Storing BitLocker keys in Samba Active Directory
This Group Policy configuration stores BitLocker recovery keys in Active Directory on the domain controller, so that a lost key does not turn into unrecoverable data loss.
Open Group Policy Management on your management machine, then create a new GPO for the computers on which you want to enable BitLocker.
Here we apply the GPO to the root of the domain to force BitLocker on the operating system drive without a compatible secure hardware module (TPM, smart card, ...).
Enable the policy in your GPO with:
Then enable this policy in your GPO with:
Finally, the last step needed in our case is to allow BitLocker without a compatible TPM. Enable the following policy in your GPO with:
Tick Allow BitLocker without a compatible TPM.
From now on, each domain computer that enables BitLocker will have its recovery key stored in AD.
To view these keys, open Turn Windows features on or off and enable the feature:
Then run:
regsvr32.exe bdeaducext.dll
The BitLocker Recovery tab should now appear in the properties of each BitLocker-enabled host.
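The following PowerShell script is an added example, not part of the original page: it forces escrow of a client's recovery-password protectors to AD (useful for volumes encrypted before the GPO applied) and then reads the escrowed msFVE-RecoveryInformation objects back from the computer account, which is the same data the BitLocker Recovery tab displays. It assumes an elevated session on a domain-joined Windows host with the BitLocker and ActiveDirectory (RSAT) modules installed; the function name Get-ADBitLockerRecovery is my own.

```powershell
# Added example (not from the original page). Assumes: elevated domain admin on a
# domain-joined Windows host with the BitLocker and ActiveDirectory (RSAT) modules.

# 1. On the client: back up every recovery-password protector to AD.
#    With the GPO from this page applied, Windows does this automatically when
#    BitLocker is enabled; this forces it for volumes encrypted earlier.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
foreach ($vol in $volumes) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no recovery password protector; nothing to escrow."
        continue
    }
    foreach ($p in $rp) {
        # Writes an msFVE-RecoveryInformation child object under this computer's account.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "$($vol.MountPoint): escrowed protector $($p.KeyProtectorId)"
    }
}

# 2. From any domain member with RSAT: list what AD holds for a computer.
#    Hypothetical helper name; it wraps standard ActiveDirectory cmdlets.
function Get-ADBitLockerRecovery {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Computer     = $computer.Name
            Created      = $_.whenCreated
            # msFVE-RecoveryGuid is stored as an octet string; it matches the
            # protector ID shown by Get-BitLockerVolume / manage-bde.
            ProtectorId  = [System.Guid]::new([byte[]]$_.'msFVE-RecoveryGuid').Guid
            RecoveryPass = $_.'msFVE-RecoveryPassword'
        }
    }
}

Get-ADBitLockerRecovery -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

An empty result for a machine that reports protection On means the escrow has not happened and the GPO (or the DC's schema support for msFVE-RecoveryInformation) should be checked before relying on AD for recovery.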