How to store BitLocker recovery information in AD DS


This is a follow-on from question:-

We have Windows 7 Enterprise clients and a Server 2012 domain.  We do not have SCCM.  We will be enabling Bitlocker on our machines manually at the same time as the image is applied and are only using it to encrypt the system drive, however, we need the recovery information to be automatically stored in AD DS.  

Is there any way to do this without using MBAM in a Windows 7/Server 2012 environment?  MBAM seems overly complex for our needs and we would rather not have to install it on our server & clients if it can be avoided.

Is there an easier way to achieve this end result without the hassle of getting MBAM up and running?  We are on a tight deadline with machines ready to go right now, so a quick / simple solution would be the ideal.

FriendlyITInfrastructure Team asked:
In your previous question, I uploaded a screenshot. This is what you are asking for. No MBAM required.
FriendlyITInfrastructure Team (Author) commented:
Hi McKnife,

Thanks for responding again.

Can you tell me where exactly the Group Policy is so that I can find it?

Is there nothing else necessary on the server side to enable this?

How would you decrypt a drive encrypted using that policy?

I really hoped I had made my point clear before (in the previous thread): don't start until you feel you can answer all my questions. Now you write "We are on a tight deadline" and at the same time you wonder how to decrypt drives? That's the basics, they need to be understood first, not asked in forums :|

The policies are located at computer config -  Windows Components\BitLocker Drive Encryption\

one for Operating System Drives and one for fixed data drives. Title as in the screenshot: " Choose how BitLocker-protected operating system drives can be recovered", settings just as in the screenshot.
Same for removable drives at  Windows Components\BitLocker Drive Encryption\Removable Data Drives

Decryption is not needed, ever. Restore from your image backup. If you insist on needing to decrypt, use administrative rights together with the recovery key, start it via context menu "manage bitlocker", then "turn off bitlocker" (=decrypt).
FriendlyITInfrastructure Team (Author) commented:
We have been trying to understand it but are not finding the documentation to be particularly clear, and it is conflicting, which is why we are posting questions here in an effort to better understand it.  If there is clear documentation somewhere that will help us do this, then please point us in the right direction.  We have been looking at this for several months and have managed to manually encrypt some drives successfully with a TPM PIN (or a USB key for a few that don't support TPM) and have stored the keys ourselves in a central location.  Just asking me a load of questions as you did in the previous thread helps me know what I don't understand but doesn't help me to understand it better.  We are now at a point where we need to go live with this and the deadline is not ours and is not moveable, so we are having to deal with this as best we can.  I know this is not ideal, but this is the situation we are in.
That is understood and I expected nothing else. My point is, this is extremely dangerous terrain, you need to know what you are doing. If the recovery keys are safe, all is well, but for your comfort, I urge you to try and answer all questions I had. My offer was to answer those you can't answer for you/together with you.
FriendlyITInfrastructure Team (Author) commented:
OK - I will repost your questions here for completeness and then discuss with my colleagues what we do and don't understand.


 1 What bitlocker functions are there for OS drives as opposed to removable drives?
 2 Which of those do I need?
 3 Do my OS' offer these functions I need?
 4 What is it about a TPM that with default settings, only TPM machines may use bitlocker?
 5 What would it mean for security not to use a TPM?
 6 What does Bitlocker call a protector?
 7 What protectors can I use?
 8 Depending on the chosen protector(s) and the rest of the setup, what attack types are still possible and can I live with that?
 9 What is MBAM and am I entitled to use it?
 10 How could we initiate the encryption and what options are there for it?
 11 Who would have access to the protectors and their backup information?
 12 How would we backup and restore the encrypted drives' contents?
 13 What would we do if someone is unable to start their computer because of OS corruption?
 14 What to do if someone cannot start their machine because of bitlocker?
FriendlyITInfrastructure Team (Author) commented:

Well McKnife, your suggestions only gave part of the picture.  We ended up with these settings which are now working.

Working Bitlocker GPO settings
We got this from here:-

Source: TechNet Blog - Cannot save recovery information for Bitlocker in Windows 7
Bitlocker Group Policy Settings

We also had to install the Bitlocker RSAT tools on the DC's.

Installing Bitlocker RSAT tools
Once we had done all that, encrypted drives would automatically write to AD DS.

You can also back up the Bitlocker information for already encrypted drives like this:-

Open Command Prompt as administrator on the relevant machine.

    manage-bde -protectors -get c:

Copy the Numerical Password ID to clipboard.

    manage-bde -protectors -adbackup c: -id {Numerical Password ID}

Source: Technet: How to backup recovery information in AD after Bitlocker is turned on in Windows 7

Once it is in AD – you can search for it using the first 8 characters of the Password ID.

Find Bitlocker Recovery Password in AD
Find Bitlocker Recovery Password in AD [2]
Alternatively if you navigate to the device in AD, you can see the Bitlocker tab in the computer properties.

Bitlocker AD tab
Hope this helps someone else!  Thanks for getting us on the right track.
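The two manage-bde steps above, automated for every BitLocker volume on a machine, as an added example that is not part of the original thread. It uses the Win32_EncryptableVolume WMI class, which is present on Windows 7 without the BitLocker PowerShell module (Backup-BitLockerKeyProtector only exists from Windows 8/Server 2012), so it can run on the clients described in the question. The second function lists the msFVE-RecoveryInformation objects under a computer account so the backup can be verified from the AD side; it assumes the account running it has been granted read access to those objects (by default Domain Admins), and the computer name parameter is a placeholder.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on a
# domain-joined Windows 7 client with the "Save BitLocker recovery information
# to AD DS" policy applied, otherwise the backup call returns a non-zero HRESULT.
function Backup-BitLockerRecoveryToAD {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume
    $report = @()

    foreach ($vol in $volumes) {
        # GetProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
        $status = $vol.GetProtectionStatus().ProtectionStatus
        if ($status -ne 1) {
            $report += [pscustomobject]@{ Drive = $vol.DriveLetter; ProtectorId = $null; Result = "skipped (protection status $status)" }
            continue
        }

        # Key protector type 3 = numerical password, i.e. the 48-digit recovery
        # password. Same IDs that "manage-bde -protectors -get" prints.
        $kp = $vol.GetKeyProtectors(3)
        if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
            $report += [pscustomobject]@{ Drive = $vol.DriveLetter; ProtectorId = $null; Result = 'no numerical password protector' }
            continue
        }

        foreach ($id in $kp.VolumeKeyProtectorID) {
            # Equivalent of: manage-bde -protectors -adbackup <drive> -id <id>
            $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            if ($rc -eq 0) {
                $result = 'backed up to AD DS'
            } else {
                # Typical causes: GPO not applied, schema lacks msFVE-* classes on
                # old forests, or the computer object cannot write its own children.
                $result = ('failed, HRESULT 0x{0:X8}' -f $rc)
            }
            $report += [pscustomobject]@{ Drive = $vol.DriveLetter; ProtectorId = $id; Result = $result }
        }
    }
    return $report
}

# Verify from the AD side: list the msFVE-RecoveryInformation objects stored
# under the computer account. Uses plain ADSI, so no RSAT is required on the
# machine running it. $ComputerName is a placeholder (assumption).
function Get-BitLockerRecoveryObjectsFromAD {
    param([Parameter(Mandatory)][string]$ComputerName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer account $ComputerName not found" }

    $computerDN = $computer.Properties['distinguishedname'][0]
    $searcher.SearchRoot = [ADSI]"LDAP://$computerDN"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'msFVE-RecoveryGuid', 'whenCreated'))

    foreach ($obj in $searcher.FindAll()) {
        # The object name is "<timestamp>{<recovery password GUID>}"; the first
        # eight hex characters of that GUID are what the Recovery Password Viewer
        # searches on, as described in the post above.
        $guid = [guid]::new([byte[]]$obj.Properties['msfve-recoveryguid'][0])
        [pscustomobject]@{
            Name        = $obj.Properties['name'][0]
            PasswordId  = $guid.ToString().ToUpper()
            SearchKey   = $guid.ToString().Substring(0, 8).ToUpper()
            WhenCreated = $obj.Properties['whencreated'][0]
        }
    }
}

# Usage:
#   Backup-BitLockerRecoveryToAD | Format-Table -AutoSize
#   Get-BitLockerRecoveryObjectsFromAD -ComputerName 'WKS001' | Format-Table -AutoSize
```

The verification function deliberately does not read msFVE-RecoveryPassword: listing the objects is enough to confirm the backup landed, and the password attribute is confidential in the schema, so only accounts that have been explicitly delegated that right will see it. Keep that delegation tight; anyone who can read it can unlock the drive.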


Installing the server component has nothing to do with recovery information being backed up or not. It is just for viewing this information, by the way.
FriendlyITInfrastructure Team (Author) commented:
Yes, I am aware of that.  This was from our internal documentation and I felt was still relevant for people that might be looking at this.  The main thing was that there were extra policies required to get this working which I included in the documentation.
If you look closely, it was just those that I described. TPM backup is something else and not needed to decrypt. The only policy I did not mention of those shown is the one for Vista/7 and 2008, not needed for newer OS'.
FriendlyITInfrastructure Team (Author) commented:
Hi McKnife.

I don't want to get into an argument.  I gave you the points.  However the changes you suggested did not work on their own.  We had to make the other changes that I have outlined before things started working.  I have added them for anyone else that has the same problem, not to try and make you look bad.

Not received as if you made me look bad, it's just that if you compare (yes, I did) you'll see that you simply missed some of the steps that I suggested - those were just the same that your screenshot shows - just the same. :)
FriendlyITInfrastructure Team (Author) commented:
Well your screenshot only referred to the fixed drive policy which wasn't sufficient.

I have just checked back though and you did say "Same to do for OS drives." but I didn't see that line.  If it had been in the screenshot I definitely wouldn't have missed it.

My apologies for not spotting that comment.
FriendlyITInfrastructure Team (Author) commented:
The solutions suggested did not give all of the information required to get this working.  My solution shows what we had to do to get this working in the end.