Bitlocker self-service


  •  Has anyone seen / heard of a tool where someone could go to their own company website (secure intranet portal) and retrieve their 48 numbers for BitLocker if required? I know there would have to be an AD-enabled "impersonation" of an AD Admin to make it work, but it is doable, similar to any self-service password recovery / reset tool for AD. This is a little trickier for sure, but since we store all BitLocker-enabled laptops' keys in the AD, they are listed, so in theory doable, yes?

     I ask as we have, on rare occasion for some reason or another, had someone who ends up needing this number due to some kind of odd update or hard shutdown, un-dock scenario. We either give them all a card with this number or design a site where they can use a phone or a friend's PC to log in and get the number.

    Until later .... Brett

    • Edited by Poomba1, February 17, 2012, 7:17 PM
    February 17, 2012, 7:15 PM





    There is a feature contained in the Remote Server Administration Tools (RSAT) that may almost meet your goal.

    Please refer to: BitLocker Recovery Password Viewer for Active Directory and How to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool to view recovery passwords for Windows Vista

    But please understand that to use this tool to retrieve BitLocker Drive Encryption passwords, you must use an account that has sufficient rights. You must be a domain administrator, or you must be granted sufficient rights by a domain administrator.



    TechNet Community Support
    February 20, 2012, 5:56 AM
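The recovery password the RSAT viewer shows is stored in AD as an msFVE-RecoveryInformation child object of the computer account, which is also what the portal the original poster describes would have to read. The script below is an added example, not code from this thread, from Microsoft, or from any product; it shows a self-service lookup in PowerShell with the ActiveDirectory module. The authorisation rule (the computer's managedBy attribute must point at the requesting user), the log path and the sample values in the usage line are assumptions for this example; the attribute names and the 8-character key ID prefix match what the BitLocker recovery screen and the RSAT viewer use.

```powershell
# Added example: self-service lookup of a BitLocker recovery password from AD.
# Not code from the thread or from Microsoft; items marked "assumed" are choices for this example.
Import-Module ActiveDirectory   # RSAT Active Directory PowerShell module

function Get-OwnedBitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # First 8 hex characters of the "Recovery key ID" shown on the BitLocker recovery screen
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$RecoveryKeyIdPrefix,
        # sAMAccountName of the user the web tier has already authenticated (assumed to be passed in)
        [Parameter(Mandatory)][string]$RequestingUser
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties managedBy
    $user     = Get-ADUser -Identity $RequestingUser

    # Authorisation (assumed policy): the computer object's managedBy must be the requester.
    # Without a check like this, any authenticated domain user could pull any laptop's key.
    if ($computer.managedBy -ne $user.DistinguishedName) {
        throw "$RequestingUser is not the recorded owner of $ComputerName"
    }

    # Each recovery password is an msFVE-RecoveryInformation object directly under the computer.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    # msFVE-RecoveryGuid is stored as an octet string; convert it to a GUID and
    # compare its first 8 hex characters with the ID the user read off the screen.
    $match = $entries | Where-Object {
        $guid = New-Object System.Guid (,[byte[]]$_.'msFVE-RecoveryGuid')
        $guid.ToString().Substring(0, 8) -eq $RecoveryKeyIdPrefix.ToLower()
    } | Select-Object -First 1

    if (-not $match) {
        throw "No recovery password with key ID starting $RecoveryKeyIdPrefix found for $ComputerName"
    }

    # Log every disclosure (assumed log path): who asked, for which machine, which key, when.
    $logLine = '{0:u} user={1} computer={2} keyid={3}' -f (Get-Date), $RequestingUser, $ComputerName, $RecoveryKeyIdPrefix
    Add-Content -Path 'C:\Logs\bitlocker-selfservice.log' -Value $logLine

    return $match.'msFVE-RecoveryPassword'
}

# Usage with assumed values:
# Get-OwnedBitLockerRecoveryPassword -ComputerName 'LAPTOP-0042' -RecoveryKeyIdPrefix '3A7F19C2' -RequestingUser 'bsmith'
```

The account this runs under needs read access to msFVE-RecoveryInformation objects, the same right the RSAT viewer needs. Delegating that read right to a dedicated service account for the computer OU, rather than impersonating a domain administrator from the web tier as the original post suggests, keeps a compromise of the portal from becoming a compromise of the domain.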
  •  Yes, I was assuming those tools would be "part" of the solution, though I was wondering if an APP or some ".NET code" would allow a "Domain User" via a web page to request the key code (after successful authentication), then have some ".NET code" run an impersonation scheme against the AD with that Remote Admin tool to retrieve the key and render it up on a web page. Similar to how a 3rd-party self-service password reset / recovery tool works for the AD.

    Until later .... Brett

    February 20, 2012, 6:26 AM
  • Take a look at MBAM (official Microsoft tool that is included in MDOP) which provides you with a web portal which you or your users can use to get the recovery key. More about this at

    Blogging about Windows for IT pros at

    • Marked as answer by Poomba1, February 20, 2012, 6:40 PM
    • Unmarked as answer by Poomba1, February 20, 2012, 6:40 PM
    • Marked as answer by Poomba1, February 20, 2012, 6:46 PM
    February 20, 2012, 6:31 PM
  •  That is the closest to what I need for sure. I am not sure if the granularity is there; I wouldn't want to add Domain Users to be Help Desk users, but perhaps I can tweak the MBAM to facilitate this. This would be good for a place with a 24/7 Help Desk; for us we need to have it self-service as we don't run 24/7. Too many issues (un-docking improperly, some updates + a hibernate / battery drain) trigger the need to enter this 48-digit numerical key code. Thanks.

    Until later .... Brett

    • Edited by Poomba1, February 20, 2012, 6:46 PM
    February 20, 2012, 6:46 PM