This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 93%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Looking on some feedback as to how to Setup Bitlocker in a GPO so that I can reset or relay a forgotten pin from AD to a client without touching their workstation.
This one may help.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/bitlocker-recovery-password-viewer-tool
--please don't forget to Accept as answer if the reply is helpful--
Right. I can unlock the users computer by relating the recovery key to them that I retrieve from AD however how do I relay to them what their Pin is once I get them in? They only have user rights so they will not be able to go into the Control panel of their workstation and reset the Pin. How can this be done from AD?
Yes, save BitLocker Recovery Keys in Active Directory is a command way for system admin to manage BitLocker recovery key or other information when user forget them.
The following type of information is stored in AD DS
Hash of the TPM owner password
BitLocker recovery password
BitLocker key package
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-type-of-information-is-stored-in-ad-ds
Please refer to this guide to configure GPO
Store and Retrieve BitLocker Recovery Keys from Active Directory
https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Ok I can unlock the users computer by relating the recovery key to them that I retrieve from AD however how do I relay to them what their Pin is once I get them in? They only have user rights so they will not be able to go into the Control panel of their workstation and reset the Pin. How can this be done from AD?
Enable BitLocker must need Admin permission, if your users only have standard user permission on computer, you need to enable BitLocker one by one for them.
You could try Configure, enable and deploy Bitlocker via Group Policies
https://tomvanveen.eu/configure-enable-and-deploy-bitlocker-via-group-policies/