asked on BitLocker Recovery Information not backing up to AD DS
I am not able to get BitLocker recovery information to back up to Active Directory. My understanding is that the BitLocker and TPM recovery information should show up in the BitLocker Recovery tab of the computer object in AD, but it isn't. Here is what I've done:
- Set up a GPO with the following:
Computer/Policies/Administ
Computer/Policies/Administ
Computer/Policies/Administ
Allow Data recovery agent: Enabled
Configure user storage of BitLocker recovery information: Allow 48-digit recovery password, Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save Bitlocker recovery information to AD DS for operating system drives: Enabled
Configure Storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
Computer/Policies/Administ
Allow Bitlocker without a compatible TPM: enabled
Settings for computers with a TPM:
Configure TPM startup: allow TPM
Configure TPM startup pin: Allow startup PIN with TPM
COnfigure TPM startup key: allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
- Set AD permissions to give SELF Write msTPM-OwnerInformation and Write msTPM-TpmInformationForCom
We are running 2012 R2 DCs running at 2012 R2 domain and forest functional levels, so my understanding is there aren't any required schema extensions. The computer is running Windows 8.1 Pro. I have verified that the computer is applying the GPO and I have double-checked that these permissions are applying to my test machine, but still no recovery information in AD. I have decrypted and encrypted the machine multiple times. What am I doing wrong?
- Set up a GPO with the following:
Computer/Policies/Administ
Computer/Policies/Administ
Computer/Policies/Administ
Allow Data recovery agent: Enabled
Configure user storage of BitLocker recovery information: Allow 48-digit recovery password, Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save Bitlocker recovery information to AD DS for operating system drives: Enabled
Configure Storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
Computer/Policies/Administ
Allow Bitlocker without a compatible TPM: enabled
Settings for computers with a TPM:
Configure TPM startup: allow TPM
Configure TPM startup pin: Allow startup PIN with TPM
COnfigure TPM startup key: allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
- Set AD permissions to give SELF Write msTPM-OwnerInformation and Write msTPM-TpmInformationForCom
We are running 2012 R2 DCs running at 2012 R2 domain and forest functional levels, so my understanding is there aren't any required schema extensions. The computer is running Windows 8.1 Pro. I have verified that the computer is applying the GPO and I have double-checked that these permissions are applying to my test machine, but still no recovery information in AD. I have decrypted and encrypted the machine multiple times. What am I doing wrong?
EncryptionWindows 8Active Directory
Last Comment
ejscn
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks, McKnife. That was right. I was using gpresult to check to see if the policy applied, and it did, but with errors. rsop.msc showed that there were errors modifying the registry. Since this was just a test PC, I formatted it, which resolved the issue. Thank you for your help!