Apr 07 2019 10:11 AM
Hi all,
We have windows 10 (domain joined) with Bitlocker enabled with TPM and startup pin.
Up until now we created a recovery key file for each computer.
We want to move those computers recovery keys to Active Directory.
Do we need any policy for this or can this be done via script?
Apr 08 2019 01:30 AM
Solution
Well, you can use the cmdlet Backup-BitLockerKeyProtector to accomplish your goal.
For computers that will get installed, we like to set the GPO:
Configure storage of BitLocker recovery information to AD DS
hth
Markus
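The cmdlet approach from the answer above, as an added example that is not code from this thread: it escrows every existing recovery-password protector to the computer's AD DS object and, because the question asks about laptops only, skips non-portable chassis. The chassis-type values and the laptop-only filter are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the thread): back up BitLocker recovery-password protectors
# to the domain computer object. Assumes a domain-joined Windows 10 client whose AD schema
# already holds BitLocker recovery information (ms-FVE-RecoveryInformation).

# Assumption: treat chassis types 8/9/10/14 (portable, laptop, notebook, sub-notebook)
# as laptops. Adjust or remove this filter if workstations should be covered too.
$laptopChassis = 8, 9, 10, 14
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
if (-not ($chassis | Where-Object { $laptopChassis -contains $_ })) {
    Write-Output "Chassis type $chassis is not a laptop; nothing escrowed."
    return
}

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors can be stored in AD DS; TPM+PIN protectors cannot.
    $rpProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rpProtectors) {
        # A volume with no recovery password has nothing to escrow; flag it so an admin
        # can add one, otherwise the drive is unrecoverable if the TPM or PIN is lost.
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; Status = 'NoRecoveryPassword' }
        continue
    }

    foreach ($p in $rpProtectors) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUpToADDS'
        }
        catch {
            # Typical causes: not domain joined, no line of sight to a DC, or schema not extended.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Status = $status }
    }
}

$results | Format-Table -AutoSize
```

Run it elevated; the GPO mentioned above is still worth setting so that recovery passwords created later (for example after a PIN reset) are escrowed automatically rather than depending on a one-time script run.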
Apr 08 2019 01:34 AM
@Markus Klocker so the policy isn't required? We have both workstations and laptops, and we want to back up the recovery keys only for the laptops.
Apr 08 2019 01:45 AM
AFAIK the GPO is not needed, but that can be tested.
I'd get this GPO in place anyhow to make sure someone can decrypt the drive if needed.