BitLocker and AD
Domain Functional Level: 2008. Four domain servers, Windows 2008 fully service-packed and updated, R1 (not R2). Installed the BitLocker View Password application on all DCs; can see the BitLocker tab in ADUC. In the Default Domain Group Policy, I set "Enable backup of BitLocker keys to AD". Within that setting, I have it set to "Require BitLocker backup to AD DS". Problem is, I can turn on BitLocker by saving the key to a thumb drive. I have verified in ADSIEDIT that the BitLocker containers are present. I have verified with Group Policy that the computer has this GPO. Any help would be appreciated. Thanks.
May 20th, 2011 12:05pm

Could you rephrase the problem you are having? Is it that you do not get the option to save the key to a thumb drive? Thanks, Ram
May 20th, 2011 8:31pm

Thanks for the response. Yeah, I wasn't very clear. I apologize. My goal is to prevent my users, through Group Policy, from turning BitLocker on if the recovery passwords are not backed up to Active Directory. Within the BitLocker section of Computer Configuration in Group Policy, I have enabled "Store BitLocker recovery information in AD DS". Within Fixed Drives, I have enabled "Do not enable BitLocker until recovery information is stored in AD DS" (this was within "Choose how BitLocker-protected fixed drives can be recovered"). Within Operating System Drives, I have enabled "Choose how BitLocker-protected operating system drives can be recovered", and within that I have selected "Do not enable BitLocker until recovery information is stored in AD DS" as well. After applying these GPOs to an OU that contains my computer, I can disconnect from the network and still turn BitLocker on.
May 22nd, 2011 3:27pm

Hi StanLan, I'm a little confused about your question. The backup recovery passwords can be stored in AD only after BitLocker is turned on in Windows 7. This is by-design behavior. Please refer to the steps here: http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx Regards, Miya. This posting is provided "AS IS" with no warranties, and confers no rights.
May 24th, 2011 6:38am

Stan, on the client machine use gpresult or RSoP to verify whether the GPOs are applied or not. Once you verify that the correct GPOs are applied, take the machine off the network and try to enable BitLocker. It should fail, since we cannot back up recovery information to AD. Hope this helps. -Manoj Sehgal (MSFT)
May 24th, 2011 7:40pm
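The verification Manoj describes, as an added example that is not part of the thread: it reads the BitLocker policy values Group Policy writes to the client registry, lists the numerical-password protectors on a drive with manage-bde, and checks that each one has a matching msFVE-RecoveryInformation object under the computer account in AD DS. Assumptions, not stated on the page: the registry value names are those written by the VolumeEncryption.admx template, manage-bde output is in English, and the script runs elevated on a domain-joined Windows 7 client with line of sight to a DC.

```powershell
# Added example, not from the thread. Run elevated on the Windows 7 client.
# Assumed: value names under HKLM\SOFTWARE\Policies\Microsoft\FVE follow the
# VolumeEncryption.admx template; manage-bde output is English-locale.

$Drive        = 'C:'
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FveAdBackupPolicy {
    # A missing key or value means the setting is "Not Configured" on this client.
    $p = if (Test-Path $FvePolicyKey) { Get-ItemProperty -Path $FvePolicyKey } else { $null }
    $names = @(
        # "Store BitLocker recovery information in AD DS" (Vista / Server 2008 setting)
        'ActiveDirectoryBackup'
        'RequireActiveDirectoryBackup'
        # "Choose how BitLocker-protected operating system drives can be recovered" (Windows 7)
        'OSActiveDirectoryBackup'
        'OSRequireActiveDirectoryBackup'
        # "Choose how BitLocker-protected fixed drives can be recovered" (Windows 7)
        'FDVActiveDirectoryBackup'
        'FDVRequireActiveDirectoryBackup'
    )
    foreach ($n in $names) {
        New-Object PSObject -Property @{ Setting = $n; Value = $p.$n }
    }
}

function Get-RecoveryPasswordIds([string]$Volume) {
    # Each "Numerical Password:" block in manage-bde output is followed by an "ID: {GUID}" line.
    $inBlock = $false
    foreach ($line in (manage-bde -protectors -get $Volume)) {
        if ($line -match 'Numerical Password') { $inBlock = $true; continue }
        if ($inBlock -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $Matches[1]
            $inBlock = $false
        }
    }
}

function Get-AdRecoveryObjectNames {
    # Locate this computer's account, then its msFVE-RecoveryInformation children.
    # Only CN is read; msFVE-RecoveryPassword is confidential and needs delegated rights.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $acct = ([ADSISearcher]$filter).FindOne()
    if (-not $acct) { throw "Computer account for $env:COMPUTERNAME not found in AD DS" }
    $dn = $acct.Properties['distinguishedname'][0]
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$dn"
    $s.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $s.SearchScope = 'OneLevel'
    [void]$s.PropertiesToLoad.Add('cn')
    foreach ($r in $s.FindAll()) { $r.Properties['cn'][0] }
}

# --- main ---
Write-Host "Effective BitLocker AD DS backup policy on this client:"
Get-FveAdBackupPolicy | Format-Table Setting, Value -AutoSize

$ids  = @(Get-RecoveryPasswordIds $Drive)
$inAd = @(Get-AdRecoveryObjectNames)
if ($ids.Count -eq 0) { Write-Warning "$Drive has no numerical password protector" }
foreach ($id in $ids) {
    # The CN of a recovery object is "<timestamp><protector GUID>", so a substring match suffices.
    if ($inAd -like "*$id*") {
        Write-Host "OK      $Drive protector $id is backed up to AD DS"
    } else {
        Write-Warning "MISSING $Drive protector $id is not in AD DS; push it with:"
        Write-Warning "  manage-bde -protectors -adbackup $Drive -id $id"
    }
}
```

Run `gpupdate /force` first and compare the Value column with what `gpresult /h report.html` shows for the same settings; if the OS* and FDV* values are absent, the Windows 7 per-drive-type policies are not reaching the machine and the Vista-era setting alone will not block enabling BitLocker offline.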

