The recovery key refuses to register in Active Directory

Epice_08

Good morning,

My IT provider recently ran a GPO on the DC server to enable BitLocker.

However, on one of my computers, I had to remove the protection to try to update the TPM from 1.2 to 2.0. So, after concluding that it was not possible, I left the TPM at 1.2 and activated BitLocker.

However, the recovery key refuses to register in Active Directory. Thus, the old recovery key remains and I cannot register the new one in Active Directory.

How can one manually trigger the transmission of the recovery key to the DC?



Accepted answer

Limitless Technology

Hello there,

By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The manage-bde.exe command-line tool can also be used to manually back up recovery information to AD DS.

BitLocker and Active Directory Domain Services (AD DS)

Hope this resolves your query!

--If the reply is helpful, please Upvote and Accept it as an answer--
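The procedure the answer describes, carried out end to end as an added PowerShell example (this is not code from the question, the answer, or Microsoft's documentation). It assumes an elevated PowerShell session on the domain-joined client with the BitLocker module and the RSAT ActiveDirectory module installed, that the OS volume is C:, and that the GPO permitting backup of recovery information to AD DS is in effect. The `manage-bde -protectors -adbackup` command in the comment is the command-line equivalent of `Backup-BitLockerKeyProtector`; the event IDs 845 (success) and 846 (failure) are the ones the BitLocker-API management log records for an AD DS backup attempt.

```powershell
#Requires -RunAsAdministrator
# Added example: back up the current BitLocker recovery password to AD DS by hand,
# then confirm from the directory that the newest msFVE-RecoveryInformation object
# belongs to the protector currently on the volume.
param(
    [string]$MountPoint = 'C:'   # assumption: the OS volume is C:
)

Import-Module BitLocker
Import-Module ActiveDirectory

# 1. Find the recovery password (numerical password) protector(s) on the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
}

# 2. Push each one to AD DS. Re-enabling BitLocker creates a new protector ID,
#    so the entry already in AD (from before the TPM experiment) will not match.
foreach ($p in $rp) {
    Write-Host "Backing up protector $($p.KeyProtectorId) for $MountPoint to AD DS"
    # manage-bde equivalent:
    #   manage-bde -protectors -adbackup $MountPoint -id $($p.KeyProtectorId)
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 3. Read the client-side result: 845 = backed up to AD DS, 846 = backup failed
#    (846's message carries the reason, e.g. no DC reachable or access denied on
#    the computer object).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Verify in AD DS. Old entries are never deleted, so sort by whenCreated and
#    take the newest; its object name ends with the protector ID that created it.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$entries  = @(Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryPassword, whenCreated |
    Sort-Object whenCreated -Descending)

if ($entries.Count -eq 0) {
    throw "No recovery information under $($computer.DistinguishedName); check the 846 event and the GPO."
}

$entries | Select-Object whenCreated, Name, msFVE-RecoveryPassword | Format-Table -AutoSize

$newest = $entries[0]
$matches = $rp | Where-Object { $newest.Name -like "*$($_.KeyProtectorId)*" }
if ($matches) {
    Write-Host "OK: newest AD entry ($($newest.whenCreated)) matches the protector on $MountPoint."
} else {
    Write-Warning "Newest AD entry does not match any protector on $MountPoint; the backup did not land."
}
```

Run it on the affected client rather than on the DC: the backup is performed by the client under its own computer account, which by default may only write recovery objects beneath its own computer object, so the AD query in step 4 needs an account that can read `msFVE-RecoveryPassword` (the BitLocker Recovery Password Viewer right, or a domain admin).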
