How to Manually Store the BitLocker keys to Active Directory (AD).
If, after applying a group policy to automatically store BitLocker keys in Active Directory, you find that for some computers the BitLocker recovery key and password are not stored in AD, continue reading below to learn how to back up BitLocker keys manually to AD.
As you may know, managing BitLocker recovery keys in a business environment can be a challenge, but fortunately, as explained in a previous guide, you can force Windows to store BitLocker recovery keys to Active Directory (AD) automatically.
However, you may find that while you have correctly followed the steps to automatically store the key in AD, some computers have not had their recovery keys and passwords stored in Active Directory.
This issue typically occurs when you have enabled BitLocker before setting the Group Policy to back up BitLocker recovery data to AD, before joining the computer to the domain, or if the machine cannot communicate with the domain.
So, in this tutorial we show how you can manually back up the BitLocker recovery keys to Active Directory on the affected computers, without having to decrypt and encrypt them from scratch.
How to Manually Back up BitLocker Keys & Passwords to AD (Active Directory).*
* Attention: Before continuing below, please ensure that you have correctly followed the steps in this guide to configure AD to automatically back up your BitLocker keys/passwords to AD.
1. On the domain machine whose BitLocker recovery data you want to manually back up to AD, log in with a user with Local Admin rights.
2. Open Command Prompt as Administrator and issue the following command to view the BitLocker Recovery ID and Password.*
- manage-bde -protectors -Get C:
* Info: The above command shows the recovery data (ID & Password) on the main drive "C:"
3. From the results, highlight the Numerical Password ID* (displayed with the {} brackets), copy it, and press CTRL+V to paste it into Notepad.
* e.g. in this example: {71A465B0-E2BB-4091-B889-2A72DE3121C3}
4. Then, issue the command below to force Windows to back up the BitLocker recovery key (ID) and password to AD:
- manage-bde -protectors -adbackup c: -id {Numerical Password ID}
* e.g. in this example:
- manage-bde -protectors -adbackup c: -id {71A465B0-E2BB-4091-B889-2A72DE3121C3}
5. After the recovery information is successfully backed up to Active Directory, navigate to the computer's properties in AD; in the BitLocker Recovery tab you should see its Recovery ID and Recovery Password.
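The same steps as a script, for machines with more than one encrypted volume or recovery password. This is an added example, not part of the original guide: it uses the BitLocker PowerShell module cmdlets Get-BitLockerVolume and Backup-BitLockerKeyProtector in place of manage-bde, and assumes an elevated PowerShell session on a domain-joined machine that can reach a domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): back up every numerical
# recovery password protector on this machine to Active Directory.

# AD backup only works on a domain-joined machine.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This computer is not joined to a domain; nothing can be written to AD.'
}

$results = foreach ($volume in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors carry the ID/password pair shown in
    # the BitLocker Recovery tab; TPM, PIN and other protectors are skipped.
    $protectors = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($protectors.Count -eq 0) {
        [pscustomobject]@{
            MountPoint  = $volume.MountPoint
            ProtectorId = $null
            Status      = 'No recovery password protector on this volume'
        }
        continue
    }

    foreach ($protector in $protectors) {
        $status = 'Backed up to AD'
        try {
            # KeyProtectorId already includes the {} brackets.
            Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                -KeyProtectorId $protector.KeyProtectorId `
                -ErrorAction Stop | Out-Null
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        # Report the ID only; the recovery password itself is never printed.
        [pscustomobject]@{
            MountPoint  = $volume.MountPoint
            ProtectorId = $protector.KeyProtectorId
            Status      = $status
        }
    }
}

$results | Format-Table -AutoSize
```

If you run manage-bde from a PowerShell prompt instead of Command Prompt, quote the ID ('{...}'), because PowerShell parses an unquoted {...} argument as a script block.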
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
Why aren't my BitLocker recovery keys being stored in Active Directory automatically?
This issue typically occurs if BitLocker was enabled before setting the Group Policy to back up data to AD, before joining the computer to the domain, or if the machine cannot communicate with the domain.
How can I manually back up BitLocker keys to Active Directory?
To manually back up BitLocker keys, log in with a user with Local Admin rights, open Command Prompt as Administrator, and use the command 'manage-bde -protectors -Get C:' to view the recovery data. Then, run 'manage-bde -protectors -adbackup c: -id {Numerical Password ID}' to back up the data to AD.
What should I do before attempting to manually back up BitLocker keys to AD?
Ensure you have correctly configured AD to automatically back up your BitLocker keys/passwords by following the steps outlined in the guide.
Where can I find the BitLocker Recovery ID and Password once they've been backed up successfully?
After successfully backing up, you can find the BitLocker Recovery ID and Password in the BitLocker Recovery tab of the computer's properties within Active Directory.


December 15, 2025 @ 8:00 pm
Thank you very much for these instructions.
But without the apostrophe in the ID, I get an error message.
https://learn.microsoft.com/de-de/windows-server/administration/windows-commands/manage-bde-protectors
manage-bde -protectors -adbackup C: -id '{00000000-0000-0000-0000-000000000000}'
That's how it worked out
Best regards