BitLocker is a great out of the box encryption tool for disk volumes. If you know about this technology, you realize that the most challenging part in deployment BitcLocker is the disk recovery key and how to backup it up. It is always a challenging thing when talking about encryption, to make sure you the the decryption key. Decryption keys never expire and should always be archived somewhere. How to backup BitLocker Keys is a fundamental piece of knowledge that you should look at and consider if you are deploying BitLocker.

Well, Microsoft did a great job documenting different ways for doing that. One of those methods is to backup keys to Active Directory. Simple, easy, even you can control this behavior via Group Policies.


Let me describe the problem with BitLocker AD Key Backup and Recovery. Imagine that you have enabled BitLocker key recovery in Active Directory. This will simply create an entry per volume on a specific multi value attribute in the computer object in Active Directory. So if you have a computer with two disks, and both are encrypted with BitLocker, then the computer object of that computer will have two entries representing the volume encryption key for each disk

backup BitLocker 2

Things can turn nasty if you deleted that computer object from Active Directory. Think about this scenario also. A computer has C drive with O.S and D drive for data, both are encrypted with BitLocker. You decided to format the C drive and join it again to the domain, so you formatted the C drive, deleted the computer object AD, and you joined it to the domain again. Now think about the recovery key for the D drive in this scenario.  It is lost the moment you deleted the computer object.

Bad things happen and believe me that you will always find your self in a situation where computer objects get deleted, even as part of organized cleanup process. You will end up, getting back to AD restore or AD recycle bin, and believe me, they are not that easy to deal with.

How to backup BitLocker Keys

What actually makes me sleep at night, is an insurance that what ever happen in Active Directory, I can always recover disks encrypted with BitLocker. So I created a simple script, that will go to each computer account in Active Directory, read BitLocker volume recovery keys, and store that data in a csv file. I even made a schedule task that will run the script every week, and through a csv file for those recovery keys. If something went wrong, and I want to recover data on an encrypted disk, I can always get back to the latest csv file.

The script need to be run using an account that has read access to computer objects and BitLocker recovery information. You can read this article that shows how to delegate access to an account, so that it can read BitLocker recovery information.

Note : The machine from which the script will run, should have Quest Active Directory PowerShell extensions.

Script Output

The “How to backup BitLocker Keys” script will output a csv file with Object Name, Computer Name, and other attributes. The most important one is the (Recovery Password) field. This is the one that you can use to unlock a BitLocker volume.

backup BitLocker 4

Download the script 

The “How to backup BitLocker Keys” script can be download the script from Microsoft TechNet Gallery.


 Collect information from the whole directory and save the output CSV file to C:\Scripts

 Collect information from the whole directory and save the output CSV file current directory

 Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts