Escrow BitLocker recovery information in Active Directory at IU
On this page:
- Overview
- Escrow BitLocker recovery information
- Verify that the key has been escrowed
- Access BitLocker recovery information
Overview
The policy setting described here allows you to manage the Active Directory Domain Service (AD DS) backup of BitLocker Drive Encryption recovery information. For more, see the tab for the policy "Turn on BitLocker backup to Active Directory Domain Services" within gpedit.msc.
In addition to following the instructions below to escrow the recovery information in Active Directory, UITS recommends saving a copy of the recovery information in at least one other location.
Prerequisites
- You must have Windows 8.x or later.
- BitLocker must be turned off.
- The computer must be joined to Indiana University's ADS domain.
- You must have administrative credentials on the computer on which BitLocker is being configured.
Escrow BitLocker recovery information
To escrow BitLocker recovery information in Active Directory in Windows:
- To open the Run dialog box, press Windows-r (the Windows key and the letter r).
- Type gpedit.msc and click .
- Expand , expand , and expand . Click .
- Under , select .
- Select .
- Select .
- Select .
- Click , and then .
- Under , select .
- Select .
- Select .
- Select .
- Click , and then .
- Under , select .
- Select and .
- Click , and then .
Verify that a key has been escrowed
Even if you're using an account that doesn't have access to view the recovery key directly, you can still verify that a machine's BitLocker key is escrowed. In Active Directory Users and Computers (ADUC), in the entry for the machine, check the
tab. You'll see one of the following results:
- Key not escrowed: "No Items in this view. To search for a recovery password, right click on the domain object in tree view, and select 'Find Bitlocker Recovery Password...'"
- Key escrowed, but the viewer does not have rights to see the key: "Cannot retrieve recovery password information. Cannot get the password attribute of a recovery password record. Make sure you have sufficient permission to access the recovery password."
- Key escrowed and viewer has rights to see the key: The date added and password ID will be visible, and the details section will be filled in, including the recovery password (typically eight sets of six digits).
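The same escrow-and-verify cycle can be done from an elevated PowerShell prompt, which is useful for machines that were encrypted before the policy above was applied and for confirming the result without opening ADUC. The script below is an added example, not part of the IU Knowledge Base article or of UITS tooling. It assumes a domain-joined computer, the built-in BitLocker module, the RSAT ActiveDirectory module, and that the policy from gpedit.msc writes its values under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names ActiveDirectoryBackup and RequireActiveDirectoryBackup (standard BitLocker policy values, but check them against your own GPO's Registry.pol before relying on the check).

```powershell
# Added example (not from the IU KB article): check the escrow policy, escrow
# existing recovery-password protectors to AD DS, then verify the result.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory   # RSAT: Active Directory module

# 1. Confirm the policy that gpedit.msc writes is in effect on this machine.
#    Assumed value names for "Turn on BitLocker backup to Active Directory
#    Domain Services"; OS-drive-specific policies use OS-prefixed names instead.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
foreach ($name in 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup') {
    $actual = if ($null -ne $policy) { $policy.$name } else { $null }
    if ($actual -ne 1) {
        Write-Warning "Policy value $name is '$actual' (expected 1); escrow is not enforced by policy."
    }
}

# 2. Escrow every RecoveryPassword protector of each protected volume. The GPO
#    does this automatically when BitLocker is turned on; running it manually
#    covers volumes encrypted before the policy existed.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint) has no RecoveryPassword protector; nothing to escrow."
        continue
    }
    foreach ($p in $rp) {
        # Writes an msFVE-RecoveryInformation object under this computer's AD object.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Escrowed protector $($p.KeyProtectorId) for $($vol.MountPoint)"
    }
}

# 3. Verify. Recovery information is stored as msFVE-RecoveryInformation child
#    objects of the computer object. Listing them works for any account that can
#    read the computer object; the msFVE-RecoveryPassword attribute itself needs
#    delegated rights, which is the same distinction the ADUC tab shows.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties whenCreated, 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid' -ErrorAction Stop)

if ($escrowed.Count -eq 0) {
    Write-Warning "No recovery information found in AD for $($computer.Name)."
} else {
    # Date added and password (recovery) GUID correspond to the fields ADUC shows.
    $escrowed | Select-Object whenCreated, 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid' | Format-Table -AutoSize
}
```

If step 3 lists objects but step 2 reported nothing to escrow, the machine was escrowed earlier; if step 3 lists nothing after step 2 succeeded, check replication and that the computer object has not been moved, since the recovery objects live beneath it.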
Access BitLocker recovery information
If you have lost all copies of the recovery information and cannot access the escrowed key yourself:
- Check with your local UITS support person or other department representative; they may have escrowed the recovery information, subject to institutional guidelines.
- If no one in your department can access the recovery key, and it was previously escrowed in Active Directory, contact the University Information Policy Office (UIPO) at uipo@iu.edu. If your request meets the guidelines in Privacy of Electronic Information and Information Technology Resources (IT-07) and any other applicable IU policies, UIPO will contact you and explain how to proceed. They must be able to verify that you are the owner of the computer. The preferred method of verification is for UIPO to provide the recovery information to the owner of the Active Directory computer object.
This is document avit in the Knowledge Base.
Last modified on 2024-04-15 16:42:10.