At IU, how can I escrow BitLocker recovery information in Active Directory?

The policy setting described here allows you to manage the Active Directory Domain Service (AD DS) backup of BitLocker Drive Encryption recovery information. For more, see the Explain tab for the policy "Turn on BitLocker backup to Active Directory Domain Services" within gpedit.msc.

Prerequisites

  • You must have Windows Vista or later.
  • BitLocker must be turned off.
  • The computer must be joined to Indiana University's ADS domain.
  • You must have administrative credentials on the computer on which BitLocker is being configured.

Instructions

To escrow BitLocker recovery information in Active Directory:

Windows 10, 8.x, and 7

  1. To open the Run dialog box, press Windows-r (the Windows key and the letter r).
  2. Type gpedit.msc and click OK.
  3. Expand Computer Configuration, expand Administrative Templates, and expand Windows Components. Click BitLocker Drive Encryption.
  4. Under Operating System Drives, select Choose how BitLocker-protected operating system drives can be recovered.
  5. Select Enabled and Save BitLocker recovery information to AD DS for operating system drives.
  6. Click Apply, and then OK.
  7. Under Fixed Data Drives, select Choose how BitLocker-protected fixed data can be recovered.
  8. Select Enabled and Save BitLocker recovery information to AD DS for fixed data drives.
  9. Click Apply, and then OK.
  10. Under Removable Data Drives, select Choose how BitLocker-protected removable drives can be recovered.
  11. Select Enabled and Save BitLocker recovery information to AD DS for removable data drives.
  12. Click Apply, and then OK.

Windows Vista

  1. To open the Run dialog box, press Windows-r (the Windows key and the letter r).
  2. Type gpedit.msc and click OK.
  3. Expand Computer Configuration, expand Administrative Templates, and expand Windows Components. Click BitLocker Drive Encryption.
  4. Double-click Turn on BitLocker backup to Active Directory Domain Services.
  5. Select Enabled.
  6. Select Require BitLocker backup to AD DS.
  7. Select Recovery Passwords and key packages.
  8. Click Apply, and then OK.
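Once the policy is in place, an administrator will usually want to confirm that recovery passwords actually reached AD DS, and to push them up for any volume that was already encrypted before the policy applied (the policy only escrows at the moment a protector is created). The following PowerShell script is an added example, not part of the IU Knowledge Base article; it assumes the BitLocker PowerShell module (Windows 8 or later), the ActiveDirectory RSAT module, an elevated session on the domain-joined computer, and an account permitted to read the computer object's child objects.

```powershell
# Added example (not from the IU KB): verify and force AD DS escrow of
# BitLocker recovery passwords after the Group Policy above has been set.
# Assumes: BitLocker module (Windows 8+), ActiveDirectory RSAT module,
# elevated session, computer joined to the domain.

# 1. Refresh Group Policy so the BitLocker settings configured via gpedit.msc
#    (or inherited from the OU) are applied before any protectors are created.
gpupdate /target:computer /force | Out-Null

# 2. For every BitLocker volume, send each recovery-password protector to AD DS.
#    Volumes that are fully decrypted have no protectors, so they are skipped.
#    The recovery password itself is never displayed here; only its protector ID.
foreach ($vol in Get-BitLockerVolume) {
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host ("Escrowed recovery password protector {0} for volume {1}" -f $kp.KeyProtectorId, $vol.MountPoint)
    }
}

# 3. Confirm what AD DS now holds. Escrowed recovery information is stored as
#    msFVE-RecoveryInformation objects beneath the computer object. Listing them
#    proves escrow happened; reading the password attribute requires delegated rights.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName `
             -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
             -Properties whenCreated |
    Select-Object Name, whenCreated
```

On Windows 7, where the BitLocker cmdlets are not available, the equivalent of step 2 is `manage-bde -protectors -adbackup C: -id {protector GUID}` for each recovery-password protector listed by `manage-bde -protectors -get C:`. If step 3 returns nothing for a volume you just backed up, the usual causes are Group Policy not yet refreshed, the computer's OU blocking inheritance as noted below, or the schema in that domain not extended for BitLocker objects.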

If your department leverages Active Directory to manage your Windows computers and you plan to enable BitLocker, top-level policies should automatically escrow the recovery keys into Active Directory unless inheritance is disabled for that Organizational Unit (OU).

Accessing BitLocker recovery information

The University Information Policy Office (UIPO) can access BitLocker recovery information only if the recovery information was escrowed. UIPO must be able to verify that you are the owner of the computer. The preferred method of verification is for UIPO to provide the recovery information to the owner of the Active Directory computer object.

If your computer does not belong to Active Directory, your IT Pro or other department representative might have escrowed the BitLocker recovery information, subject to institutional guidelines.

In most cases, you should have saved two copies of your recovery information, so you should not need to ask to have it provided to you. If you have lost all copies of the recovery information for a machine that had escrowed the BitLocker recovery information, contact UIPO at uipo@iu.edu. After verification, UIPO staff can provide recovery information that was escrowed to Active Directory.

If your request meets the guidelines in UIPO policy Privacy of Electronic Information and Information Technology Resources (IT-07) and any other applicable IU policies, UIPO will contact you and explain how to proceed.

This is document avit in the Knowledge Base.
Last modified on 2017-07-31 16:30:00.