Is the BitLocker recovery information stored in plaintext in AD DS?
Yes, the recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators. If an attacker gains full access to AD DS, all computers in the domain, including BitLocker-protected computers, can be compromised. For more information about securing access to AD DS, see Securing Active Directory Administrative Groups and Accounts (http://go.microsoft.com/fwlink/?LinkId=83266).