
Active Directory – How to display Bitlocker Recovery Key

When Bitlocker is enabled on the workstations and laptops in your enterprise, you must have a way to retrieve the recovery key of a hard drive. In some cases Bitlocker prompts the user for the recovery key when it detects a specific change, such as a modification of the partition layout.

The easiest solution is to use the Active Directory Users And Computers console. This is only possible if your GPO is configured to store the recovery key in Active Directory.

With Active Directory Users And Computers, we can:

  • Display the Bitlocker recovery key of one computer.
  • Search the whole Active Directory for a Password ID.
  • Delegate the right to display this confidential information.

Feature installation

Before searching for your computer in Active Directory, you need to install a plugin that displays the Bitlocker recovery key information. It has been included in the server features since Windows Server 2008.

To install the Bitlocker Recovery Key feature:

  • Go to Server Manager.
  • On the Features page, select Remote Server Administration Tools.
  • Check Bitlocker Drive Encryption Administration Utilities.
    • Check Bitlocker Drive Encryption Tools.
    • Check Bitlocker Recovery Password Viewer.
Bitlocker Recovery Key Feature

Computer Object

After the installation, simply close and reopen Active Directory Users And Computers.

A new tab, Bitlocker Recovery, is now available on the computer object, with the following information:

  • Recovery Key: this key is what you give to the user when needed.
  • Computer name and date.
  • Password ID: the user must give you this information (the first 8 digits).
Bitlocker Recovery Key Tab

Bitlocker Recovery Key Lookup Tool

Sometimes you don’t have the computer name because the remote user doesn’t know it. You only have the first 8 digits of the code. Don’t panic, there is a solution for that too. 🙂

We can search all computer objects for the 8-digit code:

  • Right click on your domain name.
  • Select Find Bitlocker Recovery Password.
Find Bitlocker Recovery Password

  • Enter the first 8 digits and click Search. You will find the computer and its recovery key.
Bitlocker Find Recovery Key
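The two lookups above (recovery key by computer name, and the domain-wide search on the first 8 digits of the Password ID) can also be done from the ActiveDirectory PowerShell module, which is handy when the helpdesk works from a script rather than the console. The following is an added example and is not code from the original post; it assumes the RSAT ActiveDirectory module is installed, and the function names, the sample computer name PC01 and the sample Password ID prefix 6E0B5C9D are placeholders chosen for this illustration.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and an account holding the rights described in the post.
Import-Module ActiveDirectory

# Recovery information lives in msFVE-RecoveryInformation child objects of the
# computer object. Their name has the form "<timestamp>{<Password ID GUID>}",
# so the Password ID shown in ADUC is the GUID between the braces.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', whenCreated |
      ForEach-Object {
        [pscustomobject]@{
            ComputerName = $computer.Name
            Created      = $_.whenCreated
            PasswordId   = ($_.Name -replace '^.*\{([0-9A-Fa-f-]+)\}.*$', '$1')
            # msFVE-RecoveryPassword is a confidential attribute: it comes back
            # empty unless the caller has Control Access on it (see Delegation).
            RecoveryKey  = $_.'msFVE-RecoveryPassword'
        }
      }
}

# Same search as ADUC's "Find Bitlocker Recovery Password": match the first
# 8 hex characters of the Password ID across every computer in the domain.
function Find-BitLockerRecoveryByPasswordId {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]   # exactly the 8 digits the user reads out
        [string]$PasswordIdPrefix
    )

    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{${PasswordIdPrefix}-*))" `
        -Properties 'msFVE-RecoveryPassword', whenCreated |
      ForEach-Object {
        # The parent of the recovery object is the computer object itself.
        $dn       = $_.DistinguishedName
        $parentDn = $dn.Substring($dn.IndexOf(',') + 1)
        $computer = Get-ADComputer -Identity $parentDn
        [pscustomobject]@{
            ComputerName = $computer.Name
            Created      = $_.whenCreated
            PasswordId   = ($_.Name -replace '^.*\{([0-9A-Fa-f-]+)\}.*$', '$1')
            RecoveryKey  = $_.'msFVE-RecoveryPassword'
        }
      }
}

# Usage (placeholder values):
#   Get-BitLockerRecoveryInfo -ComputerName PC01
#   Find-BitLockerRecoveryByPasswordId -PasswordIdPrefix 6E0B5C9D
```

A computer can have several recovery objects (one per protector reset), so always compare the full Password ID returned with the one the user reads out before handing over a key. If RecoveryKey comes back empty while the object itself is listed, the account has read access to the object but lacks Control Access on the confidential attribute, which is exactly the situation the Delegation Rights section below addresses.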

Delegation Rights

If a helpdesk team exists in your enterprise, you may want to give them the right to display this information. However, the recovery key is a confidential attribute and standard users cannot view it.

Bitlocker Recovery Key Standard User

We need to delegate some rights on the targeted OU to a specific group.

  • Right click on the targeted OU and select Delegate Control.
OU Delegate Control

  • Add the groups that need to view the recovery key.
Delegate Group

  • Select Create a custom task to delegate.
Custom task to delegate

  • Choose Only the following objects in the folder and check msFVE-RecoveryInformation objects.
msFVE-RecoveryInformation

  • Give Full Control on this object.
Full Control Right

  • The helpdesk user can now view the recovery information.
Recovery Key Granted user

Note

In the example above, I set the right to Full Control on the property. The reason is that the property carries the confidential bit, and to read it the account needs the Control_Access right. Control_Access is granted when the account is given Full Control in the delegation wizard.

Otherwise, it is possible to grant only the Control_Access right with LDP.exe, which limits the delegation to read access.
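The read-only alternative mentioned in the note can be scripted instead of clicked through in LDP.exe: two ACEs on the OU, inherited by msFVE-RecoveryInformation objects, give a group exactly what it needs to see the key and nothing more. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module (for the AD: drive and Get-ADRootDSE), and the OU distinguished name OU=Workstations,DC=corp,DC=example and the group CORP\Helpdesk are placeholders.

```powershell
# Added example (not from the original post): least-privilege delegation of
# BitLocker recovery passwords with Set-Acl instead of Full Control.
# Assumes the RSAT ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of a class or attribute, which is how object-specific
# ACEs refer to them.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    [guid]::new([byte[]]$obj.schemaIDGUID)
}

function Grant-BitLockerRecoveryRead {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName      # e.g. 'CORP\Helpdesk' (placeholder)
    )
    $identity  = New-Object System.Security.Principal.NTAccount($GroupName)
    $classGuid = Get-SchemaIdGuid -LdapDisplayName 'msFVE-RecoveryInformation'
    $attrGuid  = Get-SchemaIdGuid -LdapDisplayName 'msFVE-RecoveryPassword'

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # ACE 1: generic read on every msFVE-RecoveryInformation object below the OU,
    # so the group can list the objects, their name (Password ID) and dates.
    $readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    # ACE 2: Control Access on the confidential msFVE-RecoveryPassword attribute.
    # This is the Control_Access flag from the note; without it the attribute is
    # simply filtered out of query results even though read access exists.
    $caRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($caRule)
    Set-Acl -Path $path -AclObject $acl
}

# Review what a group has been granted on the OU, to check the result or to
# spot an earlier Full Control delegation that should be tightened.
function Show-BitLockerRecoveryAces {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
      Where-Object { $_.IdentityReference.Value -eq $GroupName } |
      Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                    ObjectType, InheritedObjectType, InheritanceType
}

# Usage (placeholder values):
#   Grant-BitLockerRecoveryRead -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' -GroupName 'CORP\Helpdesk'
#   Show-BitLockerRecoveryAces  -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' -GroupName 'CORP\Helpdesk'
```

Both ACEs are scoped with an inherited object type, so they apply only to msFVE-RecoveryInformation objects and leave the computer objects and any other rights already delegated on the OU untouched. Compared with the wizard's Full Control, the group cannot modify or delete recovery objects, which keeps the delegation to the read access the note describes.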

More

You can get more information about Bitlocker here.


7 thoughts on “Active Directory – How to display Bitlocker Recovery Key”

  1. Excellent article, thanks.
     One question: will this affect any permissions already previously delegated to the group?

  2. Exactly what I was looking for. Much easier than trying to run the VB scripts Microsoft provides. I knew there had to be some property that could be accessed via the delegation wizard. Thank you for getting me there quicker.
