Setting up BitLocker for an OU in UW-Madison's AD (BitLocker Documentation for OUs)

Getting Started

This article was used as a template for this document: Backing up BitLocker and TPM Recovery Information to AD DS

Some helpful sample scripts, not strictly required:
Add an ACE to write TPM recovery information to AD DS
List the ACE's configured on TPM and BitLocker schema objects
Retrieve TPM owner information from AD DS
Retrieve BitLocker recovery information from AD DS

Delegate permissions for backing up TPM password information with Active Directory Users and Computers (ADUC)

  1. Make sure to run "dsa.msc" as an OU account that has access to write information.
  2. In ADUC (dsa.msc), right click on the OU that contains your computer objects and select "Delegate Control..."
  3. Click "Next".
  4. Click "Add...", and type "SELF", click "Check Names", then click "OK".
  5. Click "Next".
  6. Select "Create a custom task to delegate", then click "Next".
  7. Select "Only the following objects in the folder:", select "Computer objects", and then click "Next".
  8. Select "Property-specific", select "Write msTPM-OwnerInformation", and click "Next".
    • Note: Only "Property-specific" and "Write msTPM-OwnerInformation" are to be selected. De-selecting "General", then clicking "Back", then "Next" should clear the unnecessary boxes. If that fails to work, manually de-selecting the unnecessary boxes will suffice.
  9. Click "Finish".

Create a minimal group policy to back up BitLocker and TPM recovery information to AD DS

  1. Open "gpmc.msc" as your OU administrative account.
  2. Create a new policy and link it to your computer's OU.
  3. Edit the policy:
    • Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption
      • Enable "Store BitLocker recovery information in Active Directory Domain Services"
        • Check "Require BitLocker backup to AD DS"
        • Select "Recovery passwords and key packages"
      • Optional, but required for certificate-based data recovery agents: set Provide the unique identifiers for your organization
      • Operating System Drives -> Require additional authentication at startup
        • Enabled
        • Leave all defaults (each option set to "Allow", not "Require"). This ensures computers without a TPM can still encrypt drives.
      • Operating System Drives -> Choose how BitLocker-protected operating system drives can be recovered
        • Enabled
        • Check the box for "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
        • Check the box for "Omit recovery options from the BitLocker setup wizard".

Note: Feel free to configure the rest of the BitLocker policies as your needs require. The settings above are purely the minimum needed to store recovery keys in Active Directory.

Delegate access to BitLocker recovery keys

  1. Create a security group following the AD naming convention (see "Campus Active Directory - Naming Convention").
  2. In Active Directory Users & Computers, right click the OU that contains your computer objects.
  3. Click "Delegate Control".
  4. Click "Next".
  5. Add the group that you created in step one.
  6. Click "Next".
  7. Select "Create a custom task to delegate".
  8. Click "Next".
  9. Select "Only the following objects in the folder:", then check:
    • msFVE-RecoveryInformation objects
  10. Click "Next".
  11. Select "Full Control".
  12. Click "Next".
  13. Click "Finish".

Turn on BitLocker on your client.
Note: This may require a feature install depending on the Operating System version.

Once BitLocker is enabled, you can verify in Active Directory that a recovery key is associated with the computer. You can use the BitLocker management plugin for ADUC or PowerShell to retrieve the recovery key.

For PowerShell (the recovery password is stored on msFVE-RecoveryInformation child objects beneath the computer object, so search under the computer rather than reading the computer object itself):

Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -SearchBase (Get-ADComputer computername).DistinguishedName -Properties msFVE-RecoveryPassword, whenCreated | Select-Object DistinguishedName, msFVE-RecoveryPassword, whenCreated
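As an added example, not part of the original article: a PowerShell audit that lists every computer in an OU with the number of recovery-information objects stored beneath it, so you can spot machines whose keys never reached AD DS before relying on AD for recovery. $OU is a placeholder you must replace with your own OU's distinguished name.

```powershell
# Added example (not from the KB article): audit BitLocker recovery-key backup
# for every computer in an OU. Assumes the ActiveDirectory module is installed
# and you run it as an account that can read the msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

$OU = 'OU=Computers,OU=YourDept,DC=ad,DC=example'   # placeholder, replace with your OU

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $OU -Properties msTPM-OwnerInformation) {
    # Recovery information lives in msFVE-RecoveryInformation child objects
    # directly beneath the computer object, so search one level under it.
    $keys = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                         -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                         -Properties whenCreated

    [pscustomobject]@{
        Computer        = $computer.Name
        RecoveryKeys    = @($keys).Count
        NewestKeyBackup = if ($keys) { ($keys | Sort-Object whenCreated -Descending)[0].whenCreated } else { $null }
        TpmOwnerInfo    = [bool]$computer.'msTPM-OwnerInformation'
    }
}

# Computers with zero stored keys have not backed up to AD DS; check that the
# GPO applied and that the SELF delegation above is in place for those machines.
$report | Sort-Object RecoveryKeys | Format-Table -AutoSize
$report | Where-Object RecoveryKeys -eq 0 |
    ForEach-Object { Write-Warning "No BitLocker recovery key stored in AD DS for $($_.Computer)" }
```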

Keywords: bitlocker ad active directory ou
Doc ID: 72670
Owner: MST Support
Group: Identity and Access Management
Created: 2017-04-18 10:26:26
Updated: 2023-08-09 14:08:40
Sites: Identity and Access Management