How to save BitLocker keys in AD (Active Directory)

Within the confines of this informative tutorial, you shall embark on a path unveiling the seamless integration of BitLocker recovery keys into the esteemed realm of Windows Active Directory (AD). By adroitly adhering to the following steps, the security of your BitLocker-protected drives shall attain unparalleled fortification, as a centralized repository for imperative recovery information is established. Such a diligent undertaking ensures the safeguarding of your precious data, rendered accessible through clear and succinct guidance. Let us commence this expedition, empowering your AD with the treasured wisdom of BitLocker recovery keys.

Windows Cloud ServersCreate VMs in the cloud based Windows Server OS
License includedTry Windows Server

Requirements

• For setup BitLocker in AD you need to check all requirements accordance this list:
  A Trusted Platform Module (TPM) version 1.2 or newer. This feature is commonly found in most modern computers as a standard inclusion.
• A BIOS/UEFI firmware that supports TPM and has it enabled. Ensure that your computer's BIOS/UEFI settings have TPM enabled to enable smooth BitLocker functionality.
• Secure Boot enabled (if supported by your computer). Activating Secure Boot provides an additional layer of security and complements the TPM feature for enhanced data protection.

Create Policy for domain

To ensure the keys of needed storage within your domain,significant part in our instruction is make and form Group Policy which setup rule of encryption disk. Embrace the power of GPO management, which acts as the gateway to safeguarding BitLocker recovery keys centrally. To embark on this journey, open the GPO management panel.

First of all create object that you want to use in policy, for that open Windows Explorer by pressing combination of keys Win + E, next in the field above enter Control Panel\System and Security\Administrative Tools in that folder choose AD User and Computers:

In that utility create new organization unit or object that you want to apply by policy of disk encryption, for that click on the domain name choose New and Organizational Unit:

Add computer on your machine to OU:

Locating the Group Policy management system is a breeze - simply conduct a search or utilize the following command by pressing Win+R:

Next, establish a new group policy within the designated organizational unit that encompasses the computers where you desire to automatically store keys. For instance, you can apply it to the "Computer" OU. However, we can apply this for any objects in Active Directory: forest, domain, sites, OU or organizational unit all of that can be configured.

Click right mouse on the your object and choose accordance point as in the picture above:

Setup GPO for domain

Begin by establishing a distinct Group Policy. Then navigate to the specified GPO section as illustrated below, and proceed to activate the Store BitLocker recovery information in AD policy option. Follow path Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption, choose that parameter and change value to Enabled.

Let's continue the installation, now you need to go to the folder just below the menu list on the left and select the second Operating folder, which there will be a file with the Store settings, opening it with a double click, go to the panel and select Enabled.

Check all box like in the screen above in options field then make sure that you chek last box due to potential issue of recovery. If you want save keys on removable device you need to choose accordance configuration file and Enabled that function.

Update policy

Next step will be update policy or rules that we configure in the step above, for that type command in the CLI and wait some time:

Managing BitLocker data in the AD

In order to effectively manage and configure BitLocker on client computers, it is imperative to install the required components on the server. By doing so, you gain the capability to oversee and fine-tune BitLocker settings, ensuring optimal security and encryption for the client machines:

After successfully installing the component, a server restart is essential to complete the setup. Once the server is up and running, navigate to the Control Panel for AD users and components. Access the properties of the PC, where you will now find a new tab labeled "BitLocker Recovery." Within this tab, you gain the privilege to view the encryption key, providing essential insight into the BitLocker encryption status and recovery options for the PC.

In the event of a user encountering login difficulties, the domain administrator possesses the capability to retrieve the encryption key from the domain. Armed with this key, the user can effortlessly log in without any impediments. This seamless recovery process ensures swift access and minimizes potential disruptions caused by login complications, guaranteeing a smooth user experience.

In case a user encounters login issues, the administrator holds the ability to retrieve the encryption key from the domain. With this key in hand, the user can effortlessly log in without facing any hindrance. This seamless recovery process ensures swift access and minimizes any potential disruptions caused by login complications.

The recovery key can be conveniently located by utilizing the initial 8 characters, as demonstrated in our example, "6CEF9111." Employing this shortened representation allows for a quick and straightforward retrieval of the full recovery key, ensuring efficient recovery in case of any critical events or issues:

To ensure utmost security, exclusive access to the BitLocker key is granted solely to the domain administrator. Nevertheless, if needed, permissions can be adjusted to provide other domain users with access to the BitLocker key. This flexibility enables a controlled and well-managed approach to granting key retrieval rights, thus empowering the appropriate personnel to access and manage the BitLocker recovery process as required.

BitLocker encryption disk

By clicking on the disk in the target machine choose point with Turn on:

Once your key is securely stored in the domain, BitLocker automatically initiates the encryption process for the drive. This streamlined approach ensures seamless data protection.

Moreover, you have the flexibility to utilize multiple BitLocker passwords on a single PC, each associated with different portable flash drives. This versatile feature allows for convenient and tailored data encryption for various storage devices.

Is disk encrypted?

If you encrypted your disk before that step, then you need to know their ID and add them to the system storage for recovery purposes:

By executing this command, you gain access to the comprehensive details of the BitLocker encryption protectors associated with the specified drive. Replace "c:" with the letter corresponding to the specific drive you wish to inquire about. Upon running the command in either Command Prompt or PowerShell, pertinent information like recovery passwords, recovery keys, or TPM protectors (depending on the encryption method employed for that drive) will be displayed.

In that process we need to retrieve a ID (e.g., 6CEF9111-61C2-4A09-84E1-2C0F0AAD60D2).

To continue, follow the setup instructions and proceed to enter the next command in the provided interface. This pivotal step ensures the seamless progression of the configuration process, unlocking the full potential of BitLocker encryption.:

With this command, the specified key will be securely backed up in Active Directory, ensuring the enhanced protection and recovery of your encrypted drive.

Result

This tutorial has empowered you to implement and manage BitLocker with confidence, enhancing data security and enabling swift recovery measures within the AD environment. As a result, your organization is now equipped to safeguard critical data, reinforcing data protection strategies and mitigating potential risks effectively.