SOLVED

Bitlocker backup to active directory


Hi all,

We have windows 10 (domain joined) with Bitlocker enabled with TPM and startup pin.

Up until now we created a recovery key file for each computer.

We want to move those computers recovery keys to Active Directory.

Do we need any policy for this or can this be done via script?

best response confirmed by RahamimL (Frequent Contributor)
Solution

@RahamimL 

Well you can use cmdlet Backup-BitlockerKeyProtector to accomplish your goal.

For computer that will get installed we like to set the GPO:
Configure storage of BitLocker recovery information to AD DS


hth

Markus
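An added example (not code from the thread or from Microsoft) of scripting the escrow the accepted answer describes: it runs elevated on a domain-joined Windows 10 client, backs up every RecoveryPassword protector of each protected volume to AD DS with Backup-BitLockerKeyProtector, and skips non-portable machines so only laptops are covered. The chassis-type list and the need for an AD schema that contains msFVE-RecoveryInformation are assumptions.

```powershell
# Added example, not from the original thread.
# Assumes: domain-joined Windows 10, BitLocker PowerShell module present,
# AD schema extended with msFVE-RecoveryInformation, script run as admin.

# Chassis types treated as portable (assumed set, per Win32_SystemEnclosure docs).
$portableChassis = @(8, 9, 10, 11, 12, 14, 18, 21, 30, 31, 32)
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = ($chassis | Where-Object { $portableChassis -contains $_ }).Count -gt 0

if (-not $isLaptop) {
    Write-Output "$env:COMPUTERNAME is not a portable device; skipping AD backup."
    return
}

# Only volumes whose protectors are active can have a usable recovery password.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

foreach ($vol in $volumes) {
    # TPM/PIN protectors are never escrowed; only the numerical recovery password is.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector present, nothing to back up."
        continue
    }

    foreach ($kp in $recovery) {
        # Writes the recovery password as a child msFVE-RecoveryInformation object
        # of this computer's AD account; fails if the schema or permissions are missing.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Output "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId) to AD DS."
    }
}

# Verification from an admin workstation with RSAT (replace with the computer name):
# Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
#   -SearchBase (Get-ADComputer 'LAPTOP01').DistinguishedName -Properties msFVE-RecoveryPassword
```

The GPO "Configure storage of BitLocker recovery information to AD DS" only escrows keys when protection is enabled, so drives that were encrypted before the policy existed still need this cmdlet (or manage-bde -protectors -adbackup) run once. Confirm the msFVE-RecoveryInformation object exists under each computer account before deleting the old recovery key files.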

@Markus Klocker so the policy isn't required? We have both Workstations and Laptops and we want to back up the recovery keys only for the laptops.

@RahamimL 

afaik the GPO is not needed but that can be tested.

I'd get this GPO in place anyhow to make sure someone can decrypt the drive if needed.