asked on

How to save the recovery key in AD through MDT 2008

Bitlocker activation in the MDT 2008 task sequence works great! In the lite touch deployment you can check the box that will tell it to save the recovery key in AD. When the task sequence is complete and drive encryption is complete, for some reason the key is not getting stored in AD. Why isn't the lite touch deployment storing the key in AD for me? I have verified the laptop IS in the domain while the encryption is occuring. Any thoughts?
Even though i set the value in customsettings.ini file, nothing is getting refelected in the Enbale bitlocker wizard. Below are the values set in the INI file;

SkipBitLocker=NO
BDEInstallSuppress=NO
BDEDriveLetter=Q:
BDEInstall=TPM
BDERecoveryKey=AD
BDEWaitForEncryption=TRUE

Kelvin_King

I have had the problem as well when setting up key escrow for BitLocker.

I'm not sure if it's the same problem, but for me it was because BitLocker requires that you extend the schema in the AD.

I can't remember the exact steps I did, but this is the documentation which I followed

http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en

Hope it helps you
-Kelvin

Kelvin_King

I found this useful as well
http://technet.microsoft.com/en-us/library/cc766015.aspx

There are some scripts which you need to run to extend the AD schema.

And even then, I remembered that the scripts were written wrongly. I had to contact the BitLocker technical support team, send them the script and had them correct it for me.

I hope times have changed....

-Kelvin

ASKER CERTIFIED SOLUTION

Kelvin_King

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Kelvin_King

Did the information help you?