Q: Why do I get a Group Policy error while trying to save BitLocker Recovery Password to Active Directory?

A. Provided you have run the Windows 2008 schema update for your Active Directory (AD), AD can support storing the BitLocker Recovery Password for machines. However, certain Group Policy settings must be enabled and linked to the domain or OU that contains the computers you are trying to save BitLocker Recovery Password information for. Without the correct Group Policy configuration, you will see the following error trying to save protectors to Active Directory:

C:\>manage-bde -protectors -adbackup c: -id {B97F4CF1-C4A2-4D1E-9076-27E16FD3345F}
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

ERROR: Group policy does not permit the storage of recovery information
to Active Directory. The operation was not attempted.

The policies that must be enabled at minimum for OS drives to be backed up to AD are these:

  • Computer Configuration - Policies - Administrative Templates - System - Trusted Platform Module Services - Turn on TPM backup to Active Directory Domain Services - Enabled
  • Computer Configuration - Policies - Administrative Templates - Windows Components - BitLocker Drive Encryption - Store BitLocker recovery information in Active Directory Domain Services - Enabled
  • Computer Configuration - Policies - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives - Choose how BitLocker-protected operating system drives can be recovered - Enabled, and ensure Save BitLocker recovery information to AD DS for operating system drives is checked
  • The same setting (Choose how BitLocker-protected operating system drives can be recovered) for fixed and removable data drives is available under the Fixed Data Drives and Removable Data Drives folders of BitLocker Drive Encryption and should also be enabled if you want those drives backed up to AD.
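As an added example (not part of the original answer), the following PowerShell script checks on the client whether the policies listed above have actually applied before attempting the backup, escrows the OS drive's recovery password protector (the same operation as the manage-bde command shown in the error above), and then confirms that a matching msFVE-RecoveryInformation object now exists under the computer account in AD. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM are assumed to be the ones the BitLocker and TPM ADMX templates write; the BitLocker cmdlets and the ActiveDirectory module (RSAT) are standard, and the script must run elevated on a domain-joined machine.

```powershell
# Added example: pre-flight the GPO, escrow the recovery password, verify in AD.
# Registry value names are ASSUMED to match what the BitLocker/TPM ADMX templates write.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Each entry maps an assumed policy value name to the GPO setting listed in the answer.
$requiredValues = @(
    @{ Path = $tpmPolicy; Name = 'ActiveDirectoryBackup';   Setting = 'Turn on TPM backup to Active Directory Domain Services' }
    @{ Path = $fvePolicy; Name = 'ActiveDirectoryBackup';   Setting = 'Store BitLocker recovery information in Active Directory Domain Services' }
    @{ Path = $fvePolicy; Name = 'OSRecovery';              Setting = 'Choose how BitLocker-protected operating system drives can be recovered' }
    @{ Path = $fvePolicy; Name = 'OSActiveDirectoryBackup'; Setting = 'Save BitLocker recovery information to AD DS for operating system drives' }
)

function Test-BitLockerAdBackupPolicy {
    # Returns $true only if every required value is present and set to 1 (Enabled).
    $missing = foreach ($v in $requiredValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if (-not $item -or $item.($v.Name) -ne 1) { $v.Setting }
    }
    if ($missing) {
        Write-Warning 'Policy not applied; the AD backup will be refused with the Group Policy error:'
        $missing | ForEach-Object { Write-Warning "  missing/disabled: $_" }
        return $false
    }
    return $true
}

function Backup-OsDriveRecoveryPassword {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only RecoveryPassword protectors are escrowed to AD; TPM and startup-key protectors are not.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }
    foreach ($p in $rp) {
        # Equivalent to: manage-bde -protectors -adbackup <drive> -id <KeyProtectorId>
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        $p.KeyProtectorId   # emit the GUID so it can be matched against the AD object name
    }
}

function Get-EscrowedRecoveryInfo {
    # Recovery objects are children of the computer account, class msFVE-RecoveryInformation.
    # Their name ends with the recovery password ID GUID, so it can be matched to the protector.
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated |
        Select-Object Name, whenCreated
}

if (Test-BitLockerAdBackupPolicy) {
    $ids = Backup-OsDriveRecoveryPassword -MountPoint 'C:'
    "Escrowed protector ID(s): $($ids -join ', ')"
    Get-EscrowedRecoveryInfo | Format-Table -AutoSize
}
```

If the policy check fails, run gpupdate /force and re-check before retrying the backup; the verification step deliberately lists only the object names and creation times rather than the recovery passwords themselves, which is enough to confirm escrow succeeded.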

My final Group Policy Object looks like the following (note I also have settings to allow BitLocker without a TPM so I can test on virtual machines).