Active Directory – How to display Bitlocker Recovery Key
When Bitlocker is enabled on workstation/ laptop in your entreprise, you must have a solution to get the recovery key of the hard drive. In some cases, Bitlocker can prompt to the user the Recovery key if it detects a specific behavior like partition changes.
The easiest solution is to use Active Directory Users And Computers console. This can only be possible if you set in the GPO to store Recovery Key into Active Directory.
With Active Directory Users And Computers, we can:
- Display Bitlocker Recovery key for one computer.
- Search in all Active Directory for a Password ID.
- Delegate Rights to display confidential information.
Before searching your computer in Active Directory, you need to install a plugin to display Bitlocker Recovery Key information. It is integrated in features since Windows Server 2008.
To install Bitlocker Recovery Key feature:
- Go to Server Manager.
- On Features Page select Remote Server Administration Tools.
- Check Bitlocker Drive Encryption Administration Utility.
- Check Bitlocker Drive Encryption Tools.
- Bitlocker Recovery Password Viewer.
After the installation, just close and open Active Directory Users And Computers again.
A new tab is now available on computer object: Bitlocker Recovery with some information:
- Recovery Key : this key must be given to the user if needed.
- Computer name and date
- Password ID: User must give you this information. (First 8 digit)
Bitlocker Recovery Key Lookup Tool
Sometime, you don’t have the computer name because the remote user doesn’t know it. You only have first 8 digit code. Don’t panic, there is a solution for that too. 🙂
We can search for 8 digit code in all computer objects:
- Right click on your domain name.
- Select Find Bitlocker Recovery Password.
- Enter the first 8 digit and click Search. You will find the computer and the recovery key.
If a helpdesk team exists in your enterprise, you maybe want to give them the right to display this information. However, Recovery key is a confidential information and standard users can not view it.
We need to delegate some rights on the targeted OU to specific group.
- Right click on the targeted OU and select Delegate Control.
- Add groups which need to view Recovery Key.
- Select Create a custom task to delegate.
- Choose Only the following object in the folder and check MSFVE-RecoveryInformation objects.
- Give Full Control on this object.
- Helpdesk user can now view Recovery information.
You can get more information about Bitlocker here.