[Win7: FAQ] How to backup recovery information in AD after Bitlocker is turned ON in Windows 7:

A common question we are asked is how do I save the recovery information for a Windows 7 machine after Bitlocker is already turned ON.


We know as best practice, AD DS should be configured before enabling BitLocker in Windows 7. If BitLocker is already enabled, recovery information for those computers will not be automatically added to AD DS when group policy is applied later.


This situation can arise when any of the following conditions are true, but is also not limited to this list:


a)    The machine is Bitlocker’ed prior to joining the Domain.

b)    The machine is not physically connected to the Network when enabling Bitlocker.

c)    When the GPO for Saving Recovery Information for Bitlocker is not setup correctly.


So when we open Active Directory Users and Computers portion of server manager you do not see msFVE-RecoveryInformation for the machine which was encrypted.


In this situation we can use manage-bde command from the client machine to save the recovery information in AD, instead of decrypting and encrypting the Operating system drive again for storing recovery information in AD.


First verify that the client machine is in the correct OU in AD where the Bitlocker group policies are applied and then follow the below steps:


Open elevated command prompt on the client computer and run the below command.


Note: You require local admin rights to run manage-bde commands.


c:> manage-bde -protectors -get c:



Bitlocker Drive Encryption: Configuration Tool version 6.1.7600

Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Old Win7]

All Key Protectors

    External Key:

      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}

      External Key File Name:



    Numerical Password:

      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}




    TPM And PIN:

      ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}


If you see results above you should see ID and Password for Numerical Password.


Now run the below command, replace id for ID of Numerical Password.


c:> manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}


Bitlocker Drive Encryption: Configuration Tool version 6.1.7600

Copyright (C) Microsoft Corporation. All rights reserved.

Recovery information was successfully backed up to Active Directory.


Now if you go to AD, and check the client computer you should see msFVE-RecoveryInformation for this client computer.


If you have any question, feel free to post in our community and we will be glad to help.

Best regards,

Tony Ma
Partner Online Technical Community
We hope you get value from our new forums platform! Tell us what you think:
This posting is provided “AS IS” with no warranties, and confers no rights.

Comments are closed.

Post Navigation