
Where Are BitLocker Keys Stored in AD Now

By understanding how BitLocker recovery keys are stored in AD and following best practices for managing them, organizations can protect the confidentiality and integrity of the data stored on their computers.

BitLocker recovery passwords (and key packages) are stored in AD as attributes of the computer object that has BitLocker enabled.

The Architecture of Recovery: Where and How BitLocker Keys Are Stored in Active Directory

To view the BitLocker recovery keys that AD has stored for a computer, follow these steps:

1. Open Active Directory Users and Computers (ADUC) on a domain controller or on a machine with RSAT installed.
2. Ensure Advanced Features is enabled under the View menu.
3. Locate the specific computer account.
4. Right-click the computer and select Properties.
5. Navigate to the BitLocker Recovery tab.

The AD schema must be updated to include the BitLocker attributes. This has been standard since Windows Server 2008, so most modern environments are already prepared.

Group Policy Configuration

However, beginning with Windows 10 and Windows Server 2016, the default behavior changed. The TPM OwnerAuth is now stored only locally in the TPM registry hive (if the registry is configured for this) and is no longer automatically backed up to AD by default, because the TPM 2.0 standard handles authorization differently than TPM 1.2. Administrators must be aware of this distinction when managing mixed environments.

Here’s a helpful, concise guide on where BitLocker keys are stored in Active Directory (AD) and how to access them.

Starting with Windows 8 and Windows Server 2012, Microsoft introduced a second storage mechanism. Modern Group Policy settings allow for the backup of BitLocker recovery information to the User Object (the account of the individual logged in when the key is generated).

msFVE-RecoveryGuid: The unique ID that matches the ID shown on the user's BitLocker recovery screen.
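As an added example (not code from the original article), the following PowerShell performs the same lookup as the ADUC steps above, using the ActiveDirectory RSAT module, and matches the stored msFVE-RecoveryGuid against the Key ID a user reads from the recovery screen so the right password can be picked out when several are escrowed. The computer name and Key ID prefix are placeholders; it assumes the module is installed and that the caller has read access to the msFVE-RecoveryInformation objects (by default only Domain Admins).

```powershell
# Added example, not from the original article: enumerate the BitLocker
# recovery information that Active Directory holds for one computer account
# (the data the ADUC "BitLocker Recovery" tab displays) and optionally filter
# it by the Key ID shown on the recovery screen.
# Assumptions: ActiveDirectory RSAT module present; the caller can read the
# msFVE-RecoveryInformation objects (delegate that right deliberately).
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: the Key ID (or its leading characters) the user reads from
        # the recovery screen, used to select one password among several.
        [string] $KeyIdPrefix
    )

    # Get-ADComputer throws if the account does not exist.
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery information is held in child objects of class
    # msFVE-RecoveryInformation directly beneath the computer object,
    # one object per recovery password that has been escrowed.
    $recoveryObjects = Get-ADObject -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated

    if (-not $recoveryObjects) {
        Write-Warning "No BitLocker recovery information escrowed in AD for $ComputerName"
        return
    }

    foreach ($obj in $recoveryObjects) {
        # msFVE-RecoveryGuid is stored as an octet string (byte array); rebuild
        # the GUID that the recovery screen displays as the Key ID.
        $keyId = [Guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')

        if ($KeyIdPrefix -and
            -not $keyId.ToString().StartsWith($KeyIdPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            continue
        }

        [pscustomobject]@{
            Computer         = $computer.Name
            KeyId            = $keyId
            Escrowed         = $obj.whenCreated
            RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        }
    }
}

# Usage: the computer name and Key ID prefix below are placeholder values.
Get-BitLockerRecoveryFromAD -ComputerName 'WKS-EXAMPLE01' -KeyIdPrefix 'A1B2C3D4' |
    Sort-Object Escrowed -Descending |
    Format-Table -AutoSize
```

The function returns one object per escrowed recovery password, newest first when piped through Sort-Object, so a computer that has been re-keyed several times shows its whole history and the whenCreated value tells you which entry is current. Anyone who can read these objects can unlock the disks they protect, so restrict and audit that read permission rather than leaving it at its defaults.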