Solved

Storing Bitlocker recovery information in AD

Posted on 2010-08-13
4
2,685 Views
Last Modified: 2013-11-29
Hello,
I am trying to set up a bitlocker enviroment, so that the recoveryinformation will be stored in active directoy as a child to the specific computer object.

I followed the instructions in Microsofts' "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".

The unsed infrastrucure encompasses a server 2008 and windows 7 x64 bit clients whith TPM and 2 partitons (one for data and one for OS which for performance reasons isn't going to be encrypted).

In server 2008 the required shemas are already availale but i double checked an could find all required entreis.

             CN= ms-FVE-KeyPackage – attributeSchema object
             CN=ms-FVE-RecoveryGuid – attributeSchema object
             CN=ms-FVE-RecoveryInformation – classSchema object
             CN=ms-FVE-RecoveryPassword – attributeSchema object
             CN=ms-FVE-VolumeGuid – attributeSchema object
             CN=ms-TPM-OwnerInformation – attributeSchema object

Then the required ACE was installed sucessfully.

After that i created a OU for computers that are going to use Bitlocker and linked the following two GPOs and enfroced them:

Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)

Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.

I then made sure that the GPO was replicated to the particular pcs, which is the case (running gpresult /r).

Then i activated the TPM / or changed PWD if it was alread active.

I then encrypted the partiton using manage-bde -on -recoverypassword DRIVE:

I then used Get-BitlockerRecoveryInfo.vbs to see if recovery and TPM is sotred to ad. It only shows the compute object but now recovery information.

I then tried manage-bde -protectors -adbackup DRIEVE: -id (id which was shown after encrytion) which will ersult in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was notattemted."

Did I miss something?





0
Comment
Question by:img-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Expert Comment

by:Vikas Shah
ID: 33428100
0
 

Author Comment

by:img-admin
ID: 33428572
Ah ok, i cann see that this attribute is completely missing also in the domain root.
So the best way is to import the shema manually despite of running 2008 R2.
0
 
LVL 6

Expert Comment

by:Vikas Shah
ID: 33435331
Yep,

Do that and Let me know if you still experience any issues further.

Awaiting Reply,

Regards,
Vikas
0
 

Accepted Solution

by:
img-admin earned 0 total points
ID: 33465282
Hi. The problem was that the setting for "Fixed Data Drives" -> "Choose hwo Bitlocker-proteted fixed drives can be recoverd" wasn't set. There you can endalbe "Save Bitlocker recovery information to AD DS for fixed data drives".

The reason I couldn't see the attributes was that my admin account has delegated right to specific ous only.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question