Storing BitLocker keys in Samba Active Directory

This policy stores the BitLocker recovery keys of domain computers on the Active Directory domain controller, so that a lost or forgotten protector does not make the encrypted drive unrecoverable.

Open Group Policy Management on your management machine, then create a new GPO for the computers on which you want to enable BitLocker.

Here we apply a GPO at the root of the domain to enforce BitLocker on the operating system drive without a compatible TPM (smart card, …).

Enable the policy in your GPO under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Active Directory Domain Services.

Figure: Storing BitLocker recovery information

Then enable this policy in your GPO under Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Choose how BitLocker-protected operating system drives can be recovered.

Figure: Selecting the recovery method

Finally, the last step needed in our case is to allow BitLocker without a compatible TPM. Enable the following policy in your GPO under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup.

Tick Allow BitLocker without a compatible TPM.

Figure: Allowing BitLocker without a TPM

From now on, every computer in the domain that enables BitLocker will have its recovery key stored in AD.
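The backup to AD happens when the recovery password protector is created, so drives that were already encrypted before the GPO applied, or clients that could not reach the Samba DC at that moment, will not have a key in AD. The PowerShell script below is an added example (not part of the original page) that checks this from a domain-joined client: it pushes the existing recovery password protectors of the system drive to AD and then confirms that a matching msFVE-RecoveryInformation object exists under the computer account. It assumes the BitLocker and ActiveDirectory (RSAT) modules are installed and that the running account has been granted read access to those objects, which is not the case for ordinary users by default.

```powershell
# Added example: verify that the BitLocker recovery password of the OS drive
# is stored in AD, backing it up first if needed. Run elevated on the client.
Import-Module BitLocker
Import-Module ActiveDirectory

$osDrive = $env:SystemDrive          # e.g. "C:"
$volume  = Get-BitLockerVolume -MountPoint $osDrive

if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "$osDrive is not protected by BitLocker; nothing to check."
    return
}

# Only RecoveryPassword protectors are escrowed to AD (TPM, password and
# startup-key protectors never leave the machine).
$recoveryProtectors = $volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $recoveryProtectors) {
    Write-Warning "$osDrive has no RecoveryPassword protector; add one before relying on AD for recovery."
    return
}

# Drives encrypted before the GPO applied are not backed up retroactively;
# Backup-BitLockerKeyProtector sends each protector to the DC explicitly.
foreach ($p in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Recovery information lives in msFVE-RecoveryInformation objects that are
# children of the computer account; msFVE-RecoveryGuid is an octet string
# holding the protector GUID.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$stored   = Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
    -Properties 'msFVE-RecoveryGuid', 'whenCreated'

$storedGuids = foreach ($obj in $stored) {
    [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
}

foreach ($p in $recoveryProtectors) {
    $id = [guid]$p.KeyProtectorId   # KeyProtectorId is of the form "{GUID}"
    if ($storedGuids -contains $id) {
        "OK       protector $id is stored under $($computer.DistinguishedName)"
    } else {
        "MISSING  protector $id was not found in AD; check GPO scope, DNS and DC reachability"
    }
}
```

The same check can be made from the Samba DC itself with ldbsearch against sam.ldb, filtering on objectClass=msFVE-RecoveryInformation; whichever side you query, a computer that reports MISSING here would be unrecoverable from AD if its disk were lost, so it is worth running this once after the GPO has been deployed to machines that were already encrypted.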

To view these keys, open Turn Windows features on or off and enable the feature Remote Server Administration Tools -> Feature Administration Tools -> BitLocker Recovery Password Viewer.

The DLL that adds this extension to Active Directory Users and Computers can also be registered by hand:

regsvr32.exe bdeaducext.dll

The BitLocker Recovery tab should now appear in the properties of each BitLocker-enabled computer.

Figure: Properties of the computer