Recovering Bitlocker Keys from Active Directory

BitLocker is a great tool for ensuring that the data on your organization’s computers is protected when laptop computers are misplaced or hard disk drives are stolen. Volumes encrypted using bitlocker can be recovered using the bitlocker recovery tool (which you have to download from Microsoft’s website) if you have the appropriate recovery key. As each BitLocker key is individual (at least that is the case in pure Vista/2008 environments, it looks like it is possible to use an organization wide bitlocker key with Windows 7), the big problem with BitLocker recovery has been keeping track of every computer’s BitLocker keys.

The easiest way to keep track of all keys is to archive them to Active Directory. It saves a lot of effort with setting up an Excel spreadsheet! The Computer Configuration\Administrative Templates\Windows components\BitLocker Drive Encryption node of a Windows Server 2008 GPO contains a policy named Turn on BitLocker Backup To Active Directory Domain Services.

You can configure this policy so that BitLocker cannot be first enabled unless the computer is connected to the domain and the backup of the BitLocker keys to AD succeeds (BitLocker remains on after that). To ensure BitLocker keys are backed up, enable the policy and select the Require BitLocker Backup to AD DS option before deploying BitLocker. You can choose to back up recovery passwords and key packages or just recovery passwords. You should back up both items as this will give you more flexibility when attempting to recover encrypted volumes that might be damaged.

Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that you have Domain Administrator privileges in the domain in which the password is stored and the passwords are archived in AD. You can obtain this tool from Microsoft’s website here:

You should note that the tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, there isn’t any way to retrieve them unless you download this extra tool. Before you run the tool on a DC for the first time, but after you have installed it, it is necessary to run the command regsvr32.exe bdeaducext.dll. The tool itself modifies Active Directory Users and Computers so that when you view a computer account’s properties, there will be a BitLocker Recovery Tab that lists BitLocker recovery passwords associated with the computer account. You can remove the tool using Add or Remove Programs in the Control Panel. Once you’ve recovered the appropriate passwords, you can get on with recovering encrypted data!

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.