Bitlocker keys saved to Active Directory
My environment: 2008 R2 and Windows 7 Ultimate (workstations are stored in an OU in a child domain off the root domain that is fully trusted). Schema appears to be OK and I have verified the default permissions for the computer objects according to: http://technet.microsoft.com/en-us/library/cc766116(WS.10).aspx

I have set the local GPO on the local workstations to save TPM and BitLocker keys to AD. TPM seems to be stored after getting the Add-TPMSelfWriteACE.vbs working. All workstations are in the same OU. I added the BitLocker viewer to AD and executed EnableBitlocker.vbs /on:TPM /l:c:\bitlocker.log. BitLocker gets turned on, but the keys don't show up in AD on 3 out of 5 workstations. On 2 workstations the keys are in AD and usable; on the other 3 workstations BitLocker turns on but I have no idea where the keys went. And searching the domain with "Find BitLocker keys" does not work at all, even for the 2 workstations whose keys are stored and viewable. What am I doing wrong and how do I correct this? I have 400+ workstations that will need BitLocker keys saved to AD.

I have another concern: when BitLocker is turned on and you go to reboot, the workstation freezes with a black screen and a blinking cursor and you have to hit the power button to recycle 20% of the time. I can't say for sure this is BitLocker causing it, because it has happened after disabling BitLocker on the C: drive (is there residue from BitLocker being turned on and then disabled?).
June 22nd, 2010 2:59am
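One way to audit which workstations in the OU actually have recovery information escrowed, and to re-push it for the ones that do not, as an added example that is not part of the original post or of Microsoft's scripts. It assumes the RSAT ActiveDirectory module, the BitLocker schema extension (msFVE-RecoveryInformation) in the forest, and placeholder OU and child-domain names.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module (Windows Server 2008 R2 / Windows 7 RSAT) and that the BitLocker schema
# extension (msFVE-RecoveryInformation) is present in the forest.
# $OU and $Server are placeholders for the child-domain OU holding the workstations.
Import-Module ActiveDirectory

$OU     = 'OU=Workstations,DC=child,DC=example,DC=com'   # placeholder DN
$Server = 'child.example.com'                             # placeholder child-domain DC

# 1. Which computers in the OU have at least one recovery object escrowed?
#    Recovery info is stored as child objects of the computer object, so search
#    one level below each computer for class msFVE-RecoveryInformation. Querying
#    the child domain's DC explicitly avoids searching only the root domain.
$report = foreach ($c in Get-ADComputer -SearchBase $OU -Filter * -Server $Server) {
    $keys = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated -Server $Server
    [pscustomobject]@{
        Computer     = $c.Name
        RecoveryKeys = @($keys).Count
        LastEscrow   = ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}
$report | Sort-Object RecoveryKeys | Format-Table -AutoSize

# 2. On a workstation whose row shows 0 keys, re-push the existing numerical
#    password protector to AD instead of decrypting and re-encrypting.
#    Run locally in an elevated prompt:
#      manage-bde -protectors -get C:          (note the Numerical Password ID)
#      manage-bde -protectors -adbackup C: -id {ID-FROM-PREVIOUS-COMMAND}
#    The re-escrow fails if the computer account cannot create
#    msFVE-RecoveryInformation child objects under its own computer object,
#    so a failure here points at the permissions rather than at the GPO.
```

The report shows the escrow gap per machine, so the 3 workstations can be compared against the 2 working ones before any change is made to the remaining 400.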