Storing Bitlocker recovery information in AD
Posted on 2010-08-13
I am trying to set up a BitLocker environment so that the recovery information will be stored in Active Directory as a child of the specific computer object.
I followed the instructions in Microsoft's "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".
The infrastructure used consists of a Server 2008 and Windows 7 x64 clients with TPM and 2 partitions (one for data and one for the OS, which for performance reasons isn't going to be encrypted).
In Server 2008 the required schema is already available, but I double-checked and could find all required entries:
CN=ms-FVE-KeyPackage – attributeSchema object
CN=ms-FVE-RecoveryGuid – attributeSchema object
CN=ms-FVE-RecoveryInformation – classSchema object
CN=ms-FVE-RecoveryPassword – attributeSchema object
CN=ms-FVE-VolumeGuid – attributeSchema object
CN=ms-TPM-OwnerInformation – attributeSchema object
Then the required ACE was installed successfully.
After that I created an OU for computers that are going to use BitLocker and linked the following two GPOs and enforced them:
Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)
Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.
I then made sure that the GPO was replicated to the particular PCs, which is the case (running gpresult /r).
Then I activated the TPM, or changed the password if it was already active.
I then encrypted the partition using manage-bde -on -recoverypassword DRIVE:
I then used Get-BitlockerRecoveryInfo.vbs to see if the recovery and TPM information is stored in AD. It only shows the computer object but no recovery information.
I then tried manage-bde -protectors -adbackup DRIVE: -id (the ID which was shown after encryption), which results in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted."
Did I miss something?
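The following is an added example, not part of the original post or of Microsoft's documentation. It checks, from an elevated PowerShell prompt on one of the Windows 7 clients, the three things the failing manage-bde -protectors -adbackup step depends on: the BitLocker and TPM backup policy values as actually written to the local Policies registry hive (gpresult /r proves the GPO was applied, not that the expected values landed), the recovery password protectors present on the volume, and the msFVE-RecoveryInformation objects AD holds under the computer object. The registry value names (OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup, ActiveDirectoryBackup and their TPM counterparts) are assumed from the BitLocker and TPM ADMX templates; the drive letter is a placeholder, and the script assumes the client is domain-joined and can reach a domain controller.

```powershell
# Added example (not the original poster's code). Run elevated on the Win7 client.
# Registry value names are assumed from the BitLocker/TPM ADMX templates; compare
# against the ADMX files if a value you expect is missing.
param(
    [string]$Drive = "D:"   # placeholder: the encrypted data volume from the post
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# 1. Policy as applied locally: this is what manage-bde consults before
#    it raises "Group policy does not permit the storage of recovery information".
$fveKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$tpmKey = "HKLM:\SOFTWARE\Policies\Microsoft\TPM"
"--- BitLocker AD backup policy ($fveKey) ---"
$fveNames = "ActiveDirectoryBackup", "RequireActiveDirectoryBackup",
            "OSActiveDirectoryBackup", "OSRequireActiveDirectoryBackup",
            "FDVActiveDirectoryBackup", "FDVRequireActiveDirectoryBackup"
foreach ($n in $fveNames) { "{0,-32} = {1}" -f $n, (Get-PolicyValue $fveKey $n) }
"--- TPM AD backup policy ($tpmKey) ---"
foreach ($n in "ActiveDirectoryBackup", "RequireActiveDirectoryBackup") {
    "{0,-32} = {1}" -f $n, (Get-PolicyValue $tpmKey $n)
}
# All values empty => the GPO settings never reached this machine's policy hive.

# 2. Protectors on the volume, including the numerical password IDs that
#    manage-bde -protectors -adbackup expects after -id.
"--- Protectors on $Drive ---"
manage-bde -protectors -get $Drive

# 3. What AD actually holds: msFVE-RecoveryInformation children of this computer.
$computerFilter = "(&(objectClass=computer)(cn=$env:COMPUTERNAME))"
$computer = ([adsisearcher]$computerFilter).FindOne()
if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$computerDN = $computer.Properties["distinguishedname"][0]

$searcher = [adsisearcher]"(objectClass=msFVE-RecoveryInformation)"
$searcher.SearchRoot  = [adsi]"LDAP://$computerDN"
$searcher.SearchScope = "OneLevel"
[void]$searcher.PropertiesToLoad.AddRange(
    @("msFVE-RecoveryGuid", "msFVE-VolumeGuid", "msFVE-RecoveryPassword"))
$results = $searcher.FindAll()
"--- msFVE-RecoveryInformation objects under $computerDN : $($results.Count) ---"
foreach ($r in $results) {
    $p = $r.Properties    # keys come back lower-cased from DirectorySearcher
    $recoveryGuid = New-Object System.Guid (, [byte[]]$p["msfve-recoveryguid"][0])
    $volumeGuid   = New-Object System.Guid (, [byte[]]$p["msfve-volumeguid"][0])
    "RecoveryGuid={0}  VolumeGuid={1}  Password={2}" -f $recoveryGuid, $volumeGuid,
        $p["msfve-recoverypassword"][0]
}
```

Reading the three sections together separates the cases: empty policy values with the GPO listed by gpresult point at the policy not being written on the client; populated policy values with a protector ID but zero AD objects point at the write to AD itself (the ACE on the computer objects or the DC the client talks to); and a non-zero object count means the backup happened and only the VBScript query was looking in the wrong place.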