

BitLocker Drive Encryption and Active Directory

Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today’s blog will cover “BitLocker Drive Encryption and Active Directory”.

BitLocker Recovery Information (msFVE-RecoveryInformation objects) can be backed up to Active Directory by configuring Group Policy (GPO) for BitLocker.

BitLocker Recovery Information is stored as a child object of the computer object in AD.

To configure GPO, see the blog below: https://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx

There are, however, some routine tasks that a system administrator performs on computer objects in AD, and it is worth knowing how each one affects this recovery information.

1. Rejoining a machine to the domain.

If you re-join a BitLocker-encrypted machine to the domain, we do not touch the BitLocker Recovery Information (the msFVE-RecoveryInformation objects). The BitLocker information remains the same.

You will still see the same BitLocker Recovery Information in AD for the computer object.

2. Renaming a computer which has BitLocker Drive Encryption

If you rename a computer which already has BitLocker turned ON, we do not touch the child objects or the BitLocker Recovery Information. The only point to note is that all of the BitLocker Recovery Information (recovery keys) will now be listed as child objects of the renamed computer object.

So when you want to search for the Recovery Password for a computer object, use BitLocker Recovery Password Viewer: https://support.microsoft.com/kb/928202

3. Computer Object is deleted from Active Directory.

If you delete a computer object from AD, you will also delete the BitLocker Recovery Information which is a child object.

To restore the deleted computer object, you will have to use AD Restore Mode to retrieve the object,

OR

If you are using Windows 2008 R2, configure the AD Recycle Bin.

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. See https://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
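As an added example (not part of the original post and not Microsoft's own tooling), the following PowerShell uses the RSAT ActiveDirectory module to list the msFVE-RecoveryInformation child objects of a computer, to search for one by recovery password ID the way BitLocker Recovery Password Viewer does, and to find recovery objects that were tombstoned together with a deleted computer when the AD Recycle Bin is enabled. The function names and the sample computer name are assumptions.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module (PowerShell 5 or later for [guid]::new) and read permission on the
# msFVE-RecoveryInformation objects and their msFVE-RecoveryPassword attribute.
Import-Module ActiveDirectory

# Scenarios 1 and 2: the recovery objects are children of the computer object,
# so search one level under its DN. After a rename they sit under the new name.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # The object's CN is "<timestamp>{<recovery GUID>}"; the GUIDs are octet strings.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-VolumeGuid, whenCreated |
      Select-Object @{n='Computer';e={$computer.Name}},
                    Name,
                    @{n='VolumeGuid';e={[guid]::new([byte[]]$_.'msFVE-VolumeGuid')}},
                    @{n='RecoveryPassword';e={$_.'msFVE-RecoveryPassword'}},
                    whenCreated
}

# What BitLocker Recovery Password Viewer does: the recovery screen shows the
# first 8 characters of the recovery GUID, which is part of the object's CN, so a
# domain-wide search on the name finds the object and its parent computer.
function Find-BitLockerRecoveryByPasswordId {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordId)
    $root = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $root -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordId*))" `
        -Properties msFVE-RecoveryPassword |
      Select-Object Name,
                    @{n='ComputerDN';e={($_.DistinguishedName -split ',',2)[1]}},
                    @{n='RecoveryPassword';e={$_.'msFVE-RecoveryPassword'}}
}

# Scenario 3: with the AD Recycle Bin enabled, deleting the computer tombstones
# its child objects too; this lists them so they can be restored together.
function Get-DeletedBitLockerRecoveryInfo {
    Get-ADObject -IncludeDeletedObjects -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=msFVE-RecoveryInformation)(isDeleted=TRUE))' `
        -Properties lastKnownParent, whenChanged |
      Select-Object Name, lastKnownParent, whenChanged
}

# Example usage (the computer name and password ID are placeholders):
# Get-BitLockerRecoveryInfo -ComputerName 'WS-EXAMPLE'
# Find-BitLockerRecoveryByPasswordId -PasswordId '1A2B3C4D'
# Get-DeletedBitLockerRecoveryInfo
```

Restoring a deleted computer with Restore-ADObject brings back only that object; the tombstoned child objects listed by the last function must be restored separately after their parent.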

I hope the above information is useful to everyone. Thanks for taking the time to read it.

More Information: https://blogs.technet.com/b/askcore/archive/tags/bitlocker/ https://blogs.technet.com/b/bitlocker/

Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    November 22, 2011
    Thanks. What happens in a scenario where a client with BitLocker enabled gets joined to a domain? Is it necessary to first decrypt the drive and then re-encrypt post domain join?
  • Anonymous
    December 12, 2012
    What happens when you use AD restore to re-add the computer object? Is there anything extra to do to get the child object for BitLocker? -Mark
  • Anonymous
    December 18, 2013
    Pingback from Shaking BitLocker – Backup keys to AD and play around | Ammar Hasayen - Blog
  • Anonymous
    September 13, 2014
    How to recover a BitLocker password after a user has been deleted from Active Directory.