Boris Moore
August 10, 2022
Updated September 5, 2022

How to save BitLocker keys in AD (Active Directory)


This tutorial will help you add BitLocker recovery keys to Windows AD.

Preparatory phase

To set up secure BitLocker key storage in AD, your platform must meet the following requirements:

  • Operating system: at least Windows 8.1 Enterprise or Windows 10 Pro
  • Client PCs must have a TPM 2.0
  • The ADMX (Group Policy template) files must be up to date

Step 1: Create an Organizational Unit

To enable secure storage of encrypted-drive keys in the domain, you must configure a Group Policy Object.

Open the Group Policy Management console (you can find it by searching for Group Policy Management, or you can launch it with the command:


Create a new Group Policy in the organizational unit that contains the computers whose keys you want to store automatically (in this example it is the OU ClientPC).


Step 2: Create and configure a GPO (Group Policy Object)

Create a separate Group Policy, go to the GPO section shown in the example below and enable the "Store BitLocker recovery information in AD" policy.


Next, go to the "Operating system Drives" section and activate the "Choose how BitLocker-protected operating system drives can be recovered" policy.


The last checkbox in this policy prevents BitLocker from encrypting the drive until the PC has successfully sent the recovery information to the domain.

If you also want to escrow the recovery keys of removable and fixed data drives, configure the same policy under "Group Policy Objects" in the "Removable Data Drives" and "Fixed Data Drives" sections.

Step 3: Update Group Policy Object

Update the policy settings on the client computers:

gpupdate /force


Step 4: BitLocker drive encryption

Encrypt your drive with BitLocker.

Once the key has been stored in the domain, the drive is encrypted automatically.

A PC can have several BitLocker recovery passwords (one per drive, for example for different removable flash drives).

Step 5: If the drive is already encrypted

If the drive has already been encrypted, use the following command to list its key protectors.

manage-bde -protectors -get c:

Specify the letter of your drive instead of "c".

We need the ID of the "Numerical Password" protector (e.g. 6CEF9111-61C2-4A09-84E1-2C0F0AAD60D2).

Run the command to add the key to AD.

manage-bde -protectors -adbackup C: -id {6CEF9111-61C2-4A09-84E1-2C0F0AAD60D2}
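The manage-bde steps above can be automated with the BitLocker PowerShell module. The script below is an added example and is not part of the original article: it checks that the GPO from step 2 has actually reached the client, then finds the "Numerical Password" (RecoveryPassword) protector on every encrypted volume and escrows it to AD DS, which is the PowerShell equivalent of manage-bde -protectors -adbackup. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed here and should be verified against your own GPO report; the computer is assumed to be domain-joined.

```powershell
# Added example (not from the original article): escrow every BitLocker
# recovery password on this computer to AD DS and report what was stored.
# Assumes the BitLocker module, a domain-joined client and an elevated prompt.

#Requires -RunAsAdministrator

# Registry location where the GPO from step 2 lands on the client.
# The value name OSActiveDirectoryBackup is an assumption to verify
# against "gpresult /h" on your own environment.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.OSActiveDirectoryBackup -ne 1) {
    Write-Warning "OS-drive AD backup policy is not applied; run 'gpupdate /force' and check the GPO link."
}

$backedUp = @()
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Verbose "$($vol.MountPoint) is not encrypted, skipping"
        continue
    }

    # The "Numerical Password" shown by manage-bde is the RecoveryPassword
    # key protector; only this protector type is escrowed to AD DS.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery password yet: add one so there is something to escrow.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # Equivalent of: manage-bde -protectors -adbackup <drive> -id <GUID>
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        $backedUp += [pscustomobject]@{
            Drive          = $vol.MountPoint
            KeyProtectorId = $p.KeyProtectorId
            # The first 8 characters of the ID are what the AD search in the
            # "BitLocker Recovery" tab asks for.
            SearchPrefix   = $p.KeyProtectorId.TrimStart('{').Substring(0, 8)
        }
    }
}

$backedUp | Format-Table -AutoSize
```

Running it on a PC with several drives lists each drive together with the 8-character prefix to hand to the help desk, so you can confirm in the "BitLocker Recovery" tab that every drive, not just C:, was escrowed.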

Managing BitLocker data in AD

To manage and configure BitLocker client computers, you need to install components on the server:


After installing the component, you need to restart the server.

Open the Active Directory Users and Computers console, open the properties of the PC, and you will see a new tab called "BitLocker Recovery"; in this tab you can see our recovery key.

If a user cannot get past the BitLocker recovery screen, the administrator can look up the recovery key in the domain, and with this key the user can unlock the drive and log in without any problems.


The recovery key can be found using the first 8 characters (In our example 6CEF9111).

By default only the domain administrator has the rights to read the BitLocker recovery key; this can be changed by delegating read rights to other domain users or groups.
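The same lookup by the first 8 characters can be done from PowerShell, which is handy for a help desk that has been delegated read rights but does not use the console. The script below is an added example and is not part of the original article; it assumes the ActiveDirectory module from RSAT and an account that can read msFVE-RecoveryInformation objects. The object naming convention it relies on (a timestamp followed by the key protector GUID in braces, stored as a child of the computer account) is how AD DS stores escrowed BitLocker data.

```powershell
# Added example (not from the original article): find a BitLocker recovery
# password in AD DS from the 8-character prefix shown on the recovery screen.
# Assumes the ActiveDirectory module (RSAT) and read rights on the
# msFVE-RecoveryInformation objects (domain admins by default).

param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{8}$')]
    [string]$KeyIdPrefix          # e.g. 6CEF9111 from the article's example
)

Import-Module ActiveDirectory

# Each escrowed key is a child object of the computer account, named
# "<timestamp>{<KeyProtectorId>}", so the GUID prefix can be matched by name.
$filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$($KeyIdPrefix)*'"

$results = Get-ADObject -Filter $filter -Properties msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        # The parent DN of the recovery object is the computer that escrowed it.
        $computerDn = ($_.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADComputer -Identity $computerDn).Name
            Escrowed         = $_.whenCreated
            KeyProtectorId   = $_.Name.Substring($_.Name.IndexOf('{'))
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }

if (-not $results) {
    Write-Warning "No recovery information found for prefix $KeyIdPrefix; check the GPO backup or the object ACL."
    return
}

# More than one hit means the prefix is not unique in this domain: compare
# the Computer and Escrowed columns with the caller before handing a key out.
$results | Format-List
```

Save it as a .ps1 and call it with the prefix, for example `.\Find-BitLockerKey.ps1 -KeyIdPrefix 6CEF9111`. Because reads of these objects are only as restricted as their ACL, it is worth combining the delegation mentioned above with directory access auditing, so that each recovery-password read is attributable to an account.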


As you can see from the example in this publication, storing encrypted drive keys in the domain is not so difficult, and we hope that our article was helpful!

In addition to the above settings, there are many other options in Group policy that will help you when using BitLocker.
