RoccoDipaolo-7790 asked:

How to retrieve forgotten Bitlocker Pin from AD

Looking for some feedback on how to set up BitLocker in a GPO so that I can reset or relay a forgotten PIN from AD to a client without touching their workstation.

windows-server

DSPatrick answered:

This one may help.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/bitlocker-recovery-password-viewer-tool

--please don't forget to Accept as answer if the reply is helpful--



Right. I can unlock the user's computer by relaying the recovery key that I retrieve from AD to them; however, how do I relay to them what their PIN is once I get them in? They only have user rights, so they will not be able to go into the Control Panel of their workstation and reset the PIN. How can this be done from AD?

TeemoTang-MSFT answered:

Yes, saving BitLocker recovery keys in Active Directory is a common way for system admins to manage the BitLocker recovery key or other information when users forget them.
The following types of information are stored in AD DS:
Hash of the TPM owner password
BitLocker recovery password
BitLocker key package
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-type-of-information-is-stored-in-ad-ds

Please refer to this guide to configure the GPO:
Store and Retrieve BitLocker Recovery Keys from Active Directory
https://4sysops.com/archives/store-and-retrieve-bitlocker-recovery-keys-from-active-directory/


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
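As an added illustration of what the helpdesk can actually pull back from AD DS once the GPO backup described above is in place (this is example code, not part of the thread or of the linked guides): the recovery objects are stored as msFVE-RecoveryInformation children of the computer account, so a lookup by computer name and the Recovery Key ID the user reads from the recovery screen yields the 48-digit recovery password; the PIN itself is not among the items listed above and cannot be read back. It assumes the RSAT ActiveDirectory module and an account delegated read access to those objects; the computer name and key ID prefix are constructed placeholders.

```powershell
# Added example (not from the thread): find BitLocker recovery passwords that
# Group Policy has backed up to AD DS for one computer, optionally matching the
# Recovery Key ID shown on the client's recovery screen.
# Assumes: RSAT ActiveDirectory module; read rights on msFVE-RecoveryInformation
# objects under the computer account. 'WS-0421' and '3A9F2B71' are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # First characters of the Recovery Key ID the user reads out (optional filter).
        [string] $KeyIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery objects are child objects (one level down) of the computer account.
    $recoveryObjects = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    if (-not $recoveryObjects) {
        # Nothing escrowed: the GPO backup never ran for this machine, so the
        # recovery screen's key ID will not be found in AD at all.
        Write-Warning "No BitLocker recovery information backed up in AD for $ComputerName."
        return
    }

    foreach ($obj in $recoveryObjects) {
        # msFVE-RecoveryGuid is an octet string; it is the Recovery Key ID on the client.
        $keyId = ([guid] $obj.'msFVE-RecoveryGuid').Guid.ToUpper()
        if ($KeyIdPrefix -and -not $keyId.StartsWith($KeyIdPrefix.ToUpper())) { continue }

        [pscustomobject]@{
            Computer         = $computer.Name
            RecoveryKeyId    = $keyId
            RecoveryPassword = $obj.'msFVE-RecoveryPassword'
            BackedUp         = $obj.whenCreated
        }
    }
}

# Usage: read the password back to the user over the phone; it does not reveal the PIN.
Get-BitLockerRecoveryFromAD -ComputerName 'WS-0421' -KeyIdPrefix '3A9F2B71' | Format-List
```

Multiple objects for one computer are normal (the key is re-escrowed each time BitLocker is re-enabled or the recovery password is rotated), which is why the lookup filters on the key ID rather than taking the first result.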



Ok, I can unlock the user's computer by relaying the recovery key that I retrieve from AD to them; however, how do I relay to them what their PIN is once I get them in? They only have user rights, so they will not be able to go into the Control Panel of their workstation and reset the PIN. How can this be done from AD?


Enabling BitLocker requires admin permission; if your users only have standard user permission on the computer, you need to enable BitLocker one by one for them.


You could try "Configure, enable and deploy Bitlocker via Group Policies":
https://tomvanveen.eu/configure-enable-and-deploy-bitlocker-via-group-policies/
