managing mixed environments.

To view the escrowed keys, open Active Directory Users and Computers (ADUC) on a domain controller or a machine with RSAT installed, and make sure the "BitLocker Recovery Password Viewer" RSAT feature is installed, because that feature is what adds the tab. Ensure Advanced Features is enabled under the View menu. Locate the specific computer account, right-click the computer, select Properties and navigate to the BitLocker Recovery tab, which lists each msFVE-RecoveryInformation object with its backup date, Password ID and recovery password. The same feature adds "Find BitLocker recovery password" to the domain's context menu for searching by the first 8 characters of the Password ID when only the recovery screen is available. Reading the password requires read permission on msFVE-RecoveryPassword, which Domain Admins hold by default; delegate that attribute explicitly to the help-desk group rather than granting broader rights.
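The policy check and escrow step described above, as an added PowerShell example that is not part of the original page: it confirms on a client that the operating system drive backup policy is in effect, backs up every recovery-password protector to AD DS, and then verifies that the msFVE-RecoveryInformation child object really exists instead of trusting the cmdlet's silence. It assumes an elevated session on a domain-joined Windows 10/11 client with the BitLocker and ActiveDirectory (RSAT) PowerShell modules available; the registry value names are the ones the policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original page). Verify the OS-drive backup
# policy, escrow recovery passwords to AD DS and confirm the AD object exists.
# Assumes: elevated, domain-joined, BitLocker + ActiveDirectory modules present.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$want = @{
    OSActiveDirectoryBackup        = 1   # "Save BitLocker recovery information to AD DS ..."
    OSRequireActiveDirectoryBackup = 1   # "Do not enable BitLocker until ... stored to AD DS ..."
}
foreach ($name in $want.Keys) {
    $have = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($have -ne $want[$name]) {
        Write-Warning "$name is '$have', expected $($want[$name]): AD backup is not enforced for the OS drive."
    }
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
$recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recoveryProtectors) {
    # Without a recovery-password protector there is nothing AD can escrow;
    # create one (the 48-digit password is generated locally).
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
foreach ($p in $recoveryProtectors) {
    # Backup-BitLockerKeyProtector only accepts RecoveryPassword protectors and
    # creates the msFVE-RecoveryInformation child object under this computer.
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null

    # Confirm: the child's CN is "<timestamp>{<recovery GUID>}", so match on the GUID suffix.
    $escrowed = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*$($p.KeyProtectorId)'"
    if ($escrowed) {
        "Escrowed $($p.KeyProtectorId) as $($escrowed.Name)"
    } else {
        # Success/failure of the backup is also logged by BitLocker-API (event 845 / 846).
        Write-Warning "No AD object found for $($p.KeyProtectorId); check the BitLocker-API event log."
    }
}
```

Run this as a post-imaging check or from a scheduled task: the warning branch is the case that matters, because a machine that encrypted without reaching a domain controller looks healthy locally yet has no recoverable key.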
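The lookup that the ADUC BitLocker Recovery tab and the "Find BitLocker recovery password" search perform, as an added PowerShell example that is not part of the original page, so it can be scripted and audited. It searches either by computer name or by the 8-character Recovery key ID from the recovery screen, reads the attributes listed in the table above, and also shows the msTPM-OwnerInformation check for the mixed-fleet case discussed earlier. It assumes the ActiveDirectory (RSAT) module and that the caller has been granted read on msFVE-RecoveryPassword; the computer name PC01 and the Key ID 1A2B3C4D are placeholders.

```powershell
# Added example (not from the original page). Help-desk lookup of escrowed
# BitLocker recovery information. Assumes the ActiveDirectory module and read
# permission on msFVE-RecoveryPassword. PC01 / 1A2B3C4D are placeholders.

function Get-BitLockerRecoveryInfo {
    param(
        [string]$ComputerName,   # every escrowed password for one machine
        [string]$KeyId           # or the 8-char "Recovery key ID" from the recovery screen
    )
    $props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    if ($ComputerName) {
        # Child objects live directly beneath the computer object.
        $base = (Get-ADComputer -Identity $ComputerName).DistinguishedName
        $objs = Get-ADObject -SearchBase $base -SearchScope OneLevel -Properties $props `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'"
    } elseif ($KeyId) {
        if ($KeyId -notmatch '^[0-9A-Fa-f]{8}$') {
            throw 'KeyId must be the first 8 hex characters of the recovery GUID'
        }
        # CN is "<timestamp>{<GUID>}", so the Key ID can be matched as a substring
        # of the name without decoding the binary msFVE-RecoveryGuid value.
        $objs = Get-ADObject -Properties $props `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyId-*'"
    } else {
        throw 'Specify -ComputerName or -KeyId'
    }

    foreach ($o in $objs) {
        # msFVE-RecoveryGuid is an octet string; older module versions return byte[].
        $raw  = $o.'msFVE-RecoveryGuid'
        $guid = if ($raw -is [guid]) { $raw } else { [guid]::new([byte[]]$raw) }
        [pscustomobject]@{
            # Parent DN is the computer object; strip it down to the CN.
            Computer         = ($o.DistinguishedName -split ',', 2)[1] -replace '^CN=([^,]+).*', '$1'
            BackedUp         = $o.whenCreated
            RecoveryGuid     = $guid
            KeyId            = $guid.ToString().Substring(0, 8).ToUpper()
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Newest escrowed password for a machine (several accumulate after re-encryption
# or protector rotation; only the one matching the current protector works).
Get-BitLockerRecoveryInfo -ComputerName 'PC01' |
    Sort-Object BackedUp -Descending | Select-Object -First 1

# What the help desk types in from the recovery screen.
Get-BitLockerRecoveryInfo -KeyId '1A2B3C4D'

# TPM side, for mixed fleets: empty is expected on Windows 10 1607+ / Server 2016+ clients.
(Get-ADComputer -Identity 'PC01' -Properties msTPM-OwnerInformation).'msTPM-OwnerInformation'
```

Because the function returns the recovery password in clear, wrap it in the same controls you would put around any credential retrieval: run it from a delegated account rather than a domain admin, and keep AD object access auditing on the msFVE-RecoveryInformation objects so that reads of the attribute are logged.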