Now that we’ve used BitLocker to encrypt an operating system drive, a fixed data drive, and a removable drive, we should have recovery information for all three drives stored in Active Directory. This part of the series shows where that information lives in AD and how to push it there manually for a machine that was encrypted before the backup policy was in place.
View the BitLocker Recovery Password in AD
To view the information, first make sure that you’ve installed the BitLocker Recovery Password Viewer (a feature of the Remote Server Administration Tools). Open Active Directory Users and Computers and view the properties of your computer object by double-clicking on it. Go to the BitLocker Recovery tab and you should now see the recovery passwords for all of the drives encrypted on the system. Each entry is stored as a separate msFVE-RecoveryInformation child object of the computer, so a drive that was encrypted more than once, or had its recovery password regenerated, shows up more than once.
BitLocker Recovery Key in Active Directory
View TPM owner information in Active Directory
If you chose to back up the TPM owner information in Active Directory, here’s how you can find it in AD. First, you’ll need to enable Advanced Features in Active Directory Users and Computers. You can do this by opening the View menu and clicking Advanced Features. If Advanced Features already has a check mark next to it, it is enabled. Without it, the Attribute Editor tab used below is hidden.
Active Directory Advanced Features
View the computer object properties by double-clicking on the computer name. Go to the Attribute Editor tab and scroll down to msTPM-OwnerInformation. This is the hash of the TPM owner password that Windows 7 writes to the computer object; on Windows 8 and later the TPM information is stored in a separate object referenced by the msTPM-TpmInformationForComputer attribute instead, so do not be surprised if msTPM-OwnerInformation is empty for newer clients.
View TPM Information
Put BitLocker recovery information into Active Directory manually
In the event you’ve got computers that have BitLocker-encrypted drives and you didn’t have your Active Directory configured to back up that information at the time they were encrypted, you can still put that information into AD afterwards. The client still needs to reach a writable domain controller in a domain whose schema contains the BitLocker attributes, and the computer account needs permission to create msFVE-RecoveryInformation objects under itself. On the system that has the BitLocker-encrypted drive, in a command prompt elevated with admin rights, run the command:
manage-bde -protectors -get c:
You should get something like this:
View BitLocker Backup Recovery Information on the command prompt
Notice that I’ve highlighted a section of the output. Only the Numerical Password (recovery password) protector can be backed up to AD, so take the ID shown under that protector, braces included, and run the following command:
manage-bde -protectors -adbackup c: -id {yourdrivesIDnumber}
Hopefully, you’ll see a success message:
Backup BitLocker Recovery information manually to Active Directory
In the event you need to do this for more than a handful of systems, there’s a script on TechNet that will allow you to put this information into AD for Windows 7 systems. If a drive has no Numerical Password protector at all (for example, a drive protected only by the TPM), there is nothing to back up; add one first with manage-bde -protectors -add c: -RecoveryPassword and then back up the new protector’s ID.
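The manual procedure above, turned into a script for a whole machine, as an added example that is not the TechNet script or any code from the original article: it enumerates every protected volume through the Win32_EncryptableVolume WMI class, parses the output of manage-bde -protectors -get for Numerical Password protector IDs, and runs manage-bde -protectors -adbackup for each. The function names are my own; the regular expression assumes English manage-bde output (the "Numerical Password:" and "ID:" labels are localized on non-English Windows).

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell session on the BitLocker-encrypted client (Windows 7 or later).
# Only Numerical Password (recovery password) protectors can be backed up
# to AD DS, so those are the only IDs this script looks for.

function Get-NumericalPasswordProtectorId {
    param([Parameter(Mandatory)][string]$Drive)

    # Join the multi-line manage-bde output so the regex can span lines.
    $text = (& manage-bde -protectors -get $Drive 2>&1) -join "`n"

    # English manage-bde output looks like:
    #     Numerical Password:
    #       ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    #       Password:
    #         123456-123456-...
    # Capture the GUID (braces included) that follows each Numerical Password label.
    $pattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAd {
    param([Parameter(Mandatory)][string]$Drive)

    $ids = @(Get-NumericalPasswordProtectorId -Drive $Drive)
    if ($ids.Count -eq 0) {
        # A TPM-only or password-only drive has nothing AD can store.
        Write-Warning ("{0}: no Numerical Password protector found. Add one with " +
                       "'manage-bde -protectors -add {0} -RecoveryPassword' and rerun." -f $Drive)
        return
    }

    foreach ($id in $ids) {
        $out = & manage-bde -protectors -adbackup $Drive -id $id 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host ("{0} {1}: recovery password backed up to AD DS" -f $Drive, $id)
        } else {
            # Typical causes: no writable DC reachable, schema not extended,
            # or the computer account lacks rights to create the child object.
            Write-Warning ("{0} {1}: backup failed`n{2}" -f $Drive, $id, ($out -join "`n"))
        }
    }
}

# ProtectionStatus 1 = protection on; 0 = off; 2 = unknown (e.g. locked data drive).
$protectedVolumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                                  -Class Win32_EncryptableVolume |
    Where-Object { $_.ProtectionStatus -eq 1 -and $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter

foreach ($volume in $protectedVolumes) {
    Backup-RecoveryPasswordToAd -Drive $volume
}
```

On Windows 8 and later the same thing can be done without parsing text: Get-BitLockerVolume exposes the KeyProtector collection, and Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $id performs the AD backup. The manage-bde version above is kept because the article targets Windows 7, where the BitLocker module does not exist. After running it, refresh the BitLocker Recovery tab on the computer object to confirm the new msFVE-RecoveryInformation entries appeared.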
I have locked my pen drive from my Windows 7 laptop and it crashed, not because of this … another reason… the point is that the laptop is being repaired and I am using my old laptop, which has Windows XP, and I can’t access the pen drive, and I urgently need the info stored there… there is no option to put my password in at all… How can I access it now …?? :-)))
Annabel – You may want to re-read Part 5 of the series: https://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-5-bitlocker-to-go/. There should be a utility on the drive that will allow you to read the files in XP. Sorry, you’ll need Windows 7 to write to the drive.
Dear Kyle,
Thank you so much…. so simple and was right there under my nose… was looking into the wrong part.
Thanks again
Nice… I have written a script to export recovery information
http://ammarhasayen.wordpress.com/?s=bitlocker&submit=Search
Hi,
really great article here.
My computer is asking for the BitLocker recovery key.
When I check the BitLocker Recovery password tab in Active Directory, no information is available.
May I know some reason why it’s not backed up in my domain controller?
thank you,
Vino