Microsoft Enterprise Platforms Support: Windows Server Core Team
Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today's blog will cover "BitLocker Drive Encryption and Active Directory".
BitLocker Recovery Information (msFVE-RecoveryInformation) can be backed up in Active Directory by configuring GPO for BitLocker.
BitLocker Recovery Information is stored as a child object of the computer object in AD.
To configure GPO, see the blog below:
There are, however, some tasks a system administrator routinely performs on computer objects in AD, and it is worth knowing what each one does to this information.
1. Rejoining a machine to the domain.
If you re-join a BitLocker-encrypted machine to the domain, we do not touch the BitLocker Recovery Information (the msFVE-RecoveryInformation objects). The BitLocker information remains the same.
You will still see the same BitLocker Recovery Information in AD for the computer object.
2. Renaming a computer which has BitLocker Drive Encryption
If you rename a computer which already has BitLocker turned on, we do not touch the child objects or the BitLocker Recovery Information. The only key point is that all the BitLocker Recovery Information (recovery keys) will now be listed as child objects of the computer object under its new name.
So when you want to search for the Recovery Password of a computer object, use the BitLocker Recovery Password Viewer.
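As a check after either a rejoin or a rename, the following PowerShell snippet lists the msFVE-RecoveryInformation child objects stored under a computer object, so you can confirm the recovery information is still there. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed, that the account running it is allowed to read msFVE-RecoveryPassword (by default only Domain Admins are), and the computer name `WKS01` is a placeholder.

```powershell
# Added example (not from the original post): enumerate the BitLocker recovery
# objects that AD stores as children of a computer object.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param(
        # sAMAccountName of the computer without the trailing '$' (placeholder: 'WKS01')
        [Parameter(Mandatory)] [string] $ComputerName
    )

    # The computer object is the parent; each msFVE-RecoveryInformation object
    # sits one level below it, regardless of rejoins or renames.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties 'msFVE-RecoveryGuid','msFVE-VolumeGuid','msFVE-RecoveryPassword','whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $computer.Name
                # The CN itself embeds the backup timestamp and the recovery GUID.
                ObjectName   = $_.Name
                # The GUID attributes are stored as byte arrays; the recovery GUID is
                # what the BitLocker recovery screen shows as the "Recovery key ID".
                RecoveryId   = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                VolumeId     = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
                BackedUpOn   = $_.whenCreated
                # 48-digit recovery password: handle this output as a secret.
                RecoveryPass = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Usage:
# Get-BitLockerRecoveryInfo -ComputerName 'WKS01' | Format-Table -AutoSize
```

Run it once before the rename or rejoin and once after; the same ObjectName and RecoveryId values should appear both times. If nothing is returned for a machine you expect to be backed up, check that the GPO requiring AD backup was applied before the volume was encrypted, since BitLocker only writes the object at the time the protector is created.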
3. Computer Object is deleted from Active Directory.
If you delete a computer object from AD, you also delete the BitLocker Recovery Information, which is a child object of it.
To restore the deleted computer object, you will have to use AD Restore Mode to retrieve the object.
If you are using Windows Server 2008 R2, configure the AD Recycle Bin.
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
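With the Recycle Bin enabled, a deleted computer object and its BitLocker recovery children can be brought back with PowerShell instead of a restore-mode operation. The following is an added example, not code from the original post; it assumes a forest functional level of Windows Server 2008 R2 or later, the ActiveDirectory module, and uses `contoso.com` and `WKS01` as placeholders. It restores the parent first and then the msFVE-RecoveryInformation children, because a child cannot be restored until its last known parent exists again.

```powershell
# Added example (not from the original post): restore a deleted computer object
# together with its BitLocker recovery child objects from the AD Recycle Bin.
Import-Module ActiveDirectory

# One-time, irreversible forest change; run once as an Enterprise Admin.
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
#     -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

function Restore-BitLockerComputer {
    param(
        # sAMAccountName without the trailing '$' (placeholder: 'WKS01')
        [Parameter(Mandatory)] [string] $ComputerName
    )

    # Deleted objects keep their sAMAccountName, so locate the tombstone by it.
    $deletedComputer = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$ComputerName`$))" `
        -Properties lastKnownParent
    if (-not $deletedComputer) {
        throw "No deleted computer '$ComputerName' found in the Recycle Bin."
    }

    # 1. Restore the parent. It goes back under lastKnownParent, which must
    #    still exist (restore the OU first if that was deleted as well).
    Restore-ADObject -Identity $deletedComputer.ObjectGUID
    $restored = Get-ADComputer -Identity $ComputerName

    # 2. The msFVE-RecoveryInformation children were deleted along with the
    #    computer; their lastKnownParent is the computer's original DN, which
    #    is the DN it has again now that it is restored.
    $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter '(&(isDeleted=TRUE)(objectClass=msFVE-RecoveryInformation))' |
        Where-Object { $_.lastKnownParent -eq $restored.DistinguishedName }

    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
    }

    [pscustomobject]@{
        Computer                = $restored.DistinguishedName
        RecoveryObjectsRestored = @($children).Count
    }
}

# Usage:
# Restore-BitLockerComputer -ComputerName 'WKS01'
```

The order matters: Restore-ADObject on a child whose parent is still deleted fails, which is why the function restores the computer before searching for its children. After the restore, the BitLocker Recovery Password Viewer shows the same recovery passwords as before the deletion, since the Recycle Bin preserves every attribute of the deleted objects.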
I hope the above information is useful to everyone. Thanks for taking the time to read it.
Manoj Sehgal Senior Support Escalation Engineer Microsoft Enterprise Platforms Support
Thanks. What happens in a scenario where a client with BitLocker enabled gets joined to a domain? Is it necessary to first decrypt the drive and then re-encrypt after the domain join?
What happens when you use AD restore to re-add the computer object? Is there anything extra to do to get the child object for BitLocker?