Store BitLocker Recovery Password in AD with Group Policy

Under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption

Look for the following settings:

In the root folder of BitLocker Drive Encryption:

  • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
    • Enabled
    • Require BitLocker backup to AD DS, box checked
    • Select BitLocker recovery information to store: Recovery passwords only

In the subfolder, Operating System Drives:

  • Choose how BitLocker-protected operating system drives can be recovered
    • Enabled
    • All check boxes checked.
      • Be sure to check "Omit recovery options from the BitLocker setup wizard"; otherwise you'll be prompted for how you wish to save the recovery key even though it's being backed up to AD.
    • Allow 48-digit recovery password
    • Allow 256-bit recovery key
    • Store recovery passwords only
  • Enable use of BitLocker authentication requiring preboot keyboard input on slates
    • Enabled
  • Require additional authentication at startup
    • Enabled
    • Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive), box checked
    • Configure TPM startup: Allow TPM
    • Configure TPM startup PIN: Allow startup PIN with TPM
    • Configure TPM startup key: Allow startup key with TPM
    • Configure TPM startup key and PIN: Allow startup key and PIN with TPM
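Once the policy has applied, it is worth confirming that the recovery password really landed in AD DS rather than trusting the checkbox. The following is an added example, not part of the original post: run it elevated on a domain-joined client with the BitLocker and RSAT ActiveDirectory modules available; it lists the OS drive's recovery password protectors, backs each one up to AD, and then reads the msFVE-RecoveryInformation objects back from the computer account to check the GUIDs match.

```powershell
# Added example (not from the original post). Assumes the OS drive is already
# BitLocker-enabled and the machine account can write its own recovery information.

$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rpProtectors = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $rpProtectors) {
    throw "No recovery password protector on $($volume.MountPoint); the 48-digit password option may not have applied."
}

foreach ($p in $rpProtectors) {
    # Same action the policy triggers at enablement; also covers machines that were
    # encrypted before the GPO existed, since earlier protectors are not sent retroactively.
    Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                                 -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Read back from AD. msFVE-RecoveryInformation objects are children of the computer
# object; viewing them needs the delegated right to read BitLocker recovery information.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$adEntries = Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid', 'whenCreated'

foreach ($entry in $adEntries) {
    # msFVE-RecoveryGuid is stored as a 16-byte octet string; KeyProtectorId is "{GUID}".
    $adGuid = [guid]$entry.'msFVE-RecoveryGuid'
    $local  = $rpProtectors | Where-Object { [guid]$_.KeyProtectorId -eq $adGuid }

    [pscustomobject]@{
        RecoveryGuid = $adGuid
        Created      = $entry.whenCreated
        MatchesLocal = [bool]$local   # $false means a stale or rotated protector in AD
    }
}

# A protector present locally but with no matching AD entry is the failure case to alert on.
$missing = $rpProtectors | Where-Object {
    $id = [guid]$_.KeyProtectorId
    -not ($adEntries | Where-Object { [guid]$_.'msFVE-RecoveryGuid' -eq $id })
}
if ($missing) { Write-Warning "Recovery password(s) not found in AD: $($missing.KeyProtectorId -join ', ')" }
```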
This post is licensed under CC BY 4.0 by the author.