Accessing BitLocker Recovery Keys in Active Directory

For years, admins have had the ability to store user certificates in Active Directory to help with things like EFS file encryption. One of the more recent technologies from Microsoft is BitLocker Drive Encryption.

To be able to archive the keys to Active Directory instead of storing the keys manually to USB, you need to extend the schema which forms part of the deployment of BitLocker, but when trying to manage BitLocker on-going, you need to be able to access the keys which have been saved.

These keys can be found stored in the Computer objects in Active Directory Users and Computers on a Windows 7 computer with the RSAT (Remote Server Administration Tools) once the BitLocker Password Recovery Viewer feature is enabled.

The problem you will sooner discover is that this in itself isn’t enough to give you access to the new tab in ADUC to see the keys, because the DLL file isn’t registered to allow it to work. To obtain the functionality that you want, you need to enter the command regsvr32 bdeaducext.dll to register the DLL.

Restart ADUC, and you will now have a new tab available on your computer objects for BitLocker Recovery.

richardjgreen

Richard works as a Cloud Consultant for Fordway Solution where his primary focus is to help customers understand, adopt and develop with Microsoft Azure, Office 365 and System Center. Richard Green is an IT Pro with over 15 years' of experience in all things Microsoft including System Center and Office 365. He has previously worked as a System Center consultant and as an internal solutions architect across many verticals. Outside of work, he loves motorbikes and is part of the orange army, marshaling for NGRRC, British Superbikes and MotoGP. He is also an Assistant Cub Scout Leader.