Backing up BitLocker Recovery Passwords to AD
Windows Server 2003 domain, Windows 7 Enterprise clients (both 32 and 64 bit). Have followed the steps here: http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx

Have confirmed the schema extension has been applied (class msFVE-RecoveryInformation and attribute msTPM-OwnerInformation all exist).
Have confirmed the SELF user has write permission at the domain root level to msTPM-OwnerInformation and that the permission is inherited by my sample target clients.
Have created, and confirmed via gpresult and rsop.msc that it has applied, a GPO to Require BitLocker backup to AD (Recovery passwords and key package).
Running the sample script Get-TPMOwnerInfo.vbs DOES return the msTPM-OwnerInformation hash successfully.
Running the sample script Get-BitLockerRecoveryInfo.vbs, on the other hand, does NOT return any info! Also, under the computer object's BitLocker Recovery tab, there are no results found. I've tested and confirmed this same behaviour on multiple machines.

BitLocker is being enabled using manage-bde and the recovery password protector has been added after encryption is turned on (manage-bde -protectors -add -RecoveryPassword <drive>).

Any assistance or suggestions are appreciated. Thanks!
May 5th, 2011 1:49am

BitLocker Recovery Information is backed up in AD by configuring GPO. Follow these blogs which will help you.

GPO for Win 2003 servers: http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx
GPO for Win 2008 R2 servers: http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
Script to escrow key to AD after BitLocker is turned ON: http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

Hope this helps you.
- Manoj (MSFT) Manoj Sehgal
May 7th, 2011 8:55pm

Thanks Manoj, that last article did assist in helping me towards a solution.

When first running manage-bde -protectors -adbackup c: -id <numerical-id> I was getting a group policy permission denied error which matched the situation in this thread: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2db92303-3430-4627-a264-196b8b5636d0/

I initially tried setting the necessary GPO options via local policy, which worked, but I have Windows Server 2003 domain controllers and, even trying to set group policy on a Windows 7 machine with RSAT installed, the Windows 7 group policy options are not available (i.e. the Fixed Data drive, Operating System drive, etc. options); they are only available in the ADMX templates, which Windows 2003 can't read.

Also, it turns out that the backup to AD registry settings that get applied have changed from Vista to 7. In Vista the policy created keys called ActiveDirectoryBackup, ActiveDirectoryInfoToStore and RequireActiveDirectoryBackup. Windows 7 does not honor these as they are now on a drive type basis. So, I created in my GPO Extra Registry Settings as follows: OSActiveDirectoryBackup, OSActiveDirectoryInfoToStore and OSRequireActiveDirectoryBackup (because I am encrypting the OS drive in this case), and it works fine now. These registry settings should be created in HKLM\SOFTWARE\Policies\Microsoft\FVE

Hope this helps others.
May 8th, 2011 11:41pm
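The following script is an added example, not code from this thread or from the Microsoft blog posts linked above. It checks the three Windows 7 per-drive-type policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the answer above names, optionally writes them locally for a standalone test machine, and then escrows every existing numerical-password (recovery password) protector on the OS drive to AD through the Win32_EncryptableVolume WMI provider, which is the same operation manage-bde -protectors -adbackup performs. The value names come from the thread; the numeric meanings (1 = enabled, and for OSActiveDirectoryInfoToStore 1 = recovery passwords and key packages) are assumed to match the corresponding Group Policy setting, and the function names are my own.

```powershell
# Added example (not from the thread): verify the Windows 7 form of the
# BitLocker AD-backup policy and escrow recovery passwords for the OS drive.
# Run from an elevated PowerShell prompt on a domain-joined Windows 7 client.

$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value names are the ones the thread reports working on Windows 7.
# Numeric meanings are an assumption based on the OS-drive recovery policy:
# 1 = enabled; for InfoToStore, 1 = recovery passwords and key packages.
$ExpectedPolicy = @{
    'OSActiveDirectoryBackup'        = 1
    'OSRequireActiveDirectoryBackup' = 1
    'OSActiveDirectoryInfoToStore'   = 1
}

function Test-FveOsPolicy {
    # Returns a list of values that are missing or differ from the expected setting.
    $problems = @()
    foreach ($name in $ExpectedPolicy.Keys) {
        $item = Get-ItemProperty -Path $FveKey -Name $name -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            $problems += "$name is missing"
        } elseif ($item.$name -ne $ExpectedPolicy[$name]) {
            $problems += "$name is $($item.$name), expected $($ExpectedPolicy[$name])"
        }
    }
    return $problems
}

function Set-FveOsPolicy {
    # Writes the values locally, equivalent to the local-policy test in the thread.
    # On a domain, deliver the same values through the GPO's Extra Registry Settings
    # so they are not overwritten at the next policy refresh.
    if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
    foreach ($name in $ExpectedPolicy.Keys) {
        Set-ItemProperty -Path $FveKey -Name $name -Value $ExpectedPolicy[$name] -Type DWord
    }
}

function Backup-RecoveryPasswordsToAD {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { throw "No encryptable volume found for $DriveLetter" }

    # Key protector type 3 = numerical password (the 48-digit recovery password).
    $result = $vol.GetKeyProtectors(3)
    if ($result.ReturnValue -ne 0) {
        throw ("GetKeyProtectors failed: 0x{0:X8}" -f $result.ReturnValue)
    }
    if (-not $result.VolumeKeyProtectorID) {
        Write-Warning "$DriveLetter has no recovery password protector; add one first (manage-bde -protectors -add -RecoveryPassword $DriveLetter)"
        return
    }

    foreach ($id in $result.VolumeKeyProtectorID) {
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -eq 0) {
            Write-Host "Escrowed protector $id for $DriveLetter to AD"
        } else {
            # A non-zero code here is the WMI counterpart of the group policy error
            # the thread hit: re-check Test-FveOsPolicy and the SELF write permission
            # on the computer object before retrying.
            Write-Warning ("Backup of protector {0} failed: 0x{1:X8}" -f $id, $rc)
        }
    }
}

$issues = Test-FveOsPolicy
if ($issues) {
    Write-Warning ("Policy is not in the Windows 7 form: " + ($issues -join '; '))
    Write-Warning "Fix the GPO (or call Set-FveOsPolicy on a standalone test box), run gpupdate, then rerun."
} else {
    Backup-RecoveryPasswordsToAD -DriveLetter 'C:'
}
```

After a successful run, the recovery information should appear under the computer object's BitLocker Recovery tab and be returned by the Get-BitLockerRecoveryInfo.vbs sample the original question mentions; if the WMI call succeeds but AD still shows nothing, the remaining suspects are replication delay and the SELF write permission on msFVE-RecoveryInformation rather than the client policy.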
