Does BitLocker encrypt recovery information as it is sent to AD DS?
Yes, the transmission of recovery information from a Windows 7–based client computer to AD DS is protected by using the Kerberos authentication protocol. Specifically, the connection uses the authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING. For more information about Active Directory authentication flags, see ADS_AUTHENTICATION_ENUM Enumeration (http://go.microsoft.com/fwlink/?LinkId=79643).
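The same three flags can be requested on an ADSI bind from PowerShell when checking that recovery information was backed up for a computer. This is an added example, not code from the original FAQ or from Microsoft; the function name and distinguished name are hypothetical, and it assumes the recovery objects are stored as msFVE-RecoveryInformation children of the computer object (a class name not mentioned above) and that the account running it is permitted to read them.

```powershell
# Added example: confirm BitLocker recovery objects exist for one computer,
# binding with the .NET equivalents of the three ADSI flags named above.
Add-Type -AssemblyName System.DirectoryServices

function Get-BitLockerBackupRecord {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerDn
    )

    # Secure  = ADS_SECURE_AUTHENTICATION (0x1)
    # Signing = ADS_USE_SIGNING (0x40), Sealing = ADS_USE_SEALING (0x80)
    # Signing and Sealing only take effect together with Secure.
    $authFlags = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'

    # No explicit credentials: the bind uses the current logon identity.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ComputerDn")
    $entry.AuthenticationType = $authFlags

    # Assumption: recovery objects are direct children of the computer object.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    # Load only identifying attributes; the recovery password is not requested.
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                Name               = [string]$r.Properties['name'][0]
                WhenCreated        = $r.Properties['whencreated'][0]
                AuthenticationType = $entry.AuthenticationType
            }
        }
    }
    finally {
        if ($null -ne $results) { $results.Dispose() }
        $searcher.Dispose()
        $entry.Dispose()
    }
}

# Placeholder distinguished name; replace with a real computer object.
Get-BitLockerBackupRecord -ComputerDn 'CN=WS-EXAMPLE01,OU=Workstations,DC=example,DC=com'
```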