Solved

Storing Bitlocker recovery information in AD

Posted on 2010-08-13
Last Modified: 2013-11-29
Hello,
I am trying to set up a BitLocker environment, so that the recovery information will be stored in Active Directory as a child of the specific computer object.

I followed the instructions in Microsoft's "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".

The used infrastructure encompasses a Server 2008 and Windows 7 x64 clients with TPM and 2 partitions (one for data and one for the OS, which for performance reasons isn't going to be encrypted).

In Server 2008 the required schemas are already available, but I double checked and could find all required entries:

  CN=ms-FVE-KeyPackage – attributeSchema object
  CN=ms-FVE-RecoveryGuid – attributeSchema object
  CN=ms-FVE-RecoveryInformation – classSchema object
  CN=ms-FVE-RecoveryPassword – attributeSchema object
  CN=ms-FVE-VolumeGuid – attributeSchema object
  CN=ms-TPM-OwnerInformation – attributeSchema object

Then the required ACE was installed successfully.

After that I created an OU for computers that are going to use BitLocker and linked the following two GPOs and enforced them:

Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)

Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.

I then made sure that the GPO was replicated to the particular pcs, which is the case (running gpresult /r).

Then I activated the TPM, or changed the PWD if it was already active.

I then encrypted the partition using manage-bde -on -recoverypassword DRIVE:

I then used Get-BitlockerRecoveryInfo.vbs to see if recovery and TPM information is stored to AD. It only shows the computer object but no recovery information.

I then tried manage-bde -protectors -adbackup DRIVE: -id (id which was shown after encryption), which will result in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted."

Did I miss something?
Question by:img-admin
4 Comments

Expert Comment

by:Vikas Shah

Author Comment

by:img-admin
Ah ok, I can see that this attribute is completely missing also in the domain root.
So the best way is to import the schema manually despite running 2008 R2.

Expert Comment

by:Vikas Shah
Yep,

Do that and let me know if you still experience any issues further.

Awaiting Reply,

Regards,
Vikas
Accepted Solution

by:img-admin
Hi. The problem was that the setting for "Fixed Data Drives" -> "Choose how BitLocker-protected fixed drives can be recovered" wasn't set. There you can enable "Save BitLocker recovery information to AD DS for fixed data drives".

The reason I couldn't see the attributes was that my admin account has delegated rights to specific OUs only.
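The two things that turned out to matter in this thread (the per-drive-class policy value actually applied on the client, and whether msFVE-RecoveryInformation objects are readable under the computer account) can both be checked before re-running manage-bde -protectors -adbackup. The script below is an added example and is not code from the thread or from Microsoft's guide; it uses only ADSI so it runs on a Windows 7 client without RSAT, and $Drive and $ComputerName are placeholders. The FVE registry value names are the ones the BitLocker GPO settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE; the OS*/FDV* pairs belong to the per-drive "Choose how ... can be recovered" settings, the unprefixed pair to the older "Turn on BitLocker backup to AD DS" setting the question used.

```powershell
# Added example (not from the thread). Run on the BitLocker client as a user who can read
# its own computer object. $Drive / $ComputerName are placeholders.
param(
    [string]$Drive        = 'D:',                # placeholder: the fixed data drive
    [string]$ComputerName = $env:COMPUTERNAME
)

# --- 1. Which AD-backup policy values did Group Policy actually apply? ---
# OS*  = Operating System Drives -> Choose how BitLocker-protected operating system drives can be recovered
# FDV* = Fixed Data Drives -> Choose how BitLocker-protected fixed drives can be recovered
# unprefixed = the older "Turn on BitLocker backup to AD DS" setting, which on Windows 7 does not
# by itself permit backup for fixed data drives (the cause of the "Group policy does not permit" error).
$fveKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fvePolicy = $null
if (Test-Path $fveKey) { $fvePolicy = Get-ItemProperty -Path $fveKey }

$wanted = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup',
          'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup',
          'FDVActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup'

"Applied FVE policy values on $ComputerName ($fveKey):"
foreach ($name in $wanted) {
    $value = if ($fvePolicy -ne $null -and $fvePolicy.PSObject.Properties[$name]) { $fvePolicy.$name } else { '<not set>' }
    "  {0,-32} {1}" -f $name, $value
}
$fdvEnabled = ($fvePolicy -ne $null) -and $fvePolicy.PSObject.Properties['FDVActiveDirectoryBackup'] -and
              ($fvePolicy.FDVActiveDirectoryBackup -eq 1)
if (-not $fdvEnabled) {
    "  -> FDVActiveDirectoryBackup is not 1: enable 'Save BitLocker recovery information to AD DS for fixed"
    "     data drives' under Fixed Data Drives, run gpupdate /force, then retry the -adbackup command."
}

# --- 2. Is anything stored under the computer object? (ADSI only, no RSAT needed) ---
$computerSearch = New-Object DirectoryServices.DirectorySearcher
$computerSearch.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$computerSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'msTPM-OwnerInformation'))
$computerEntry = $computerSearch.FindOne()
if ($computerEntry -eq $null) {
    "Computer object for $ComputerName not found, or not readable with this account."
    return
}
$computerDn = [string]$computerEntry.Properties['distinguishedname'][0]
""
"Computer object: $computerDn"
# Presence only: the TPM owner hash is never printed.
"TPM owner information attribute readable and populated: " + $computerEntry.Properties.Contains('mstpm-ownerinformation')

$recoverySearch = New-Object DirectoryServices.DirectorySearcher
$recoverySearch.SearchRoot  = New-Object DirectoryServices.DirectoryEntry("LDAP://$computerDn")
$recoverySearch.SearchScope = 'OneLevel'
$recoverySearch.Filter      = '(objectClass=msFVE-RecoveryInformation)'
$recoverySearch.PropertiesToLoad.AddRange([string[]]@('name', 'whenCreated'))
$recoveryObjects = $recoverySearch.FindAll()

"msFVE-RecoveryInformation objects under the computer: $($recoveryObjects.Count)"
foreach ($obj in $recoveryObjects) {
    # The object name already carries the date and the volume GUID; msFVE-RecoveryPassword is
    # deliberately not requested or printed by this check.
    "  {0}  (created {1})" -f $obj.Properties['name'][0], $obj.Properties['whencreated'][0]
}
if ($recoveryObjects.Count -eq 0) {
    "  -> None. Either backup has not happened yet (run: manage-bde -protectors -adbackup $Drive -id {ProtectorId})"
    "     or, as in the accepted answer, this account only has delegated rights on some OUs and cannot read them."
}
```

Run the policy part first: if FDVActiveDirectoryBackup is missing while the OS* or unprefixed values are 1, the client will keep refusing the fixed-drive backup exactly as the question describes, regardless of what the schema looks like. The AD part distinguishes "nothing was ever written" from "written but not visible to me"; when the computer object itself is found but no child objects come back, compare the result with an account that has full read rights on the OU before touching the schema.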