BitLocker is like backup. It’s good to have it. It’s better to have the restore verified as well.
If you’re planning to implement BitLocker into your organization (or already have that), it’s good to know what’s the choice of storing the recovery password:
- save to a file – either usb stick or unc share
- backup to ActiveDirectory
- backup to Azure ActiveDirectory
- use MBAM
More information can be found here.
For me, the best approach would be to:
- use GPO to encrypt end user device AND store the password in Active Directory
This can be configured here: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Acive Directory Domain Services.
This also ensures that encryption won’t start if recovery key failed to be backed up to AD.
- use Intune and encrypt user device AND store the password in Azure Active Directory with self-service key recovery feature
This doesn’t introduce the cost of MBAM or SCCM.
What if you already have your drives encrypted, and now want to improve the process od recovering information? As always – PowerShell to the rescue. To send information to AD we can use Backup-BitLockerKeyProtector. It can accept either KeyProtectorID or the ID itself. Retrieving those is simple.
Ways to get BitLocker recovery key information to AD and Azure AD
We can get the information using manage-bde tool:
Send to AD
This is more fun (objects) do I’ll describe this. Let’s first get information about our volumes:
As you can see I have only one drive, encrypted with TPM. To get the information we require just select-object
This returns two objects for each drive. We’re interested in the second object
Let’s store the information to ActiveDirectory now:
If I would have more drives, this would come in handy:
Azure Active Directory
Same goes with sending RecoveryKey to Azure AD, this time with BackupToAAD-BitLockerKeyProtector:
Now the best part – how to get the information back. Since Windows 2008 BitLocker Recovery Key is stored in AD in msFVE-RecoveryInformation objectclass aassociated to Computer. To get that we first need to get Computer Object and then search Active Directory for ObjecClass of given type. This is assuming your account have rights to read the information from AD in the first place! (great article here)
I’m using custom objects for better readability. Date shiws when the drive was encrypted, not when the information was backed up.
From Azure AD
There is a delay between using BackupToAAD-BitLockerKeyProtector and the information showing on AzureAD. Give it time to synchronize 🙂
Go to https://myapps.microsoft.com, go to the “Profile” page and see all the registered devices:
From there You can view the recovery password for You devices.
Btw – it’s not very intuitive – You cannot access this informatorom directly from office.com -> profie pages.