The rain hadn’t stopped for three days. It tapped against the data center windows like a nervous finger, matching the rhythm of Leo’s headache. He’d been on the phone with the VP of Sales for two hours—a man whose laptop had decided, at 11 PM on a Friday, that its TPM was a stranger.
Navigated to and checked the box for BitLocker Drive Encryption.
He closed his laptop, walked to his car, and drove home. The BitLocker recovery password viewer in Active Directory wasn't just enabled now. It was ready. And next time a VP called on a Friday night, the answer would take thirty seconds, not three hours.
This guide provides a comprehensive walkthrough for installing the viewer and configuring the necessary policies to ensure your organization's recovery keys are safely backed up to AD.

Phase 1: Install the BitLocker Recovery Password Viewer
Alex applied the GPO to an Organizational Unit (OU) and ran gpupdate /force on a test machine. To ensure a machine that was already encrypted sent its key to AD, Alex used a quick PowerShell command:

Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[1].KeyProtectorId

One caveat: the [1] index assumes the recovery password is the second protector on the volume, which holds for the usual TPM plus recovery password layout but is not guaranteed. On a volume with a different protector order this backs up the wrong protector or fails outright, so select the protector whose type is RecoveryPassword rather than relying on its position.

4. The Happy Ending: Finding the Key

Now, when a user calls for help, Alex simply:

Opens .
Right-clicks the computer object and selects Properties.
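The whole procedure described in Phase 1 through the key lookup above, as an added PowerShell example (this is not code from the original post). It assumes the RSAT feature name RSAT-Feature-Tools-BitLocker-BdeAducExt for the viewer, the FVE policy registry value names used in the policy check, and a sample computer name CONTOSO-L01 in the usage comment; it also assumes the account running it has been delegated read access to the msFVE-RecoveryPassword attribute, as discussed in the delegation note below. It runs on a domain-joined management host with the ActiveDirectory module installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Assumptions are labelled inline.

# --- Phase 1: install the viewer on a management server (run elevated) ---
# Feature name is an assumption; confirm with: Get-WindowsFeature *BitLocker*
function Install-RecoveryPasswordViewer {
    Install-WindowsFeature -Name 'RSAT-Feature-Tools-BitLocker-BdeAducExt' -IncludeManagementTools
}

# --- Phase 2: confirm the GPO actually landed on a client ---
# The BitLocker AD backup policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE.
# The value names below are an assumption; compare against a gpresult /h report if they differ.
function Test-BitLockerAdBackupPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { return $false }
    $p = Get-ItemProperty -Path $fve
    # OSActiveDirectoryBackup        = store OS-drive recovery info in AD DS
    # OSRequireActiveDirectoryBackup = "do not enable BitLocker until recovery info is stored"
    return ($p.OSActiveDirectoryBackup -eq 1 -and $p.OSRequireActiveDirectoryBackup -eq 1)
}

# --- Phase 3: push an already-encrypted machine's recovery password to AD ---
# Selects the protector by type instead of by position (.KeyProtector[1]),
# and handles a volume that has no recovery password protector at all.
function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No RecoveryPassword protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }
    foreach ($protector in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        Write-Host "Backed up recovery password $($protector.KeyProtectorId) for $MountPoint"
    }
}

# --- Phase 4: find the key without clicking through the computer object ---
# Recovery info lives in msFVE-RecoveryInformation child objects under the computer.
# The object name ends in {GUID}, where the GUID is the recovery password ID shown
# on the recovery screen; the viewer matches on its first 8 characters, so we do too.
function Get-AdBitLockerRecovery {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$PasswordIdPrefix   # the 8 characters the user reads out (optional)
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $keys = Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'
    if ($PasswordIdPrefix) {
        $keys = $keys | Where-Object { $_.Name -like "*{$PasswordIdPrefix*" }
    }
    $keys | Sort-Object whenCreated -Descending | ForEach-Object {
        $id = if ($_.Name -match '\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Computer   = $computer.Name
            PasswordId = $id
            Created    = $_.whenCreated
            Password   = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Usage, with CONTOSO-L01 and the 8-character ID as sample values (assumed, not real):
# Install-RecoveryPasswordViewer                      # once, on the management server
# Test-BitLockerAdBackupPolicy                        # on a client after gpupdate /force
# Backup-RecoveryPasswordToAd -MountPoint 'C:'        # on a client encrypted before the GPO
# Get-AdBitLockerRecovery -ComputerName 'CONTOSO-L01' -PasswordIdPrefix 'A1B2C3D4'
```

Two practical notes. Test-BitLockerAdBackupPolicy is the check worth running before trusting the GPO: a policy that is linked but not applied leaves every new encryption with no key in AD, and you only find out on the next Friday night. And Get-AdBitLockerRecovery returns nothing if the caller lacks read access to msFVE-RecoveryPassword, which is exactly the permission the delegation step grants; an empty result from a fresh account usually means delegation, not a missing key.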
Double-clicked. Enabled. Then checked the box that made his heart rate climb:
“I can’t get in,” the VP had whined. “Something about recovery. Just fix it.”
Note: If you want to delegate this for the whole domain, run the delegation on the root of the domain, or on the default "Computers" container (or whichever OU actually holds your computer accounts) if you want to scope it more narrowly.