Storing Bitlocker recovery information in AD

Hello,
I am trying to set up a bitlocker enviroment, so that the recoveryinformation will be stored in active directoy as a child to the specific computer object.

I followed the instructions in Microsofts' "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".

The unsed infrastrucure encompasses a server 2008 and windows 7 x64 bit clients whith TPM and 2 partitons (one for data and one for OS which for performance reasons isn't going to be encrypted).

In server 2008 the required shemas are already availale but i double checked an could find all required entreis.

             CN= ms-FVE-KeyPackage – attributeSchema object
             CN=ms-FVE-RecoveryGuid – attributeSchema object
             CN=ms-FVE-RecoveryInformation – classSchema object
             CN=ms-FVE-RecoveryPassword – attributeSchema object
             CN=ms-FVE-VolumeGuid – attributeSchema object
             CN=ms-TPM-OwnerInformation – attributeSchema object

Then the required ACE was installed sucessfully.

After that i created a OU for computers that are going to use Bitlocker and linked the following two GPOs and enfroced them:

Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)

Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.

I then made sure that the GPO was replicated to the particular pcs, which is the case (running gpresult /r).

Then i activated the TPM / or changed PWD if it was alread active.

I then encrypted the partiton using manage-bde -on -recoverypassword DRIVE:

I then used Get-BitlockerRecoveryInfo.vbs to see if recovery and TPM is sotred to ad. It only shows the compute object but now recovery information.

I then tried manage-bde -protectors -adbackup DRIEVE: -id (id which was shown after encrytion) which will ersult in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was notattemted."

Did I miss something?





img-adminAsked:
Who is Participating?
 
img-adminConnect With a Mentor Author Commented:
Hi. The problem was that the setting for "Fixed Data Drives" -> "Choose hwo Bitlocker-proteted fixed drives can be recoverd" wasn't set. There you can endalbe "Save Bitlocker recovery information to AD DS for fixed data drives".

The reason I couldn't see the attributes was that my admin account has delegated right to specific ous only.
0
 
Vikas ShahCurrently Seeking OpportunitiesCommented:
0
 
img-adminAuthor Commented:
Ah ok, i cann see that this attribute is completely missing also in the domain root.
So the best way is to import the shema manually despite of running 2008 R2.
0
 
Vikas ShahCurrently Seeking OpportunitiesCommented:
Yep,

Do that and Let me know if you still experience any issues further.

Awaiting Reply,

Regards,
Vikas
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.