By default, BitLocker recovery information is not automatically written to Active Directory Domain Services (AD DS). Without proper Group Policy settings, recovery keys generated during encryption are stored only locally, making centralized management and recovery difficult.
You can centrally store BitLocker recovery keys in AD DS by enabling the appropriate Group Policy setting in your domain:
Path:
Computer Configuration → Policies → Windows Components → BitLocker Drive Encryption → Store BitLocker recovery information in Active Directory Domain Services
Once this policy is enabled, BitLocker automatically saves the recovery data under the corresponding computer object in Active Directory.
The entries follow a structure similar to:
CN=2025-05-20T12:39:11+01:00{FJ12RUG0-V1234-4J21-99E8-FK42VKBM42FJM}
This consists of:
- The timestamp indicating when the BitLocker information was stored (typically the time of domain join)
- A GUID identifying the specific BitLocker recovery entry
Inside this object, an attribute contains the actual BitLocker recovery key.
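Because enabling the policy is not retroactive, volumes encrypted before it applied keep their recovery password only locally. The following PowerShell script is an added example (not part of the original article) that checks the policy's registry footprint on a client, escrows any existing recovery-password protectors to AD DS, and then lists the msFVE-RecoveryInformation objects under the computer account without reading the password itself. It assumes an elevated session on a domain-joined host with the RSAT ActiveDirectory module installed and an account permitted to read those objects.

```powershell
# Added example (not from the original article): verify the escrow policy on a
# domain-joined client, push local recovery passwords to AD DS, and confirm the
# msFVE-RecoveryInformation objects exist under the computer account.
# Assumes: elevated session, RSAT ActiveDirectory module, read access to the objects.

#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory

# 1. The GPO above writes these values; ActiveDirectoryBackup=1 enables escrow,
#    RequireActiveDirectoryBackup=1 blocks encryption when the backup fails.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.ActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup policy is not applied on this host (run gpupdate /force and re-check).'
}

# 2. Escrow every RecoveryPassword protector on protected volumes. This is the
#    same operation as: manage-bde -protectors -adbackup <drive> -id <protector GUID>
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint) has no RecoveryPassword protector; nothing to escrow."
        continue
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Escrowed protector $($p.KeyProtectorId) for $($vol.MountPoint)"
    }
}

# 3. Confirm in AD DS: one msFVE-RecoveryInformation child per escrowed protector,
#    named CN=<timestamp>{<recovery GUID>} directly under the computer object.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'msFVE-RecoveryGuid'
foreach ($e in $entries) {
    # msFVE-RecoveryGuid is stored as an octet string; decode it to match KeyProtectorId above
    $guid = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')
    Write-Host "AD: $($e.Name)  recoveryGuid={$guid}"
}
if (-not $entries) { Write-Warning 'No recovery information found in AD DS for this computer.' }
```

The script deliberately never retrieves msFVE-RecoveryPassword; reading recovery passwords should stay a separate, audited help-desk operation rather than part of a routine compliance check.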