How to store MS BitLocker recovery keys in Active Directory [KES for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

If you want to store FDE encryption keys in Active Directory, this is possible if BitLocker encryption is used. 

In order to transfer and store the recovery passwords (keys) in Active Directory, it is necessary to:

1. Enable the “Choose how BitLocker-protected operating system drives can be recovered” group policy https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-rec1 for target computers and configure saving BitLocker recovery information to Active Directory Domain Services there. Here is the target policy in the gpedit.msc snap-in on the computer where encryption is planned to be enabled:

2. Install ‘BitLocker Recovery Password Viewer’ feature on the computer with the AD DS Domain Service running:

This functionality does not apply to Kaspersky products by design, but in theory it can be used in parallel with MS BitLocker Drive Encryption technology deployed by means of KES BitLocker management (i.e. through Kaspersky product).

In this case, after encryption starts the recovery data will be transferred and stored both in AD and on the KSC server.

We highly do not recommend applying any settings via the BitLocker (GPO) policies (the recommended configuration is "Not configured" for all policies located in the [Computer configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption] node and below), because they can prevent from deploying bitlocker related settings through Kaspersky product policy. It will lead to an error in applying BitLocker Drive Encryption ‘Encrypt all hard drives’ policy and the inability to encrypt the disk as a result.