BitLocker Recovery Information not backing up to AD DS

I am not able to get BitLocker recovery information to back up to Active Directory.  My understanding is that the BitLocker and TPM recovery information should show up in the BitLocker Recovery tab of the computer object in AD, but it isn't.  Here is what I've done:

- Set up a GPO with the following:
      Computer/Policies/Administrative Templates/System/Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services - enabled
      Computer/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption: Store BitLocker recovery information in Active Directory Domain Services (Server 2008 and Vista)
      Computer/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives: Choose how BitLocker-protected system Drives can be recovered
            Allow Data recovery agent: Enabled
            Configure user storage of BitLocker recovery information:  Allow 48-digit recovery password, Allow 256-bit recovery key
            Omit recovery options from the BitLocker setup wizard: Disabled
            Save Bitlocker recovery information to AD DS for operating system drives: Enabled
            Configure Storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
            Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
      Computer/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives: Require Additional authentication at Startup: Enabled
            Allow Bitlocker without a compatible TPM: enabled
            Settings for computers with a TPM:
                  Configure TPM startup: allow TPM
                  Configure TPM startup pin: Allow startup PIN with TPM
                  COnfigure TPM startup key: allow startup key with TPM
                  Configure TPM startup key and PIN: Allow startup key and PIN with TPM

- Set AD permissions to give SELF Write msTPM-OwnerInformation and Write msTPM-TpmInformationForComputer per https://technet.microsoft.com/en-us/library/jj592683.aspx

We are running 2012 R2 DCs running  at 2012 R2 domain and forest functional levels, so my understanding is there aren't any required schema extensions.  The computer is running Windows 8.1 Pro.  I have verified that the computer is applying the GPO and I have double-checked that these permissions are applying to my test machine, but still no recovery information in AD.  I have decrypted and encrypted the machine multiple times.  What am I doing wrong?
ejscnITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
You should check that the GPO applied. Start rsop.msc at the client, and navigate to that sections you quoted. Or is it simply that you don't know where to find the recovery information?
The info will only be backed up if the GPO applies before you encrypt, not afterwards.
Afterwards, you can use the command line to save it:
manage-bde -protectors c: -id...
as shown here: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ejscnITAuthor Commented:
Thanks, McKnife.  That was right.  I was using gpresult to check to see if the policy applied, and it did, but with errors.  rsop.msc showed that there were errors modifying the registry.  Since this was just a test PC, I formatted it, which resolved the issue.  Thank you for your help!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.