Manually Backup BitLocker Recovery Key to Active Directory
Issue
I have a machine that has previously been BitLocker protected and I now need to backup the recovery key into active directory.
Solution
STEP 1: Get the ID for the numerical password protector of the volume, in the example below we are using the C: drive.
Run the command from an admin command prompt.
manage-bde -protectors -get c:
Example output:
Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: [Old Win7]
All Key Protectors
External Key:
ID:{F12ADB2E-22D5-4420-980C-851407E9EB30}
External Key File Name:
F12ADB2E-22D5-4420-980C-851407E9EB30.BEK
Numerical Password:
ID:{DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
In the above output, you would find an ID and Password for Numerical Password protector.
STEP 2: Use the numerical password protector’s ID from STEP 1 to backup recovery information to AD
In the below command, replace the GUID after the -id with the ID of Numerical Password protector.
manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.
You should now be able to view the recovery information for the volume in the active directory.
