When BitLocker is enabled on the workstations and laptops in your enterprise, you must have a way to retrieve the recovery key of the hard drive. In some cases, BitLocker prompts the user for the recovery key when it detects a specific change, such as a partition modification.
The easiest solution is to use the Active Directory Users and Computers console. This is only possible if the GPO is configured to store the recovery key in Active Directory.
With Active Directory Users and Computers, we can:
- Display the BitLocker recovery key for one computer.
- Search the whole Active Directory for a Password ID.
- Delegate the right to display this confidential information.
Before searching for your computer in Active Directory, you need to install a feature that displays the BitLocker recovery key information. It has been included in the server features since Windows Server 2008.
To install the BitLocker Recovery Key feature:
- Go to Server Manager.
- On the Features page, select Remote Server Administration Tools.
- Check BitLocker Drive Encryption Administration Utilities.
- Check BitLocker Drive Encryption Tools.
- Check BitLocker Recovery Password Viewer.
After the installation, just close and reopen Active Directory Users and Computers.
A new tab, BitLocker Recovery, is now available on the computer object, with the following information:
- Recovery Key: this key is the one you give to the user if needed.
- Computer name and date.
- Password ID: the user must give you this information (the first 8 digits).
BitLocker Recovery Key Lookup Tool
Sometimes you don't have the computer name because the remote user doesn't know it. You only have the first 8 digits of the Password ID. Don't panic, there is a solution for that too. 🙂
We can search for the 8-digit code across all computer objects:
- Right click on your domain name.
- Select Find BitLocker Recovery Password.
- Enter the first 8 digits and click Search. You will find the computer and its recovery key.
If a helpdesk team exists in your enterprise, you may want to give them the right to display this information. However, the recovery key is confidential information and standard users cannot view it.
We need to delegate some rights on the targeted OU to a specific group:
- Right click on the targeted OU and select Delegate Control.
- Add the groups that need to view the recovery key.
- Select Create a custom task to delegate.
- Choose Only the following objects in the folder and check msFVE-RecoveryInformation objects.
- Give Full Control on this object.
- Helpdesk users can now view the recovery information.
In the example above, I set the right to Full Control on the property. The reason is that the property has the confidential bit set, and to read a confidential attribute you need the Control_Access right in addition to read access. Control_Access is only granted by the delegation wizard when you choose Full Control.
Alternatively, you can grant just the Control_Access right with LDP.exe, so that the group gets read-only access to the recovery information instead of Full Control.
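The read-only alternative to Full Control, as an added PowerShell example that is not part of the original post: it grants a helpdesk group GenericRead on the msFVE-RecoveryInformation objects under one OU plus the Control_Access right scoped to the msFVE-RecoveryPassword attribute only. It assumes the ActiveDirectory module is installed, that the caller can modify the OU's security descriptor, and that the OU and group names are placeholders to replace.

```powershell
# Added example, not from the original post. Least-privilege delegation for
# reading BitLocker recovery passwords: GenericRead on the recovery objects and
# CONTROL_ACCESS (ExtendedRight) on the confidential attribute only.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$Group    = 'EXAMPLE\Helpdesk-BitLocker'            # placeholder group

# Resolve the schema GUIDs at run time instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
$classGuid = Get-SchemaGuid 'msFVE-RecoveryInformation'   # recovery object class
$attrGuid  = Get-SchemaGuid 'msFVE-RecoveryPassword'      # confidential attribute

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$TargetOU"

# 1) Read the msFVE-RecoveryInformation objects themselves (non-confidential data).
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

# 2) CONTROL_ACCESS on the msFVE-RecoveryPassword attribute, inherited only by
#    msFVE-RecoveryInformation objects below the OU. No write rights are granted.
$caRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($caRule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list the ACEs that now apply to the group on this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
```

A member of the group can then read the key with the BitLocker Recovery tab or with `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $TargetOU -Properties msFVE-RecoveryPassword`, while still being unable to modify or delete the recovery objects.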
You can get more information about BitLocker here.
Excellent article, thanks.
One question: will this affect any permissions already previously delegated to the group?
Thank you for posting this article. I found it very useful.
Exactly what I was looking for. Much easier than trying to run the VB scripts Microsoft provides. I knew there had to be some property that could be accessed via the delegation wizard. Thank you for getting me there quicker.
Thanks a lot for your efforts, it helps so much.
Very useful. The screenshots are much appreciated!