Would you like to learn how to configure a group policy to store the Bitlocker recovery key in Active Directory? In this tutorial, we will show you how to backup the Bitlocker recovery key inside the Active Directory using a GPO.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 7

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Windows Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Windows.

Tutorial GPO – Store the Bitlocker recovery key in Active Directory

On the domain controller, start an elevated Powershell command-line.

Windows 10 - powershell elevated

Verify if the Active Directory schema has the required attributes.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Install the feature named RSAT-Feature-Tools-BitLocker-BdeAducExt.

Copy to Clipboard

On the domain controller, open the group policy management tool.

Windows 2012 - Group Policy Management

Create a new group policy.

Windows 2012 - Group Policy Objects

Enter a name for the new group policy.

Windows - Add GPO

In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

Windows - Edit GPO

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Bitlocker Drive Encryption.

GPO - Bitlocker configuration

Enable the item named: Store BitLocker Recovery information in Active Directory Domain Services.

Copy to Clipboard

Click on the OK button.

GPO - Bitlocker Recovery Key Active Directory

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Operating System Drives.

GPO - Bitlocker - Operating System Drives

Enable the item named: Choose how BitLocker-protected Operating System drives can be recovered.

Copy to Clipboard

Click on the OK button.

GPO - Bitlocker recovery Operating System drives

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Fixed Data Drives.

GPO - Bitlocker - Fixed Drives

Enable the item named: Choose how BitLocker-protected fixed drives can be recovered.

Copy to Clipboard

Click on the OK button.

GPO - Bitlocker recovery Fixed drives

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Removable Data Drives.

GPO - Bitlocker - Removable Drives

Enable the item named: Choose how BitLocker-protected Removable drives can be recovered.

Copy to Clipboard

Click on the OK button.

GPO - Bitlocker recovery Removable drives

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial – Applying the GPO to store the Bitlocker recovery key in Active Directory

On the Group policy management screen, you need to right-click the Organizational Unit desired and select the option to link an existent GPO.

Windows-2012-Applocker application

In our example, we are going to link the group policy named MY-GPO to the root of the domain.

GPO- tutorial linking

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

After encrypting a computer, verify if the Bitlocker recovery keys were stored in Active Directory.

Bitlocker - Recovery password in Active directory

In our example, we configured the Bitlocker recovery key to be stored in Active Directory.