Thursday, January 26, 2017

Bitlocker Group Policies - Store Recovery Keys in AD


Below are some screenshots for configuring Bitlocker in both TPM Only and TPM+PIN modes. These policies will also automatically store recovery keys in Active Directory, where they appear on the Bitlocker Recovery tab in Active Directory Users and Computers (ADUC). If you are configuring AD to store Bitlocker recovery keys, refer to the link in the "Additional Resources" section about verifying your AD schema version.

The policy Interactive Logon: Machine account lockout threshold is set to 10 failed logons; after that the machine should reboot into Bitlocker Recovery mode. This helps prevent a brute-force attack against the Windows login screen and is definitely a good idea, especially when using TPM Only.


Delegating the Right to View Bitlocker Recovery Keys


You can delegate the right to view Bitlocker recovery keys for a particular OU by giving full control of msFVE-RecoveryInformation objects to a user or group of your choice. By default, Domain Admins are the only group that can view these recovery keys.


Note: To view the Bitlocker Recovery tab in ADUC on Windows 7 you may need to add that feature in appwiz.cpl; on Windows 10 it should be visible as soon as the GPO is applied.
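As an added example (not from the original post), the following PowerShell checks two things the procedure above depends on: that the AD schema actually contains the msFVE-RecoveryInformation class, and that computers in the OU the GPO targets have recovery information escrowed under their computer objects. It assumes the RSAT ActiveDirectory module; the OU path is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and an account that can read the target OU (and whatever
# msFVE-RecoveryInformation rights have been delegated to it).
Import-Module ActiveDirectory

function Test-BitLockerSchema {
    # Clients can only escrow keys if the msFVE-RecoveryInformation class is
    # present in the schema; a missing class means the schema is too old.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
    return [bool]$class
}

function Get-EscrowedBitLockerKeyIds {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are children of the computer object. Only their names are
    # read here, never msFVE-RecoveryPassword: listing them proves escrow worked.
    # The CN is "<timestamp>{<recovery key ID>}"; the ID is what the BitLocker
    # recovery screen shows the user, so it is enough to match a help-desk call.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated |
      ForEach-Object {
        [pscustomobject]@{
            Computer      = $ComputerName
            RecoveryKeyId = ($_.Name -replace '^.*\{([^}]+)\}$', '$1')
            Escrowed      = $_.whenCreated
        }
      }
}

function Get-ComputersWithoutEscrowedKey {
    # Defender's check: every computer in the OU the GPO targets should have at
    # least one recovery object once the policy has applied and drives are encrypted.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * |
      Where-Object { -not (Get-EscrowedBitLockerKeyIds -ComputerName $_.Name) } |
      Select-Object -ExpandProperty Name
}

if (-not (Test-BitLockerSchema)) {
    Write-Warning 'Schema lacks msFVE-RecoveryInformation; extend it before enabling the GPO.'
}
# Placeholder OU; replace with the OU the Bitlocker GPO is linked to.
Get-ComputersWithoutEscrowedKey -SearchBase 'OU=Workstations,DC=example,DC=com'
```

Any computer listed either has not yet applied the policy, has no encrypted volume, or failed to escrow its key, and is worth investigating before a user ends up locked out.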


Additional Resources


http://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/

