.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Storing Bitlocker keys in Samba Active Directory
   :keywords: Security, Samba-AD, documentation, Bitlocker

.. _samba_bitlocker_ad:

################################################
Storing Bitlocker keys in Samba Active Directory
################################################

This policy configures the storage of *BitLocker* recovery keys on the Active Directory domain controller, so that a drive that can no longer be unlocked normally does not become unrecoverable data loss.

Open :guilabel:`Group Policy Management` on your management machine, then create a new GPO for the computers on which you want to enable *BitLocker*. In this example the GPO is applied at the root of the domain and forces *BitLocker* on the operating system drive even without a compatible secure hardware module (TPM, smart card, …).

Enable the policy in your GPO with :menuselection:`Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Active Directory Domain Services`.

.. figure:: ../images/bitlocker.png
   :align: center
   :scale: 50%
   :alt: Recording Bitlocker information

   Recording Bitlocker information

Then enable this policy in your GPO with :menuselection:`Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Choose how BitLocker-protected operating system drives can be recovered`.

.. figure:: ../images/select_method.png
   :align: center
   :scale: 50%
   :alt: Selecting the recovery method

   Selecting the recovery method

Finally, the last step required in our case is to allow *BitLocker* without a compatible TPM. Enable the following policy in your GPO: :menuselection:`Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup`, then tick :guilabel:`Allow BitLocker without a compatible TPM`.

.. figure:: ../images/noTPM.png
   :align: center
   :scale: 100%
   :alt: Allowing Bitlocker without a TPM module

   Allowing Bitlocker without a TPM module

From now on, every domain computer that enables *BitLocker* will have its recovery key stored in AD. To view these keys, open :guilabel:`Turn Windows features on or off` and enable :menuselection:`Remote Server Administration Tools -> Feature Administration Tools -> BitLocker Recovery Password Viewer`, then register the Active Directory Users and Computers extension:

.. code-block:: bat

   regsvr32.exe bdeaducext.dll

The :guilabel:`BitLocker Recovery` tab should now appear in the properties of each *BitLocker*-enabled computer.

.. figure:: ../images/proprietes.png
   :align: center
   :scale: 100%
   :alt: Properties of the computer

   Properties of the computer
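The GPO only tells clients to escrow their keys; on the Samba side it is worth checking that every computer object really has recovery information beneath it. The following audit script is an added example, not part of this page or of Samba: it parses the LDIF that ``ldbsearch`` prints for computer and ``msFVE-RecoveryInformation`` objects and counts the recovery objects stored under each computer, without reading the recovery passwords themselves. The ``ldbsearch`` command, the ``sam.ldb`` path and the sample LDIF are assumptions (the LDIF is constructed).

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not real directory data): WS01 has one msFVE-RecoveryInformation
# object beneath it, WS02 has none. On a Samba DC, comparable output would come from
# (assumed path):  ldbsearch -H /var/lib/samba/private/sam.ldb \
#   '(|(objectClass=computer)(objectClass=msFVE-RecoveryInformation))' objectClass msFVE-RecoveryGuid
# The msFVE-RecoveryPassword attribute is deliberately not requested: an audit only needs presence.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=lan
objectClass: computer

dn: CN=2024-01-15T10:30:00-00:00{0F0E0D0C-0B0A-0908-0706-050403020100},CN=WS0
 1,CN=Computers,DC=example,DC=lan
objectClass: msFVE-RecoveryInformation
msFVE-RecoveryGuid:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=WS02,CN=Computers,DC=example,DC=lan
objectClass: computer
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF record; '::' marks a base64 value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # unfold wrapped (continued) lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, attrs = [], defaultdict(list)
    for line in lines + [""]:                    # a blank line ends a record
        if not line:
            if attrs:
                records.append(dict(attrs))
                attrs = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):            # base64-encoded (binary) attribute
                attrs[name].append(base64.b64decode(value[1:].strip()))
            else:
                attrs[name].append(value.strip())
    return records

def audit_recovery_info(ldif_text):
    """Map each computer DN to its number of msFVE-RecoveryInformation children (0 = no key in AD)."""
    records = parse_ldif(ldif_text)
    counts = {r["dn"][0]: 0 for r in records if "computer" in r.get("objectClass", [])}
    for r in records:
        if "msFVE-RecoveryInformation" in r.get("objectClass", []):
            parent = r["dn"][0].partition(",")[2]   # parent DN; these RDNs contain no escaped commas
            if parent in counts:
                counts[parent] += 1
    return counts
```

Computers reported with a count of 0 have enabled nothing or have not yet escrowed a key, and are the ones to follow up on before a drive needs recovery.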