Escrow BitLocker recovery information in Active Directory at IU

On this page:


Overview

The policy setting described here allows you to manage the Active Directory Domain Service (AD DS) backup of BitLocker Drive Encryption recovery information. For more, see the Explain tab for the policy "Turn on BitLocker backup to Active Directory Domain Services" within gpedit.msc.

Note:
There is a top-level BitLocker policy that is applied to all machines (unless Block Inheritance is enabled) that will allow UISO to potentially recover the drive data if no other option exists (for example, if no one in your department has the rights to see the BitLocker key). However, the BitLocker key must have been previously escrowed. That policy in and of itself does not escrow the BitLocker key. Drives encrypted before April 26, 2015, will not inherit the policy. For drives encrypted before this date, you'll need to back up the key manually.

In addition to following the instructions below to escrow the recovery information in Active Directory, UITS recommends saving a copy of the recovery information in at least one other location.

Prerequisites

  • You must have Windows 7 or later.
  • BitLocker must be turned off.
  • The computer must be joined to Indiana University's ADS domain.
  • You must have administrative credentials on the computer on which BitLocker is being configured.

Escrow BitLocker recovery information

To escrow BitLocker recovery information in Active Directory for Windows 10, 8.x, and 7:

  1. To open the Run dialog box, press Windows-r (the Windows key and the letter r).
  2. Type gpedit.msc and click OK.
  3. Expand Computer Configuration, expand Administrative Templates, and expand Windows Components. Click BitLocker Drive Encryption.
  4. Under Operating System Drives, select Choose how BitLocker-protected operating system drives can be recovered.
  5. Select Enabled and Save BitLocker recovery information to AD DS for operating system drives.
  6. Click Apply, and then OK.
  7. Under Fixed Data Drives, select Choose how BitLocker-protected fixed data can be recovered.
  8. Select Enabled and Save BitLocker recovery information to AD DS for fixed data drives.
  9. Click Apply, and then OK.
  10. Under Removable Data Drives, select Choose how BitLocker-protected removable drives can be recovered.
  11. Select Enabled and Save BitLocker recovery information to AD DS for removable data drives.
  12. Click Apply, and then OK.

Verify that a key has been escrowed

Even if you're using an account that doesn't have access to view the recovery key directly, you can still verify that a machine's BitLocker key is escrowed. In Active Directory Users and Computers (ADUC), in the entry for the machine, check the Bitlocker Recovery tab. You'll see one of the following results:

  • Key not escrowed: "No Items in this view. To search for a recovery password, right click on the domain object in tree view, and select 'Find Bitlocker Recovery Password...'"
  • Key escrowed, but the viewer does not have rights to see the key: "Cannot retrieve recovery password information. Cannot get the password attribute of a recovery password record. Make sure you have sufficient permission to access the recovery password."
  • Key escrowed and viewer has rights to see the key: The date added and password ID will be visible, and the details section will be filled in, including the recovery password (typically eight sets of six digits).

Access Bitlocker recovery information

If you have lost all copies of the recovery information and cannot access the escrowed key yourself:

  1. Check with your IT Pro or other department representative; they may have escrowed the recovery information, subject to institutional guidelines.
  2. If no one in your department can access the recovery key, and it was previously escrowed in Active Directory, contact the University Information Policy Office (UIPO) at uipo@iu.edu.

    If your request meets the guidelines in UIPO policy Privacy of Electronic Information and Information Technology Resources (IT-07) and any other applicable IU policies, UIPO will contact you and explain how to proceed. They must be able to verify that you are the owner of the computer. The preferred method of verification is for UIPO to provide the recovery information to the owner of the Active Directory computer object.

This is document avit in the Knowledge Base.
Last modified on 2018-06-28 13:41:43.

Contact us

For help or to comment, email the UITS Support Center.