BitLocker to Go & Save the Recovery key in Active Directory

Before you start wit Bitlocker to Go your domain controllers must be 2008 R2. You must upgrade your Schema.

After done that I made a group policy named Bitlocker to Go.
You can find the Bitlocker Policy under: Computer Configuration | Policies | Administrative Templates: Policy Definitions | Components | BitLocker Drive Encryption | Removable Data Drives.

I enabled the following policies:

Choose How BitLocker Removable Drives Can Be Recovered

image

At first you must select the Allow Agent option. This option should be selected by default, but since this option is what makes the entire key recovery process possible, it is important to verify that the option is enabled.

Next, you will enable the Omit Recovery Option From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.

Next, you will have to select the Save BitLocker Recovery Information to AD DS for Removable Data Drives. This is the option that actually saves the BitLocker recovery keys to the .

Finally, you should select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This option forces Windows to confirm that the recovery has been written to the Active Directory before BitLocker is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key half way through the encryption process.

SP2 & SP3 can only read the bitlocker stick.

Leave a Reply