The recovery key refuses to register on the Active Directory

Question

The recovery key refuses to register on the Active Directory

Epice_08 20

Good morning,

My IT provider recently ran a GPO on the DC server to enable Bitlocker.

However, on one of my computers, I had to remove the protection to try to update the TPM 1.2 to 2.0. So, after concluding that it was not possible, I left the TPM in 1.2 and activated Bitlocker.

However, the recovery key refuses to register on the Active Directory. Thus, the old recovery key remains and I cannot register the new one on the Active Directory.

How can one manually trigger the transmission of the recovery key on the DC?

Cordially

Nobuko IT 236 Reputation points

2023-03-05T10:12:34.2266667+00:00

hi! @Epice_08
you may have seen this page

Find your BitLocker recovery key in Windows

https://support.microsoft.com/ja-jp/windows/windows-%E3%81%A7-bitlocker-%E5%9B%9E%E5%BE%A9%E3%82%AD%E3%83%BC%E3%82%92%E8%A6%8B%E3%81%A4%E3%81%91%E3%82%8B-6b71ad27-0b89-ea08-f143-056f5ab347d6
Epice_08 20 Reputation points

2023-03-05T10:56:07.34+00:00

I must have misspoken.

On re-enabling bitlocker encryption, the recovery key did not change on the DC. So the drive key is not good and I can't use the recovery key stored on the active directory when needed.

Is there a solution for the computer to transmit the new recovery key to the active direcotry?

Finally, I specify that I am not on an azure active directory

Nobuko IT 236 Reputation points

2023-03-05T10:12:34.2266667+00:00

hi! @Epice_08
you may have seen this page

Find your BitLocker recovery key in Windows

https://support.microsoft.com/ja-jp/windows/windows-%E3%81%A7-bitlocker-%E5%9B%9E%E5%BE%A9%E3%82%AD%E3%83%BC%E3%82%92%E8%A6%8B%E3%81%A4%E3%81%91%E3%82%8B-6b71ad27-0b89-ea08-f143-056f5ab347d6
Epice_08 20 Reputation points

2023-03-05T10:56:07.34+00:00

I must have misspoken.

On re-enabling bitlocker encryption, the recovery key did not change on the DC. So the drive key is not good and I can't use the recovery key stored on the active directory when needed.

Is there a solution for the computer to transmit the new recovery key to the active direcotry?

Finally, I specify that I am not on an azure active directory

Answer 1

Hello there,

By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The manage-bde.exe command-line tool can also be used to manually back up recovery information to AD DS.

BitLocker and Active Directory Domain Services (AD DS) https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

The recovery key refuses to register on the Active Directory

0 additional answers

Activity