BitLocker to Go & Save the Recovery key in Active Directory

Before you start with BitLocker to Go, your domain controllers must be prepared for it: you must upgrade your schema so it can hold the recovery information.

After doing that, I made a policy named BitLocker to Go.
You can find the policy under: Computer Configuration | Policies | Administrative Templates: Policy Definitions | Windows Components | BitLocker Drive Encryption | Removable Data Drives.

I enabled the following policies:

Choose How BitLocker-Protected Removable Drives Can Be Recovered


First, you must select the Allow Data Recovery Agent option. This option should be selected by default, but since it is what makes the entire key recovery process possible, it is important to verify that it is enabled.

Next, enable the Omit Recovery Options From The BitLocker Setup Wizard option. This prevents users from saving or printing their own copies of the recovery key.

Next, select Save BitLocker Recovery Information To AD DS For Removable Data Drives. This is the option that actually saves the recovery keys to Active Directory.

Finally, select the Do Not Enable BitLocker Until Recovery Information Is Stored To AD DS For Removable Data Drives option. This forces BitLocker to confirm that the recovery information has been written to Active Directory before it is allowed to encrypt the drive. That way, you do not have to worry about a power failure wiping out the recovery key halfway through the encryption process.
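To check that the policy actually did its job for a given stick, the following PowerShell script (an added example, not part of the original post) looks up the drive's recovery password protector under this computer's AD object and, if it is missing, pushes it to AD with Backup-BitLockerKeyProtector. It assumes the RSAT ActiveDirectory and BitLocker modules, an elevated prompt, and that the drive was encrypted on this computer; the drive letter E: is a placeholder.

```powershell
#Requires -Modules ActiveDirectory, BitLocker
# Added example: confirm that a BitLocker To Go drive's recovery password
# was backed up to AD DS, and back it up if it was not.
# Assumptions: run elevated on the machine that encrypted the drive, because
# BitLocker stores removable-drive recovery info as child objects of the
# computer account of the machine that performed the encryption.
param([string]$MountPoint = 'E:')   # placeholder removable drive letter

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume" }

# Only the 48-digit recovery password protector is written to AD DS.
$rpProtectors = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rpProtectors) { throw "No recovery password protector on $MountPoint" }

$computer = Get-ADComputer -Identity $env:COMPUTERNAME

# Recovery info lives in msFVE-RecoveryInformation objects directly under the
# computer object; their CN is '<timestamp>{<protector GUID>}', so matching
# on the protector ID suffix is enough (reading the password itself needs
# the delegated permission and is not required for this check).
$stored = Get-ADObject -SearchBase $computer.DistinguishedName `
    -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties whenCreated

foreach ($p in $rpProtectors) {
    $match = $stored | Where-Object { $_.Name -like "*$($p.KeyProtectorId)" }
    if ($match) {
        Write-Host "OK: $($p.KeyProtectorId) stored in AD on $($match.whenCreated)"
    } else {
        Write-Warning "Missing in AD: $($p.KeyProtectorId); backing it up now"
        # Same backup the policy enforces at encryption time, done on demand.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}
```

Drives encrypted before the policy was in place are the usual reason the backup is missing; after the script runs, re-run it to confirm the object now appears.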

Machines on SP2 & SP3 can only read the BitLocker stick.
