Darrin Crawford
asked on
How exactly does BitLocker function on a Domain Controller with regard to linking with Active Directory as a failover?
BitLocker - Domain Controller
Is it possible to link this to Active Directory?
So that if a user activates BitLocker, the password appears in AD, to ensure access if the user forgets.
Also, how does this work if a user already has BitLocker activated on their device?
And finally, is it possible to have this for a selected group, i.e. there are some users who have other encryption products on their devices whom we don't want to touch?
ASKER
Thanks - how can these be backed up via a deployable task?
I am on the road. Google finds instructions on deploying immediate tasks: https://4sysops.com/archives/run-powershell-scripts-as-immediate-scheduled-tasks-with-group-policy/
Command will be executed by the system account and is, if memory serves:
Manage-bde -protectors -adbackup c:
ASKER CERTIFIED SOLUTION
ASKER
many thanks
Be aware that the same command can be used with any drive letter in case there's more than just c: around. It wouldn't hurt if you set this up for any possible letter.
You set a GPO so that BL will back up the recovery key to AD.
On machines without BL, this has no effect.
On machines with BL already active, this also has no effect, so on those, the key will need to be backed up manually via a deployable scheduled task command. Details available if needed.
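An added example (not from this thread) of the "deployable scheduled task" approach described above, written as a PowerShell script to run as SYSTEM from a GPO immediate task: it walks every encrypted volume rather than a single drive letter, escrows each recovery-password protector to AD, and records the result in a log file under ProgramData (the log path is the example's own choice). It assumes the BitLocker PowerShell module and a domain-joined machine with the "Store BitLocker recovery information in AD DS" policy already enabled.

```powershell
# Added example: escrow every BitLocker recovery-password protector on every
# encrypted volume to Active Directory. Run as SYSTEM (GPO immediate task).
# Requires the BitLocker module (Windows 8 / Server 2012 and later) and the
# "Store BitLocker recovery information in AD DS" policy enabled beforehand.

$results = @()
foreach ($vol in Get-BitLockerVolume) {
    # A fully decrypted volume has nothing to escrow.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # TPM-only or password-only protection has no recovery key to store in AD.
        $results += [pscustomobject]@{
            Volume = $vol.MountPoint; ProtectorId = $null; Status = 'NoRecoveryPassword'
        }
        continue
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # Same operation as: manage-bde -protectors -adbackup <drive> -id <protector GUID>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUp'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        $results += [pscustomobject]@{
            Volume = $vol.MountPoint; ProtectorId = $kp.KeyProtectorId; Status = $status
        }
    }
}

# Append an audit line per protector so the task's outcome can be collected centrally.
# Log path is this example's assumption, not a BitLocker convention.
$log = Join-Path $env:ProgramData 'BitLockerAdBackup.log'
$results | ForEach-Object {
    '{0} {1} {2} {3}' -f (Get-Date -Format s), $_.Volume, $_.ProtectorId, $_.Status
} | Add-Content -Path $log

$results
```

A successful escrow is also recorded by Windows in the Microsoft-Windows-BitLocker-API operational event log (event ID 845), which is the easier signal to monitor at scale than the per-machine log file.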