Solved

Storing Bitlocker recovery information in AD

Posted on 2010-08-13
Last Modified: 2013-11-29
Hello,
I am trying to set up a BitLocker environment so that the recovery information will be stored in Active Directory as a child of the specific computer object.

I followed the instructions in Microsoft's "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".

The infrastructure used consists of a Server 2008 and Windows 7 x64 clients with TPM and two partitions (one for data and one for the OS, which for performance reasons isn't going to be encrypted).

In Server 2008 the required schema is already available, but I double-checked and could find all required entries:

             CN=ms-FVE-KeyPackage – attributeSchema object
             CN=ms-FVE-RecoveryGuid – attributeSchema object
             CN=ms-FVE-RecoveryInformation – classSchema object
             CN=ms-FVE-RecoveryPassword – attributeSchema object
             CN=ms-FVE-VolumeGuid – attributeSchema object
             CN=ms-TPM-OwnerInformation – attributeSchema object

Then the required ACE was installed successfully.

After that I created an OU for computers that are going to use BitLocker, linked the following two GPOs to it and enforced them:

Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)

Computer Configuration -> Administrative Templates -> System -> Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled), with the Require TPM backup to AD DS check box selected.

I then made sure that the GPO was replicated to the particular PCs, which is the case (running gpresult /r).

Then I activated the TPM, or changed the password if it was already active.

I then encrypted the partition using manage-bde -on -recoverypassword DRIVE:

I then used Get-BitlockerRecoveryInfo.vbs to see if the recovery and TPM information is stored in AD. It only shows the computer object but no recovery information.

I then tried manage-bde -protectors -adbackup DRIVE: -id (the ID which was shown after encryption), which results in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted."

Did I miss something?

Question by:img-admin
4 Comments
 
LVL 6

Expert Comment

by:Vikas Shah
ID: 33428100
 

Author Comment

by:img-admin
ID: 33428572
Ah OK, I can see that this attribute is completely missing also in the domain root.
So the best way is to import the schema manually despite running 2008 R2.
 
LVL 6

Expert Comment

by:Vikas Shah
ID: 33435331
Yep,

Do that and Let me know if you still experience any issues further.

Awaiting Reply,

Regards,
Vikas
 

Accepted Solution

by: img-admin
ID: 33465282
Hi. The problem was that the setting under "Fixed Data Drives" -> "Choose how BitLocker-protected fixed drives can be recovered" wasn't set. There you can enable "Save BitLocker recovery information to AD DS for fixed data drives".

The reason I couldn't see the attributes was that my admin account has delegated rights to specific OUs only.
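The check and the escrow described in the question and the accepted solution, as an added worked example that is not part of the original thread. It assumes an elevated PowerShell session on the Windows 7 client, a BitLocker-protected fixed data drive D: (placeholder), and, for the final query, the RSAT ActiveDirectory module; the registry value names are the ones the BitLocker and TPM administrative templates write under HKLM\SOFTWARE\Policies, and the manage-bde output parsing relies on the "Numerical Password:" / "ID: {...}" layout that manage-bde -protectors -get prints.

```powershell
# Added example, not from the original post. Reads the policy values that
# decide whether recovery information may be escrowed to AD DS, pushes the
# numerical-password protector of one fixed data drive to AD, and verifies
# that the msFVE-RecoveryInformation child object exists under the computer.

$Drive = 'D:'   # assumption: the BitLocker-protected fixed data drive

# Policy registry locations written by the GPOs named in the thread.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Get-PolicyValue($Path, $Name) {
    # $null means the GPO never wrote the value, i.e. "Not configured".
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# On Windows 7 the per-drive-type settings (FDV* for fixed data drives,
# OS* for the OS drive) are what manage-bde -adbackup consults. The older
# Vista/2008 top-level "Store BitLocker recovery information in AD DS"
# setting alone does not authorize the escrow, which is the situation the
# accepted solution describes.
$checks = @(
    @{ Setting = 'FDV: "Choose how ... fixed drives can be recovered" enabled'; Path = $fve; Name = 'FDVRecovery' },
    @{ Setting = 'FDV: save recovery information to AD DS';                    Path = $fve; Name = 'FDVActiveDirectoryBackup' },
    @{ Setting = 'FDV: require AD DS backup before enabling';                  Path = $fve; Name = 'FDVRequireActiveDirectoryBackup' },
    @{ Setting = 'FDV: what to store (1 = password + key package, 2 = password)'; Path = $fve; Name = 'FDVActiveDirectoryInfoToStore' },
    @{ Setting = 'Legacy (Vista/2008): store recovery information in AD DS';    Path = $fve; Name = 'ActiveDirectoryBackup' },
    @{ Setting = 'TPM: turn on TPM backup to AD DS';                           Path = $tpm; Name = 'ActiveDirectoryBackup' },
    @{ Setting = 'TPM: require TPM backup to AD DS';                           Path = $tpm; Name = 'RequireActiveDirectoryBackup' }
)
foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Name
    '{0,-72} {1}' -f $c.Setting, $(if ($null -eq $v) { 'NOT CONFIGURED' } else { $v })
}

# Escrow: collect the ID of every numerical-password protector on the drive.
# manage-bde prints "Numerical Password:" on one line and "ID: {GUID}" on
# the next; the TPM protector's "ID:" line is preceded by "TPM:" and is
# filtered out, because only the numerical password is escrowed.
$ids = manage-bde -protectors -get $Drive |
       Select-String -Pattern 'ID: (\{[0-9A-Fa-f-]+\})' -Context 1,0 |
       Where-Object { $_.Context.PreContext -match 'Numerical Password' } |
       ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $ids) {
    Write-Warning "$Drive has no numerical-password protector; add one with: manage-bde -protectors -add $Drive -recoverypassword"
}
foreach ($id in $ids) {
    # Fails with "Group policy does not permit ..." when the FDV* values
    # above are NOT CONFIGURED, exactly as reported in the question.
    manage-bde -protectors -adbackup $Drive -id $id
}

# Verification (needs the RSAT ActiveDirectory module, or run it on a DC):
# the escrowed object is a direct child of the computer object with
# objectClass msFVE-RecoveryInformation. The recovery password attribute
# itself is deliberately not selected here.
Import-Module ActiveDirectory
$computer = Get-ADComputer $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties msFVE-VolumeGuid, whenCreated |
    Select-Object Name, whenCreated, msFVE-VolumeGuid
```

If the FDV rows print NOT CONFIGURED while the legacy and TPM rows are set, the client is in the state the accepted solution describes and the -adbackup call will be refused until "Choose how BitLocker-protected fixed drives can be recovered" is enabled with "Save BitLocker recovery information to AD DS for fixed data drives" checked. If the escrow succeeds but the final query returns nothing, check whether the querying account's delegated rights cover the computer's OU before concluding that nothing was stored, since that is the second problem noted in the accepted solution.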
