This article describes how to recover BitLocker keys from AD DS.

Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.

This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. This article doesn't detail how to configure AD DS to store the BitLocker recovery information.

What is BitLocker recovery?

BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:

- The user can supply the recovery password. If the organization allows users to print or store recovery passwords, the user can enter the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
- Data recovery agents can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended so that IT professionals can obtain recovery passwords for drives in the organization when needed. Using this method requires enabling it in the BitLocker group policy setting Choose how BitLocker-protected operating system drives can be recovered, located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Local Group Policy Editor. For more information, see BitLocker Group Policy settings.

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
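The following PowerShell is an added example and is not part of the original article or of Microsoft's own tooling. It walks the domain-administrator path described above: checking on the client that the policy requiring AD DS backup is in effect, backing up any recovery-password protector that was created before the policy applied, then, on an admin workstation, reading the msFVE-RecoveryInformation objects stored under the computer object and using the password to unlock the operating system drive after it has been attached to another computer as a data drive. It assumes the RSAT ActiveDirectory module and the BitLocker module are available, that the caller has read permission on the msFVE-RecoveryPassword attribute (by default only Domain Admins do), and that the computer name WS-0421, the password ID prefix 3A1F0C7E and the mount point E: are hypothetical values to be replaced.

```powershell
#Requires -Modules ActiveDirectory, BitLocker
# Added example, not from the original article. Computer name, password ID and
# mount point used below are hypothetical.

# 1. On the client: confirm the policy "Choose how BitLocker-protected operating
#    system drives can be recovered" is set to back up (and require backup) to AD DS.
#    OSActiveDirectoryBackup / OSRequireActiveDirectoryBackup are the registry values
#    that policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.
function Test-OsDriveAdBackupPolicy {
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupToAdDs  = ($fve.OSActiveDirectoryBackup -eq 1)
        RequireBackup = ($fve.OSRequireActiveDirectoryBackup -eq 1)
    }
}

# 2. On the client: push every recovery-password protector on the OS drive to AD DS.
#    Policy only backs up protectors created after it applied; older ones need this.
function Backup-OsDriveRecoveryPasswords {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# 3. As a domain administrator: read the recovery password(s) stored for a computer.
#    msFVE-RecoveryInformation objects are children of the computer object.
#    msFVE-RecoveryGuid is stored as an octet string; the first 8 hex digits of the
#    GUID are the "Password ID" BitLocker shows on the recovery screen, so that prefix
#    selects the right password when a machine has several.
function Get-AdBitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $PasswordIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $entries  = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated
    foreach ($e in $entries) {
        $guid = [guid]::new([byte[]]$e.'msFVE-RecoveryGuid')
        if ($PasswordIdPrefix -and
            -not $guid.ToString().StartsWith($PasswordIdPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            continue
        }
        [pscustomobject]@{
            Computer         = $ComputerName
            PasswordId       = $guid
            Created          = $e.whenCreated
            RecoveryPassword = $e.'msFVE-RecoveryPassword'
        }
    }
}

# 4. Unlock the OS drive once it is attached to another computer as a data drive.
function Unlock-AttachedOsDrive {
    param(
        [Parameter(Mandatory)] [string] $RecoveryPassword,
        [string] $MountPoint = 'E:'   # hypothetical mount point of the attached drive
    )
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus   # 'Unlocked' on success
}

# Usage: steps 1-2 run on the client, steps 3-4 on an admin workstation.
# Test-OsDriveAdBackupPolicy
# Backup-OsDriveRecoveryPasswords
# $rp = Get-AdBitLockerRecoveryPassword -ComputerName 'WS-0421' -PasswordIdPrefix '3A1F0C7E'
# Unlock-AttachedOsDrive -RecoveryPassword $rp.RecoveryPassword -MountPoint 'E:'
```

Two points worth checking in practice: a recovery password that was never backed up (because the drive was encrypted before the policy applied and step 2 was never run) will simply be absent from AD DS, so an empty result from step 3 does not mean the computer object is wrong; and reading msFVE-RecoveryPassword is an auditable, high-value operation, so the delegation of that attribute, not just membership in Domain Admins, should be reviewed as part of the recovery model.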