BitLocker with Active Directory


Preamble

Here’s the deal:

  • you want to deploy BitLocker on your workstations
  • you want to backup the recovery keys and TPM info to Active Directory
  • your domain and forest functional level is Windows Server 2012 R2 (at least that’s where I performed all this)

If your levels differ, this may still work, but according to older tutorials, below 2008 you’ll need to extend the schema first, so in that case look for another tutorial. If your levels are fine, rest assured: it’s much more straightforward than the pages and pages of instructions most tutorials give you. Let’s start!

Domain Controllers

You need to check whether your AD schema contains the necessary objects; refer to the article Checking BitLocker and TPM Schema Objects. For me all the required objects were present out of the box. Like I said, if you’re at least on 2008 they should be there.

You also need to install the BitLocker Drive Encryption Administration Utilities on your domain controllers via Server Manager.

Now you gotta set some permissions so that the computers are allowed to save TPM ownership info to the directory. For this, open Active Directory Users and Computers, right click your domain root, select Properties, go to the Security tab and click Advanced. There you’ll see a whole bunch of ACEs (Access Control Entries), among which you gotta find the one that is assigned to the SELF principal and applies to Descendant Computer objects (most likely you’ll have only one).

Edit this entry and scroll down until you find the already checked Write msTPM-TpmInformationForComputer entry. All you gotta do is check the Write msTPM-OwnerInformation entry too, then click OK.

Don’t worry if the checkbox doesn’t appear checked afterwards: all that happens is that you get a new ACE carrying this permission.
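The three domain controller steps above (schema objects, the SELF write permission, and the administration utilities) can be checked from a script instead of clicking through ADUC. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is present, that you run it as a domain admin on a 2012 R2 DC, and that the feature name RSAT-Feature-Tools-BitLocker is the one Server Manager installs.

```powershell
# Added example (not from the original post): verify the DC-side prerequisites
# described above. Assumes the ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

# 1. Schema objects BitLocker and the TPM backup need (the linked article's check, scripted).
$required = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
            'msFVE-VolumeGuid', 'msFVE-KeyPackage', 'msTPM-OwnerInformation',
            'msTPM-TpmInformationForComputer'
foreach ($name in $required) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)"
    if ($obj) { "OK      $name" } else { "MISSING $name (schema extension needed)" }
}

# 2. Does SELF have Write on msTPM-OwnerInformation, inherited by descendant computer objects?
#    Both GUIDs are read from the schema rather than hard-coded.
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)' -Properties schemaIDGUID
$attrGuid = New-Object -TypeName Guid -ArgumentList @(,$attr.schemaIDGUID)
$class    = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$compGuid = New-Object -TypeName Guid -ArgumentList @(,$class.schemaIDGUID)

$acl = Get-Acl -Path "AD:\$domainDN"
$ace = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $compGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
if ($ace) { 'OK      SELF can write msTPM-OwnerInformation on descendant computers' }
else      { 'MISSING SELF write ACE for msTPM-OwnerInformation (add it as described above)' }

# 3. The tools behind the BitLocker Recovery tab and the "Find BitLocker recovery password" search.
Install-WindowsFeature RSAT-Feature-Tools-BitLocker -IncludeAllSubFeature
```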

Policies

Create a new GPO (Group Policy Object) for BitLocker settings, set security filtering to Domain Computers (or whatever computer group you want) and link it to an OU that contains a test computer. Now you need to configure the following:

  • Enable Computer Configuration / Administrative Templates / System / Trusted Platform Module Services / Turn on TPM backup to Active Directory Domain Services: this won’t let the computer start encrypting the drive without successfully backing up the recovery info to AD first.
  • Enable Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives / Require additional authentication at startup to enable BitLocker on computers without TPM and to require a startup key even with TPM (if you wonder why you want this, read the related article about the cold boot attack).
    • Check Allow BitLocker without a compatible TPM
    • Do not allow TPM
    • Do not allow startup PIN with TPM
    • Allow startup key with TPM
    • Do not allow startup key and PIN with TPM
  • Enable Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives / Enforce drive encryption type on operating system drives and set encryption type to Full encryption. Repeat this for Fixed Data Drives.
  • Enable Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives / Choose how BitLocker-protected operating system drives can be recovered (repeat this for Fixed Data Drives, too).
    • Allow data recovery agent
    • Omit recovery options from the BitLocker setup wizard
    • Save BitLocker recovery information to AD DS
    • Store recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored in AD DS
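Before encrypting the test computer it is worth confirming that the GPO above actually arrived. This added example (not part of the original post) runs on the test computer after gpupdate and compares the policy registry values with the settings listed above; the value names are the ones the VolumeEncryption.admx and TPM.admx templates write, and the expected numbers are my reading of those templates, so treat them as assumptions to verify against your own ADMX files.

```powershell
# Added example (not part of the original post): check the applied BitLocker/TPM
# policy values against the GPO settings above. Run on the test computer after
# gpupdate /force. Value names come from VolumeEncryption.admx / TPM.admx.
$expected = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\TPM' = @{
        ActiveDirectoryBackup           = 1   # Turn on TPM backup to AD DS
    }
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE' = @{
        UseAdvancedStartup              = 1   # Require additional authentication at startup
        EnableBDEWithNoTPM              = 1   # Allow BitLocker without a compatible TPM
        UseTPM                          = 0   # Do not allow TPM (alone)
        UseTPMPIN                       = 0   # Do not allow startup PIN with TPM
        UseTPMKey                       = 2   # Allow startup key with TPM
        UseTPMKeyPIN                    = 0   # Do not allow startup key and PIN with TPM
        OSEncryptionType                = 1   # Full encryption, OS drives
        FDVEncryptionType               = 1   # Full encryption, fixed data drives
        OSRecovery                      = 1   # Choose how OS drives can be recovered
        OSManageDRA                     = 1   # Allow data recovery agent
        OSHideRecoveryPage              = 1   # Omit recovery options from the setup wizard
        OSActiveDirectoryBackup         = 1   # Save recovery information to AD DS
        OSActiveDirectoryInfoToStore    = 1   # Recovery passwords and key packages
        OSRequireActiveDirectoryBackup  = 1   # Do not enable BitLocker until stored in AD DS
        FDVRecovery                     = 1   # Same block for fixed data drives
        FDVManageDRA                    = 1
        FDVHideRecoveryPage             = 1
        FDVActiveDirectoryBackup        = 1
        FDVActiveDirectoryInfoToStore   = 1
        FDVRequireActiveDirectoryBackup = 1
    }
}

$problems = 0
foreach ($key in $expected.Keys) {
    # A missing key means the GPO has not applied at all (wrong link or filtering).
    $actual = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    foreach ($name in $expected[$key].Keys) {
        $want = $expected[$key][$name]
        $have = if ($actual) { $actual.$name } else { $null }
        if ($have -ne $want) {
            "MISMATCH $key\$name : want $want, have $have"
            $problems++
        }
    }
}
if ($problems -eq 0) { 'All BitLocker/TPM policy values match the GPO above.' }
```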

Deployment

It’s really simple. Just open File Explorer and right click the OS drive and select Turn on BitLocker.

Then proceed with creating a startup key and running the system check. After you reboot, it’ll have put a .BEK file on your thumb drive (this is the key you’ll use to unlock the computer at startup) and it starts encrypting your drive. You’re free to reboot at any time; it’ll continue where it left off. Make sure to encrypt the OS drive first, otherwise you won’t be able to auto-unlock data drives.

Also keep in mind that BitLocker’s only available in Windows 8 Pro and Windows 7 Ultimate or Enterprise. It is not available in Windows 7 Pro.

Recovery

Remember, you don’t need to back up the thumb drives used for startup, because the recovery passwords are automatically backed up to AD when BitLocker’s turned on. Just open the properties of the appropriate computer object and go to the BitLocker Recovery tab.

If you don’t know which computer it is, just right click your domain root and click Find BitLocker recovery password, where you can look up the recovery password by the first few characters of the password ID that the computer shows you at startup.

If you want to replace a missing/damaged startup key, start the computer with this recovery password, then in an elevated command prompt (E: being the new thumb drive):

manage-bde -protectors -delete C: -type externalkey
manage-bde -protectors -add C: -startupkey E:
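The whole setup only pays off if the recovery password really reached AD before you ever need it. This added example (not part of the original post) runs on an encrypted Windows 8 / 2012 R2 client with the BitLocker and ActiveDirectory PowerShell modules available: it confirms C: carries the protectors this configuration expects (a startup key on the thumb drive plus a recovery password), looks for the matching msFVE-RecoveryInformation object under the computer account, and pushes the recovery password to AD if it is missing.

```powershell
# Added example (not part of the original post): verify protectors on C: and
# that each recovery password has a backup object in AD; back it up if not.
Import-Module BitLocker
Import-Module ActiveDirectory

$vol = Get-BitLockerVolume -MountPoint 'C:'
"Status: $($vol.VolumeStatus), protection: $($vol.ProtectionStatus), method: $($vol.EncryptionMethod)"

$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ('ExternalKey' -notin $types)      { 'WARNING: no startup key protector (replace it with manage-bde as above)' }
if ('RecoveryPassword' -notin $types) { 'WARNING: no recovery password protector, so nothing can be backed up to AD' }
if ('Tpm' -in $types)                 { 'NOTE: a TPM-only protector is present although the policy above forbids it' }

# Recovery passwords live as msFVE-RecoveryInformation children of the computer object;
# their CN ends with the protector ID in braces, which is what we match on.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$inAD = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' }

$pwProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $pwProtectors) {
    $stored = $inAD | Where-Object { $_.Name -like "*$($p.KeyProtectorId)" }
    if ($stored) {
        "OK      protector $($p.KeyProtectorId) is backed up in AD"
    } else {
        "MISSING protector $($p.KeyProtectorId) is not in AD, backing it up now"
        # Same as: manage-bde -protectors -adbackup C: -id <protector id>
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
    }
}
```

Run it once right after encryption finishes and again whenever a computer is moved between domains or re-joined, since the backup object stays with the old computer account.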