- \n
- Click the Search icon in the taskbar and type “group policy<\/strong>“. You can then click Group Policy Management<\/strong> to launch it.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/open-group-policy-management.png\")
\n<\/li>\n- Now in the left pane of Group Policy Management, right-click your AD domain and select “Create a GPO in this domain, and Link it here\u2026<\/strong>” from the menu.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/create-a-gpo-in-this-domain.png\")
\n<\/li>\n- In the New GPO dialog, give the GPO a name and click OK<\/strong>.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/name-the-new-gpo.png\")
\n<\/li>\n- Right-click the newly-created GPO in the left pane, and select Edit<\/strong>.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/edit-domain-policy.png\")
\n<\/li>\n- Browse to
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption<\/code>, and then double-click the policy “Store BitLocker recovery information in Active Directory Domain Services<\/strong>“.\n![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/bitlocker-drive-encryption-policy.png\")
\n<\/li>\n- Set the policy to Enabled<\/strong>. Make sure the “Require BitLocker backup to AD DS<\/strong>” option is checked, and select to store both recovery passwords and key packages.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/require-bitlocker-backup-to-ad-ds.png\")
\n<\/li>\n- Next, expand BitLocker Drive Encryption<\/strong> in the left pane. You’ll see three nodes: Fixed Data Drives, Operating System Drives, Removable Data Drives. Just select Fixed Data Drives and double-click the policy “Choose how BitLocker-protected fixed drives can be recovered<\/strong>“.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/choose-how-bitlocker-drive-be-recovered.png\")
\n<\/li>\n- Set it to Enabled<\/strong>. Check the options “Save BitLocker recovery information to AD DS for fixed drives” and then click OK.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/save-bitlocker-recovery-info-to-ad-for-fixed-drives.png\")
\n<\/li>\n- Go to the “Operating System Drives” node and turn on the similar policy “Choose how BitLocker-protected operating system drives can be recovered<\/strong>“. Afterwards, go to the “Removable Data Drives” node and enable the policy “Choose how BitLocker-protected removable drives can be recovered<\/strong>“.<\/li>\n
- When any client PC retrieves the policy changes, BitLocker recovery information will be automatically and silently backed up to AD DS when BitLocker is turned on for fixed drives, OS drives or removable drives.<\/li>\n<\/ol>\n
Manually Backup BitLocker Password to AD with PowerShell<\/strong><\/p>\n
If you have enabled BitLocker prior to configuring the above GPO policy, you can use PowerShell cmdlets to manually upload the BitLocker recovery key to Active Directory. Follow these steps:<\/p>\n
- Now in the left pane of Group Policy Management, right-click your AD domain and select “Create a GPO in this domain, and Link it here\u2026<\/strong>” from the menu.\n
![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/find-bitlocker-id-for-drive.png\")
<\/p>\n![\"\"](\"https:\/\/www.top-password.com\/blog\/wp-content\/uploads\/2019\/04\/backup-bitlocker-recovery-key-to-ad-with-powershell.png\")
\n<\/li>\n