How to backup recovery information in AD after Bitlocker is turned ON in Windows 7

Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover “How to backup recovery information in AD after Bitlocker is turned ON in Windows 7.”

A common question we are asked is how to save the recovery information to Active Directory for a Windows 7 machine on which Bitlocker is already turned ON.

This situation can arise under any of the following conditions, among others:

a)    The machine was encrypted with Bitlocker before it joined the domain.
b)    The machine was not physically connected to the network when Bitlocker was enabled.
c)    The GPO for saving Bitlocker recovery information is not set up correctly.

As a result, when you open the Active Directory Users and Computers portion of Server Manager, you do not see an msFVE-RecoveryInformation object under the computer that was encrypted.

In this situation we can use the manage-bde command on the client machine to save the recovery information to AD, instead of decrypting and re-encrypting the operating system drive just to get the recovery information stored in AD.
First verify that the client computer is in the correct OU in AD, where the Bitlocker group policies are applied, and then follow the steps below:

Open an elevated command prompt on the client computer and run the command below.

Note: You need local administrator rights to run manage-bde commands.

c:> manage-bde -protectors -get c:

Example:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Old Win7]
All Key Protectors

    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

    TPM And PIN:
      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}

In output like the above, note the ID and Password listed under Numerical Password.

Now run the command below, replacing the id value with the ID of the Numerical Password protector.

c:> manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

Now if you go to AD and check the client computer, you should see an msFVE-RecoveryInformation object for this client computer.
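The two manage-bde steps above can be scripted so the Numerical Password protector ID is picked out of the -get output instead of copied by hand. The script below is an added example and is not part of the original post; it assumes Windows 7 (which has no BitLocker PowerShell cmdlets, so it shells out to manage-bde.exe), an elevated PowerShell session, and manage-bde.exe on the PATH. The function names Get-KeyProtector and Backup-RecoveryPasswordToAD are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows 7, an elevated
# PowerShell session (2.0 or later) and manage-bde.exe on the PATH.

# Parse the output of "manage-bde -protectors -get <drive>". A protector header
# ("Numerical Password:", "TPM And PIN:", ...) is a line ending in ':' with
# nothing after the colon; the protector's ID follows on an "ID: {GUID}" line.
function Get-KeyProtector {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $currentType = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^([^:]+):$') {
            $currentType = $Matches[1].Trim()
        }
        elseif ($trimmed -match '^ID:\s*(\{[0-9A-Fa-f-]{36}\})$') {
            New-Object PSObject -Property @{ Type = $currentType; Id = $Matches[1] }
        }
    }
}

# Back up every Numerical Password (recovery password) protector on $Drive to AD.
# That is the protector type stored in msFVE-RecoveryInformation; the External
# Key (.BEK) and TPM And PIN protectors in the listing are not what -adbackup is for.
function Backup-RecoveryPasswordToAD {
    param([string]$Drive = 'C:')

    $output = & manage-bde.exe -protectors -get $Drive
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -protectors -get failed ($LASTEXITCODE):`n$($output -join "`n")"
    }

    $recovery = @(Get-KeyProtector -Lines ([string[]]$output) |
        Where-Object { $_.Type -eq 'Numerical Password' })
    if ($recovery.Count -eq 0) {
        throw "No Numerical Password protector on $Drive. Add one first with: manage-bde -protectors -add $Drive -RecoveryPassword"
    }

    foreach ($p in $recovery) {
        Write-Host "Backing up protector $($p.Id) on $Drive to Active Directory..."
        $result = & manage-bde.exe -protectors -adbackup $Drive -id $p.Id
        if ($LASTEXITCODE -ne 0) {
            # Typical causes: the computer object is not in an OU where the
            # Bitlocker GPO applies, or no domain controller is reachable.
            throw "adbackup failed for $($p.Id) ($LASTEXITCODE):`n$($result -join "`n")"
        }
        Write-Host ($result -join "`n")
    }
}

Backup-RecoveryPasswordToAD -Drive 'C:'
```

Run it once per encrypted drive; on success manage-bde prints "Recovery information was successfully backed up to Active Directory." as in the post. To confirm the result in Active Directory Users and Computers, turn on View > Advanced Features; the msFVE-RecoveryInformation objects are child objects of the computer object and are hidden in the default view.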

For more information on Group Policies for Bitlocker, see my earlier blog post:
https://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Manoj Sehgal
Senior Support Engineer
Microsoft Enterprise Platforms Support