Storing Bitlocker recovery information in AD
img-admin asked:
Hello,
I am trying to set up a BitLocker environment, so that the recovery information will be stored in Active Directory as a child of the specific computer object.
I followed the instructions in Microsoft's "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".
The used infrastructure encompasses a Server 2008 and Windows 7 x64 clients with TPM and 2 partitions (one for data and one for OS, which for performance reasons isn't going to be encrypted).
In Server 2008 the required schema entries are already available, but I double checked and could find all required entries:
CN=ms-FVE-KeyPackage – attributeSchema object
CN=ms-FVE-RecoveryGuid – attributeSchema object
CN=ms-FVE-RecoveryInformation – classSchema object
CN=ms-FVE-RecoveryPassword – attributeSchema object
CN=ms-FVE-VolumeGuid – attributeSchema object
CN=ms-TPM-OwnerInformation – attributeSchema object
Then the required ACE was installed successfully.
After that I created an OU for computers that are going to use BitLocker and linked the following two GPOs and enforced them:
Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)
Computer Configuration -> Administrative Templates -> System -> Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.
I then made sure that the GPO was replicated to the particular PCs, which is the case (running gpresult /r).
Then I activated the TPM, or changed the PWD if it was already active.
I then encrypted the partition using manage-bde -on -recoverypassword DRIVE:
I then used Get-BitlockerRecoveryInfo.vbs to see if recovery and TPM information is stored to AD. It only shows the computer object but no recovery information.
I then tried manage-bde -protectors -adbackup DRIVE: -id (id which was shown after encryption), which will result in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted."
Did I miss something?
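The "Group policy does not permit the storage of recovery information" error is raised on the client, so the place to look is what policy actually reached the machine, then whether the AD side can hold the object. The following diagnostic script is an added example, not code from the thread, from Microsoft or from the Get-BitlockerRecoveryInfo.vbs script mentioned above. It assumes the encrypted partition is D: (change $drive), that the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM match the BitLocker and TPM policy templates (ActiveDirectoryBackup, RequireActiveDirectoryBackup, and the OS*/FDV* per-drive-type variants), and that it runs in an elevated PowerShell session on a domain-joined client with ADSI connectivity to a domain controller.

```powershell
# Added diagnostic for the "recovery information not in AD" situation described above.
# Assumptions: $drive is the BitLocker-encrypted partition; registry value names are
# taken from the BitLocker/TPM policy templates; run elevated on the domain-joined client.
$drive = 'D:'

# --- 1. Forest schema: do the six objects listed in the post exist? ---
$rootDse   = [adsi]'LDAP://RootDSE'
$schemaNc  = "$($rootDse.schemaNamingContext)"
$required  = 'ms-FVE-KeyPackage', 'ms-FVE-RecoveryGuid', 'ms-FVE-RecoveryInformation',
             'ms-FVE-RecoveryPassword', 'ms-FVE-VolumeGuid', 'ms-TPM-OwnerInformation'
Write-Host "== Schema objects in $schemaNc =="
foreach ($cn in $required) {
    $present = [adsi]::Exists("LDAP://CN=$cn,$schemaNc")
    '{0,-30} {1}' -f $cn, $(if ($present) { 'present' } else { 'MISSING' })
}

# --- 2. Client policy: what did Group Policy actually write on this machine? ---
# manage-bde -adbackup refuses unless the AD-backup value for the drive type is set.
# 'ActiveDirectoryBackup' is the Vista/2008-era policy; the Windows 7 templates use
# per-drive-type names (OS* for the operating-system drive, FDV* for fixed data drives).
$checks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE' = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup',
                                              'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup',
                                              'FDVActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup'
    'HKLM:\SOFTWARE\Policies\Microsoft\TPM' = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup'
}
foreach ($key in $checks.Keys) {
    Write-Host "== $key =="
    if (-not (Test-Path $key)) {
        Write-Host "  key absent: no BitLocker/TPM policy has been applied here (re-check gpresult /r, gpupdate /force)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $checks[$key]) {
        $value = $props.$name
        '  {0,-32} {1}' -f $name, $(if ($null -eq $value) { '<not set>' } else { $value })
    }
}

# --- 3. Protectors on the drive: find the numerical-password protector ID and back it up ---
Write-Host "== Protectors on $drive =="
$out = manage-bde -protectors -get $drive
$out | ForEach-Object { "  $_" }
$id = $null
for ($i = 0; $i -lt $out.Count -and -not $id; $i++) {
    if ($out[$i] -match 'Numerical Password') {
        # The ID line follows the protector type line; a BitLocker protector ID is a braced GUID.
        for ($j = $i + 1; $j -lt $out.Count; $j++) {
            if ($out[$j] -match '\{[0-9A-Fa-f-]{36}\}') { $id = $Matches[0]; break }
        }
    }
}
if ($id) {
    Write-Host "== Backing up protector $id to AD DS =="
    manage-bde -protectors -adbackup $drive -id $id
} else {
    Write-Host "  no numerical-password protector found; add one with: manage-bde -protectors -add $drive -recoverypassword"
}

# --- 4. AD side: count msFVE-RecoveryInformation children under this computer object ---
# Only the count is shown; the recovery password itself is deliberately not read or printed.
$computer = ([adsisearcher]"(&(objectClass=computer)(cn=$env:COMPUTERNAME))").FindOne()
if ($computer) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]$computer.Path, '(objectClass=msFVE-RecoveryInformation)')
    $searcher.SearchScope = 'OneLevel'
    Write-Host ("== {0} recovery object(s) stored under {1} ==" -f $searcher.FindAll().Count, $computer.Path)
} else {
    Write-Host "== computer object for $env:COMPUTERNAME not found in the domain =="
}
```

If step 1 reports a missing object, the schema on the domain controllers has to be extended before any client can succeed. If step 2 shows the FVE key absent or the per-drive-type value unset, the GPO listed in the post is not the one this Windows 7 client evaluates for that drive, which is exactly the condition that produces the manage-bde error; fix the policy first and only then rerun the backup in step 3. Step 4 confirms the result from the directory side without exposing the recovery password.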
ASKER
Ah ok, I can see that this attribute is completely missing also in the domain root.
So the best way is to import the schema manually despite running 2008 R2.
Yep,
Do that and let me know if you still experience any further issues.
Awaiting Reply,
Regards,
Vikas
ASKER CERTIFIED SOLUTION
Check out the link mentioned below:
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/84e64078-f5b0-437e-8733-c61e2f912252
Regards,
Vikas