Store BitLocker keys in Active Directory
Enable Group Policy
Enable the Group Policy setting that allows BitLocker recovery keys to be stored in AD.
Add BitLocker viewer feature
On the domain controller, add the "BitLocker Drive Encryption Administration Utilities" feature.
Afterwards, it should be visible in Active Directory Users and Computers.
Add a computer with BitLocker already activated
From PowerShell with admin rights.
Force an update of group policies:
PS C:\Windows\system32> gpupdate /Target:Computer /Force
Updating policy...
Computer Policy update has completed successfully.
Upload keys to AD
PS C:\Windows\system32> $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
PS C:\Windows\system32> $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
PS C:\Windows\system32> Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID

ComputerName: COMPUTER

VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector            AutoUnlock Protection
                Point                           Percentage                         Enabled    Status
----------      ----- ---------- ------------   ---------- ------------            ---------- ----------
OperatingSystem C:        476.31 FullyEncrypted        100 {Tpm, RecoveryPassword}            On

PS C:\Windows\system32> BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID

ComputerName: COMPUTER

VolumeType      Mount CapacityGB VolumeStatus   Encryption KeyProtector            AutoUnlock Protection
                Point                           Percentage                         Enabled    Status
----------      ----- ---------- ------------   ---------- ------------            ---------- ----------
OperatingSystem C:        476.31 FullyEncrypted        100 {Tpm, RecoveryPassword}            On
Easy copy paste
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
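The snippet above covers the system drive only and assumes a RecoveryPassword protector already exists. The script below is an added example, not from the original page: it generalises the procedure to every encrypted volume, creates a recovery password where a TPM-only volume lacks one, backs each protector up to AD DS (and optionally Azure AD), and then verifies that the matching msFVE-RecoveryInformation object exists under the computer account. It assumes the Group Policy from the earlier section is applied, the host is domain joined, and the ActiveDirectory RSAT module is installed for the verification step; the function names are my own.

```powershell
# Added example (not from the original page): back up every BitLocker volume's
# recovery password to AD DS, then verify the msFVE-RecoveryInformation object
# landed under this computer's account. Assumes the page's GPO is applied, the host
# is domain joined, and the ActiveDirectory RSAT module is installed.
#Requires -RunAsAdministrator

function Backup-AllBitLockerRecoveryKeysToAD {
    [CmdletBinding()]
    param(
        # Also push each protector to Azure AD, as the page does (Windows 10 1809+).
        [switch]$IncludeAzureAD
    )
    foreach ($vol in Get-BitLockerVolume) {
        # Nothing to back up for volumes that were never encrypted.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # A TPM-only volume has no recovery password, and AD stores only the
            # RecoveryPassword protector, so create one first.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        # A volume may carry more than one recovery password; back up each of them.
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            if ($IncludeAzureAD) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $p.KeyProtectorId }
        }
    }
}

function Test-BitLockerKeyInAD {
    # msFVE-RecoveryInformation objects sit one level under the computer object and
    # their Name ends with the protector GUID, e.g. "2019-12-04T16:20:00-05:00{GUID}".
    param([Parameter(Mandatory)][string]$KeyProtectorId)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $keys = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    [bool]($keys | Where-Object { $_.Name.EndsWith($KeyProtectorId) })
}

foreach ($k in Backup-AllBitLockerRecoveryKeysToAD) {
    '{0} {1} in AD: {2}' -f $k.MountPoint, $k.KeyProtectorId, (Test-BitLockerKeyInAD $k.KeyProtectorId)
}
```

The verification reads only object names, so it works for an account that cannot read the msFVE-RecoveryPassword attribute itself; that attribute is the actual key and is readable by default only by Domain Admins, so keep its ACL tight and audit reads of it.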
Daniel Simao 16:20, 4 December 2019 (EST)