Q. How do I configure my BitLocker recovery password to be stored in Active Directory (AD)?

A. The Windows Server 2008 schema contains an update to allow the BitLocker recovery password to be stored in a child object of the BitLocker-enabled computer object. Doing so is a good idea if you’re deploying BitLocker within your organization.

If you’re running Windows Server 2008 domain controllers (DCs), no schema changes are necessary, because the required classes and attributes are part of the Server 2008 schema. If your DCs are running Windows Server 2003, you must extend the schema first; see the Microsoft article “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.”

To enable the BitLocker backup, you’ll need to enable the "Turn on BitLocker backup to Active Directory Domain Services" policy, which you’ll find at Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, as you see in Figure 1.

If you use GPresult /v to examine the Group Policy Resultant Set of Policy (RSoP) (the /v option enables verbose output), you should find the following setting in the output:

GPO: BitLocker AD Recovery Store
KeyName: Software\Policies\Microsoft\FVE\RequireActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled

When BitLocker is enabled on the computer, the recovery password will be stored in a child object of the computer object, of type msFVE-RecoveryInformation, as Figure 2 shows. Note that the actual 48-digit recovery password is stored in the msFVE-RecoveryPassword attribute, and the password ID that BitLocker displays at the recovery prompt is stored in msFVE-RecoveryGuid. A child object will be created for each volume encrypted with BitLocker. Two caveats: the backup happens at the moment a volume is encrypted, so volumes encrypted before the policy was applied will not have an object until you back their recovery password up explicitly; and anyone who can read msFVE-RecoveryPassword can unlock the volume, so delegate read access to these objects as narrowly as you would to any other secret.
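The following PowerShell is an added example, not code from the original article: it checks that the policy from the steps above actually reached the client, pushes the recovery password of an already-encrypted volume into AD, and then reads the resulting msFVE-RecoveryInformation objects back. It assumes an elevated session on a domain-joined client with the BitLocker module (Windows 8/Server 2012 or later; the manage-bde equivalent is noted in a comment), the RSAT ActiveDirectory module, and read permission on the recovery objects. The drive letter C: and the registry value name ActiveDirectoryBackup are assumptions made for the example.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell on a
# domain-joined BitLocker client, the BitLocker and ActiveDirectory modules, and
# read rights on msFVE-RecoveryInformation objects. Drive C: is assumed.

# 1. Confirm the GPO landed: the policy writes under HKLM\Software\Policies\Microsoft\FVE.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.ActiveDirectoryBackup -ne 1) {
    Write-Warning 'BitLocker AD DS backup policy is not applied; run gpupdate /force and re-check.'
}

# 2. Recovery passwords are backed up only when the policy is in place at encryption time.
#    For a volume encrypted earlier, back up each numerical-password protector explicitly.
#    Equivalent command-line form: manage-bde -protectors -adbackup C: -id {<protector ID>}
$vol = Get-BitLockerVolume -MountPoint 'C:'
$recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 3. Read it back: each backed-up password is a child object of this computer's AD object.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    ForEach-Object {
        # msFVE-RecoveryGuid comes back as a byte array; convert it to the GUID shown at the
        # recovery prompt so the object can be matched to the protector ID BitLocker reports.
        $guidBytes = [byte[]]$_.'msFVE-RecoveryGuid'
        [pscustomobject]@{
            Created    = $_.whenCreated
            PasswordId = (New-Object System.Guid -ArgumentList (,$guidBytes)).Guid
            Password   = $_.'msFVE-RecoveryPassword'
        }
    }
```

Run step 3 from an account that is meant to have recovery rights; if it returns nothing for a volume you know is encrypted, the usual causes are that the policy was applied after encryption (step 2 fixes that) or that the account cannot read the child objects.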
