BitLocker – AD setup for BitLocker Recovery Key Management

Like most other posts in this blog, this is pieced together to make sense to me.

Especially in older domains, first verify that the AD schema contains the BitLocker (ms-FVE-*) objects. The schema that ships with Windows Server 2008 and later already has them; a forest whose schema was never extended past 2003 has nothing for clients to write to, and every backup will fail. From an elevated PowerShell window on a DC (or any machine with the ActiveDirectory module):

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {name -like 'ms-FVE-*'}

On a domain controller, install the BitLocker feature so that the BitLocker Recovery tab (the "BitLocker Recovery Password Viewer" extension for Active Directory Users and Computers) becomes available. Be aware that -IncludeAllSubFeature also installs BitLocker Network Unlock, which a DC does not need for recovery-key management; the viewer itself is the part that ships under the feature's management tools:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

To see the BitLocker Recovery tab (and the recovery passwords it lists) in Active Directory Users and Computers from an admin workstation, the RSAT component "BitLocker Drive Encryption Administration Utilities" has to be installed on that workstation. Installing the tool does not grant access: by default only Domain Admins can read the recovery password objects, so helpdesk staff need rights delegated on msFVE-RecoveryInformation objects before the tab shows them anything.
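The following is an added example and not code from the original post. It does three things from an elevated PowerShell window with the ActiveDirectory module loaded: checks the schema for the five BitLocker objects by exact name instead of a wildcard, installs only the Recovery Password Viewer (on a server via Install-WindowsFeature, on a Windows 10/11 workstation via Add-WindowsCapability), and looks up recovery passwords in AD, both per computer and by the 8-character Password ID the recovery screen shows. The computer name 'WS01', the prefix '1A2B3C4D' and the two function names are placeholders of mine.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# with the ActiveDirectory module. 'WS01' and the Password ID prefix '1A2B3C4D'
# are placeholders; the two function names are mine. Reading recovery passwords
# requires rights on msFVE-RecoveryInformation objects (Domain Admins by default).
Import-Module ActiveDirectory

# 1. Check the schema by exact name rather than by wildcard. These five objects
#    ship with the Windows Server 2008+ schema; if any is missing the forest
#    schema must be extended before any backup can succeed.
$schemaNC = (Get-ADRootDSE).SchemaNamingContext
$required = 'ms-FVE-RecoveryInformation', 'ms-FVE-RecoveryPassword',
            'ms-FVE-RecoveryGuid', 'ms-FVE-VolumeGuid', 'ms-FVE-KeyPackage'
$present  = (Get-ADObject -SearchBase $schemaNC -Filter "name -like 'ms-FVE-*'").Name
$missing  = $required | Where-Object { $_ -notin $present }
if ($missing) { throw "AD schema lacks BitLocker objects: $($missing -join ', ')" }

# 2. Install only the viewer. On a server the ADUC 'BitLocker Recovery' tab comes
#    from RSAT-Feature-Tools-BitLocker-BdeAducExt (BitLocker Recovery Password
#    Viewer); the full BitLocker feature with -IncludeAllSubFeature also pulls in
#    Network Unlock, which a DC does not need. On a Windows 10/11 workstation the
#    same tool is the RSAT capability installed by Add-WindowsCapability.
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt
} else {
    Add-WindowsCapability -Online -Name 'Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0'
}

# 3. Every recovery password escrowed for one computer, newest first. Each backup
#    is a child msFVE-RecoveryInformation object whose CN is the backup timestamp
#    followed by the Password ID GUID in braces.
function Get-BitLockerRecoveryFromAD {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        Sort-Object whenCreated -Descending |
        Select-Object @{ n = 'Computer';   e = { $ComputerName } },
                      whenCreated,
                      @{ n = 'PasswordID'; e = { $_.Name -replace '^[^{]*\{' -replace '\}$' } },
                      msFVE-RecoveryPassword
}

# 4. Reverse lookup from the 8-character Password ID shown on the recovery
#    screen: match the GUID embedded in the object name across the domain.
function Find-BitLockerRecoveryByPasswordID {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$Prefix)
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$Prefix*'" `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        Select-Object @{ n = 'Computer'; e = { ($_.DistinguishedName -split ',', 2)[1] } },
                      whenCreated, msFVE-RecoveryPassword
}

Get-BitLockerRecoveryFromAD -ComputerName 'WS01'
Find-BitLockerRecoveryByPasswordID -Prefix '1A2B3C4D'
```

The per-computer query returns one row per backup, so a machine that has been re-encrypted or had its protectors rotated shows several passwords; the newest whenCreated is the one the current protector uses. The reverse lookup is what the viewer's "Find BitLocker recovery password" dialog does, and it is the search to use when a user reads the Password ID from the recovery screen over the phone.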

GPO Settings

On a domain controller: Server Manager > Tools > Group Policy Management

Edit the following:

Computer Configuration>Policies>Administrative Templates>Windows Components>BitLocker Drive Encryption

"Store BitLocker recovery information in Active Directory Domain Services":
    Select "Enabled"
    Check "Require BitLocker backup to AD DS"
    Select "Recovery passwords and key packages"

NOTE - The "Help" text at the bottom of this GPO setting says that TPM information also has to be backed up to AD DS ("Turn on TPM backup to Active Directory Domain Services"). That no longer applies from Windows 10 version 1607 onward, which does not retain the TPM owner password, so the TPM backup setting can be left unconfigured.

"Choose how users can recover BitLocker-protected drives":
    Select "Enabled"

Select "Operating System Drives"

"Choose how BitLocker-protected operating system drives can be recovered":
    Select "Enabled"
    Check "Save BitLocker recovery information to AD DS for operating system drives"
    Select "Store recovery passwords and key packages"
    Check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"

Select "Fixed Data Drives"

"Choose how BitLocker-protected fixed data drives can be recovered":
    Select "Enabled"
    Check "Save BitLocker recovery information to AD DS for fixed data drives"
    Select "Backup recovery passwords and key packages"
    Check "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"

The two "Do not enable BitLocker until ..." options are what make the backup mandatory: a client that cannot reach a DC at the moment BitLocker is turned on will refuse to encrypt rather than silently keep the key local. That is the behaviour you want, but it also means laptops provisioned off the corporate network (no VPN, no DC line of sight) will fail to enable until they are connected. The policy only governs backups made at enable time; drives encrypted before the GPO existed get nothing in AD until their recovery passwords are pushed up explicitly.
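The following is an added example and not code from the original post. Run elevated on a domain-joined client after gpupdate /force, it verifies that the settings above actually arrived (the GPO writes them under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names are the ones used by the BitLocker ADMX as I know them and should be treated as an assumption if a row reports BAD), then backs up every numerical-password protector on every encrypted volume to AD DS. The second part is the fix for machines that were encrypted before the policy existed, since the policy itself does not retroactively escrow anything. The function names are mine.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined
# client after 'gpupdate /force'. Registry value names are those used by the
# BitLocker ADMX (VolumeEncryption.admx) as I know them; treat them as an
# assumption and compare against your ADMX if a row reports BAD.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{
    ActiveDirectoryBackup           = 1   # Store BitLocker recovery information in AD DS: Enabled
    RequireActiveDirectoryBackup    = 1   # Require BitLocker backup to AD DS
    ActiveDirectoryInfoToStore      = 1   # 1 = recovery passwords and key packages, 2 = passwords only
    OSRecovery                      = 1   # Choose how ... operating system drives can be recovered: Enabled
    OSActiveDirectoryBackup         = 1   # Save BitLocker recovery information to AD DS for OS drives
    OSActiveDirectoryInfoToStore    = 1   # Store recovery passwords and key packages
    OSRequireActiveDirectoryBackup  = 1   # Do not enable BitLocker until recovery information is stored
    FDVRecovery                     = 1   # Choose how ... fixed data drives can be recovered: Enabled
    FDVActiveDirectoryBackup        = 1
    FDVActiveDirectoryInfoToStore   = 1
    FDVRequireActiveDirectoryBackup = 1
}

function Test-BitLockerAdBackupPolicy {
    $policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = $policy.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            State    = if ($actual -eq $expected[$name]) { 'OK' } else { 'BAD' }
        }
    }
}
Test-BitLockerAdBackupPolicy | Format-Table -AutoSize

# The policy only governs backups made when BitLocker is turned on. Drives that
# were encrypted before the GPO existed (or while no DC was reachable) have
# nothing in AD, so push their recovery passwords up explicitly. This is the
# PowerShell form of 'manage-bde -protectors -adbackup <drive> -id <protector id>'.
function Backup-AllRecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.KeyProtector }) {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # TPM-only protection has no numerical password to escrow; add one first:
            #   Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            Write-Warning "$($vol.MountPoint): no recovery password protector, nothing to escrow"
            continue
        }
        foreach ($p in $rp) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                "{0} protector {1} backed up to AD DS" -f $vol.MountPoint, $p.KeyProtectorId
            } catch {
                # Usual causes: no DC reachable, schema not extended, or the computer
                # account cannot create msFVE-RecoveryInformation objects under itself.
                Write-Warning ("{0} protector {1}: {2}" -f $vol.MountPoint, $p.KeyProtectorId, $_.Exception.Message)
            }
        }
    }
}
Backup-AllRecoveryPasswordsToAD
```

Backup-BitLockerKeyProtector only escrows recovery passwords, which is why the script warns rather than tries to back up TPM or startup-key protectors; a volume that has only a TPM protector needs a recovery password added before there is anything AD can store. Run the backup part from a startup script or a scheduled task on the fleet once, after the GPO is in place, and confirm from the DC side that each computer object has gained an msFVE-RecoveryInformation child.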

Transferring FSMO Roles in Active Directory

Transferring the AD roles is easy using PowerShell. One important requirement needs to be met in order to transfer the "SchemaMaster" role: the admin performing the transfer needs to be a member of the "Schema Admins" group. Being in the "Enterprise Admins" and "Domain Admins" groups is not enough. Group membership is evaluated at logon, so an account that was just added to Schema Admins must log off and on again before the transfer succeeds.

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster
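The following is an added example and not code from the original post. It wraps the transfer in the checks a practitioner wants: it confirms from the current logon token (not from the group) that Schema Admins and Enterprise Admins membership is actually in effect, records the role holders before and after as seen by the target DC, and suppresses the per-role confirmation prompts. 'dc2' is the post's placeholder target; the Get-FsmoHolders helper is mine.

```powershell
# Added example, not from the original post. 'dc2' is the post's placeholder
# target; the Get-FsmoHolders helper is mine. Run from an elevated PowerShell
# with the ActiveDirectory module, as a member of Schema Admins, Enterprise
# Admins and Domain Admins.
Import-Module ActiveDirectory

$target = 'dc2'
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Token check. Schema Admins (RID 518) and Enterprise Admins (RID 519) live in the
# forest root domain. Membership is stamped into the logon token, so an account
# added to the group minutes ago still fails until it logs off and on again;
# checking the token rather than the group avoids a confusing access denied.
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
$needed    = @{ 'Schema Admins' = "$rootSid-518"; 'Enterprise Admins' = "$rootSid-519" }
foreach ($g in $needed.Keys) {
    if ($tokenSids -notcontains $needed[$g]) {
        throw "Current logon token is not a member of '$g'. Add the account, then log off and on."
    }
}

# Role holders as seen by one specific DC, so before/after are not skewed by
# replication lag between DCs.
function Get-FsmoHolders {
    param([Parameter(Mandatory)][string]$Server)
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before = Get-FsmoHolders -Server $target

# Transfer is a cooperative handoff: the current holder must be online and
# replicating. Only if it is permanently gone, add -Force to seize the role,
# and then never bring the old holder back onto the network.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

$after = Get-FsmoHolders -Server $target
foreach ($r in $roles) {
    '{0,-22} {1}  ->  {2}' -f $r, $before[$r], $after[$r]
}
```

Two placement caveats before moving everything onto one server: the Infrastructure Master should not sit on a global catalog unless every DC in the domain is a GC, and the PDC Emulator is the busiest of the five (time source, password-change forwarding, lockout processing), so put it on a well-connected DC.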

Earlier post on Active Directory FSMO roles (reproduced below):

Active Directory FSMO Roles

Knowing which Active Directory server(s) holds the following five roles is important for a number of reasons, the most important of which is that decommissioning a server that holds one or more of these roles may cause serious operational issues within a functioning domain.

The five FSMO (Flexible Single Master Operation) roles are:

Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator

Find the server(s) that holds the roles from the command line:

netdom query fsmo

Or using PowerShell:

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

– and –

Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster

A follow-up article on transferring the roles can be found here: