Implement BitLocker Recovery Process using self-recovery and recovery password retrieval solutions

What happens if you forget your BitLocker PIN or lose the startup key? In this post we look at how to implement a BitLocker recovery process using self-recovery and recovery password retrieval solutions in Windows Server 2016.

There are a few different methods of recovering BitLocker which we’ll cover here.

Recovering a volume protected by BitLocker Drive Encryption (BDE) comes down to having its recovery password, the 48-digit numerical key that BitLocker generates when it is turned on. That recovery password can be saved manually, or, depending on Group Policy settings, backed up automatically to Active Directory.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Manual BitLocker Recovery Process

The manual recovery process is most likely what you’ll be using if you’re just using BitLocker yourself or in a very small environment, as it’s easy enough to manage at a small scale. When BitLocker is set up you’ll be provided with a 48-digit recovery password. You can print, save or otherwise store this recovery password in a secure location. If you ever need to perform a BitLocker recovery, simply press ‘Esc’ at the BitLocker boot screen and enter the recovery password.

Keep in mind that anyone with access to the recovery password can unlock the disk it was set up for, so it is very important that it’s stored securely offline, separate from the machine it protects. Likewise, if the recovery password is lost and you don’t have any other method of unlocking the disk, the data will not be accessible.
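A recovery password that was written down or typed into a password manager is only as good as the transcription. The following is an added example, not code from the original post: it checks a 48-digit recovery password offline, before you need it, using the structure BitLocker gives the password (eight 6-digit groups, each a 16-bit value multiplied by 11, so every group is divisible by 11 and below 720896). The sample passwords at the bottom are constructed to demonstrate the check and are not real keys.

```powershell
# Added example (not from the original post): sanity-check a manually recorded
# 48-digit BitLocker recovery password. Each 6-digit group is a 16-bit value
# times 11, so a group that is not divisible by 11, or is >= 720896 (65536 * 11),
# means the password was mistyped or mis-copied. Runs offline, no volume or
# domain controller needed.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$RecoveryPassword)

    # Accept the dashes or spaces people add when writing the password down.
    $digits = $RecoveryPassword -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{ Valid = $false; Reason = "expected 48 digits, got $($digits.Length)" }
    }

    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        if (($group % 11) -ne 0 -or $group -ge 720896) {
            return [pscustomobject]@{ Valid = $false; Reason = "group $($i + 1) ('$text') fails the checksum" }
        }
    }
    [pscustomobject]@{ Valid = $true; Reason = 'all eight groups pass the checksum' }
}

# Constructed sample input, not real recovery passwords.
Test-BitLockerRecoveryPassword '000000-000011-000022-000033-000044-000055-000066-000077'   # Valid = True
Test-BitLockerRecoveryPassword '000000-000011-000022-000033-000044-000055-000066-000078'   # Valid = False, group 8
```

The check only proves the digits are well formed; it cannot tell you which volume they belong to, which is why the password ID that BitLocker shows alongside the password should be recorded too.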

Active Directory BitLocker Recovery Process

Rather than manually saving the BitLocker recovery password to a secure location, we can have it sent automatically to an Active Directory domain controller. This allows us to centralize the BitLocker recovery process in our domain. To use this method of storing recovery passwords, it must first be enabled through Group Policy before BitLocker is turned on; a volume encrypted before the policy applied is not backed up retroactively (see the PowerShell section below for how to back it up afterwards).

Edit your Group Policy object and browse to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista), as shown below. This policy should be applied to all machines that you wish to configure BitLocker on. Note that, as its name says, this particular setting only applies to Windows Server 2008 and Windows Vista clients; newer versions of Windows use the per-drive-type settings covered further down.

Group Policy Management Editor BitLocker Settings

Once enabled we have the option of ticking “Require BitLocker backup to AD DS”, which is selected by default.

Group Policy store BitLocker recovery key in Active Directory

With this ticked, a machine that has received the policy cannot turn on BitLocker unless it has an active connection to an Active Directory domain controller, so that the recovery password can be written to the computer object. Only after the recovery password has been successfully backed up does BitLocker configuration proceed.

For Windows Server 2012 and newer, we instead enable “Choose how BitLocker-protected operating system drives can be recovered” from the Operating System Drives subfolder. There are equivalent settings for Fixed Data Drives and Removable Data Drives as well. By default “Save BitLocker recovery information to AD DS for operating system drives” is ticked; you should also tick “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives”. This ensures that BitLocker can only be turned on once we definitely have a copy of the recovery password stored in AD.

Group Policy choose how BitLocker operating system drives can be recovered
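Before turning BitLocker on, it is worth confirming on the client that the policy above has actually been applied, since a machine that encrypts before the policy arrives will never escrow its password. This is an added example and not part of the original post; it assumes the documented registry layout of the BitLocker policies under HKLM\SOFTWARE\Policies\Microsoft\FVE, where the three “Choose how BitLocker-protected ... drives can be recovered” settings write values prefixed OS, FDV and RDV respectively.

```powershell
# Added example (not from the original post): verify that AD DS backup of
# recovery information is enabled *and* required on this machine before
# enabling BitLocker. Run elevated on the domain-joined client, or remotely
# with Invoke-Command.
function Test-BitLockerAdBackupPolicy {
    param(
        # OS = operating system drives, FDV = fixed data drives, RDV = removable
        # data drives: the value-name prefixes used by the three policies.
        [ValidateSet('OS', 'FDV', 'RDV')][string]$DriveType = 'OS'
    )

    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

    # <Prefix>Recovery = 1                      -> the recovery policy is Enabled
    # <Prefix>ActiveDirectoryBackup = 1         -> "Save BitLocker recovery information to AD DS"
    # <Prefix>RequireActiveDirectoryBackup = 1  -> "Do not enable BitLocker until recovery
    #                                              information is stored to AD DS"
    $enabled = [bool]($p -and $p."${DriveType}Recovery" -eq 1)
    $backup  = [bool]($p -and $p."${DriveType}ActiveDirectoryBackup" -eq 1)
    $require = [bool]($p -and $p."${DriveType}RequireActiveDirectoryBackup" -eq 1)

    [pscustomobject]@{
        DriveType     = $DriveType
        PolicyApplied = $enabled
        BackupToAd    = $backup
        BackupRequired = $require
        # Only "ready" when backup is mandatory: with BackupToAd alone, BitLocker
        # still turns on if no DC is reachable and the password is never escrowed.
        Ready         = $enabled -and $backup -and $require
    }
}

$state = Test-BitLockerAdBackupPolicy -DriveType OS
$state
if (-not $state.Ready) {
    Write-Warning 'AD DS backup of OS-drive recovery information is not enforced; run gpupdate /force and re-check before enabling BitLocker.'
}
```

The legacy Windows Server 2008 / Vista setting writes the same three values without a prefix (ActiveDirectoryBackup, RequireActiveDirectoryBackup and ActiveDirectoryInfoToStore), so on older clients check those names instead.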

While storing recovery passwords in Active Directory is convenient, retrieving one is still a manual step for an administrator: open the computer object’s properties in Active Directory Users and Computers and go to the BitLocker Recovery tab. This tab, and the search described next, are provided by the BitLocker Recovery Password Viewer, an optional Remote Server Administration Tools feature that must be installed on the machine you run the console from.

Computer properties BitLocker Recovery Tab

We can also search Active Directory for a BitLocker recovery password as demonstrated below by simply right clicking the domain and selecting “Find BitLocker recovery Password”.

Active Directory search BitLocker recovery password

This lets us search the domain by the password ID: the identifier that was shown alongside the recovery password when BitLocker was enabled, and which the BitLocker recovery screen displays (its first eight characters are enough for the search).

Find BitLocker recovery password

As we can see here the recovery password is available in AD, confirming that we can centralize the BitLocker recovery process. Because anyone who can read these objects can unlock the corresponding drives, delegate read access to the BitLocker recovery information only to the staff who actually perform recoveries.
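The same lookup can be scripted, which is useful for a help desk that handles recoveries regularly or for auditing which computers have no escrowed password at all. The following is an added example and not code from the original post. It relies on how BitLocker stores the backup: one msFVE-RecoveryInformation object per recovery password, created as a child of the computer object, whose name ends with the full password GUID in braces and which carries the msFVE-RecoveryPassword and msFVE-RecoveryGuid attributes. It assumes the ActiveDirectory PowerShell module (part of RSAT) and read access to those attributes; the ID passed in the usage line is a placeholder.

```powershell
# Added example (not from the original post): the "Find BitLocker recovery
# password" dialog, scripted with the ActiveDirectory module. Searches the
# domain (or one computer) for the msFVE-RecoveryInformation object whose name
# contains the password ID shown on the BitLocker recovery screen.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 characters of the password ID from the recovery screen, or the full GUID.
        [Parameter(Mandatory)][string]$PasswordId,
        # Optional hostname to restrict the search to that computer object.
        [string]$ComputerName
    )

    $prefix = $PasswordId.Trim('{}').ToUpper()
    # Object names look like "2017-02-03T10:11:12-05:00{8A1B2C3D-....}", so the
    # GUID prefix immediately follows the opening brace.
    $ldapFilter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$prefix*))"

    $searchBase = (Get-ADDomain).DistinguishedName
    if ($ComputerName) {
        $searchBase = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    }

    Get-ADObject -LDAPFilter $ldapFilter -SearchBase $searchBase -SearchScope Subtree `
                 -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                # The parent of the recovery object is the computer it belongs to.
                Computer         = ($_.DistinguishedName -split ',', 2)[1]
                PasswordId       = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
                BackedUp         = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'   # the secret: handle accordingly
            }
        }
}

# Placeholder ID; replace with the 8-character ID the recovery screen shows.
Find-BitLockerRecoveryPassword -PasswordId '8A1B2C3D' | Format-List
```

Matching on the object name rather than on msFVE-RecoveryGuid keeps the search a single LDAP query and avoids converting the GUID to the byte order AD uses. A computer can have several recovery objects (one per volume, plus one for each time the password was rotated), so always match on the ID rather than just taking the newest entry.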

Back Up BitLocker Password with PowerShell

There are also command-line and PowerShell tools for storing recovery passwords in Active Directory. We can use the ‘manage-bde’ command-line tool as shown below to display the key protectors, including the recovery password, for the drive specified. Note that to do this the volume must be unlocked, which means you need to be able to unlock it by its normal means first.

PowerShell View BitLocker Recovery Password

From the output of this command we can take note of the ID of the numerical password protector, as we’ll use it next. If you enabled BitLocker before configuring the Group Policy needed to store recovery passwords in Active Directory, fear not! We can back up an existing recovery password to Active Directory with manage-bde by specifying the ‘-adbackup’ option followed by the drive and the ‘-id’ of that password protector, as shown below.

PowerShell save BitLocker recovery password in Active Directory
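The manage-bde commands above (‘manage-bde -protectors -get C:’ to list protectors and their IDs, then ‘manage-bde -protectors -adbackup C: -id {ID}’ to escrow one) work one volume at a time. As an added example that is not from the original post, the script below does the same with the BitLocker PowerShell module shipped in Windows Server 2016, across every protected volume on the machine: it adds a numerical recovery password protector where a volume has none (for instance one set up with only a TPM and PIN) and then backs each recovery password up to AD DS. It assumes an elevated session on a domain-joined machine with the volumes unlocked and a reachable domain controller.

```powershell
# Added example (not from the original post): ensure every BitLocker volume has
# a recovery password protector and that each one is backed up to AD DS.
# Backup-BitLockerKeyProtector does what "manage-bde -protectors -adbackup" does.
function Backup-AllRecoveryPasswordsToAd {
    $protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

    foreach ($vol in $protected) {
        $mount = $vol.MountPoint
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

        if (-not $rp) {
            # No 48-digit recovery password exists for this volume: create one.
            Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }

        foreach ($p in $rp) {
            try {
                # Escrow this protector under the computer object in AD DS.
                Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'backed up to AD DS'
            } catch {
                # Typical causes: no reachable domain controller, or the machine
                # is not domain-joined.
                $status = "failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                MountPoint     = $mount
                KeyProtectorId = $p.KeyProtectorId   # the same ID manage-bde prints
                Status         = $status
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAd | Format-Table -AutoSize
```

The KeyProtectorId in the output is the password ID the recovery screen will later display, so you can confirm the escrow worked with the Active Directory search from the previous section. Note that backing up does not remove anything: if the password was also written to a file or printed, that copy still unlocks the volume.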

Automatic Self Serve Recovery

Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP), available to Microsoft customers with Software Assurance. It is a solution targeted at large organizations and is used to centrally manage BitLocker recovery keys. It provides self-service access to recovery keys through a portal, allowing a user to retrieve their own recovery key securely in the event that they cannot unlock their disk, as well as a help desk portal for staff to look keys up on a user’s behalf. This reduces administrative overhead, as a user can find their own recovery key when needed, and it is the best option available for implementing a BitLocker recovery process using self-recovery in Windows.


We have covered a few different methods of implementing a BitLocker recovery process using self-recovery and recovery password retrieval solutions with Active Directory. Without the recovery password you may not be able to get access to your data, so when setting up BitLocker be sure that it is recorded somewhere, whether that be saved manually in a secure offline location or backed up to Active Directory.

