manage-bde -protectors -get C: manage-bde -protectors -adbackup C: -id GUID Or backup all protectors:
1. Executive Summary BitLocker Drive Encryption (Windows) can automatically escrow its recovery passwords and key packages to Active Directory (AD) . This provides a centralized, auditable, and secure backup mechanism, preventing data loss if a user forgets their PIN/password or if TPM hardware changes. This report covers how it works, requirements, verification steps, and security considerations. 2. How BitLocker Key Escrow to AD Works When BitLocker is enabled on a domain-joined computer, the BitLocker Drive Encryption Administration Utility ( manage-bde ) or Group Policy can force the computer to back up recovery information to AD. bitlocker key active directory