
We have several Windows 10 laptops (Win10 Enterprise, most running Build 1803) here in our main office and in multiple co-locations. We are implementing BitLocker company-wide and we have a GPO that enables and (should) save the BitLocker key to Active Directory. However, for some machines it has not been saving the key. I think this is only happening on machines that were already using BitLocker, because each test I've done on a new machine where the GPO enables BL also saves the key (I've yet to see it fail even once).

For existing machines that are using BitLocker but do not have their key saved in AD, I have been running this simple PowerShell command/script, either in a PSRemoting session, or via Invoke-Command {block}

# Select the RecoveryPassword protector(s) on the OS volume
$keyID = Get-BitLockerVolume -MountPoint c: | select -ExpandProperty keyprotector | 
            where {$_.KeyProtectorType -eq 'RecoveryPassword'}
# Push that protector's recovery password to the computer object in AD
Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $keyID.KeyProtectorId

However, I am trying to run this against a few machines and getting this error:

Backup-BitLockerKeyProtector : The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. (Exception from HRESULT: 0x8031000A)
At line:1 char:1
+ Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $keyID.Ke ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Backup-BitLockerKeyProtector

I am one of the Domain Admins. I've read that this is an issue with Win10 Build 1803 here and here. However, both links just mention enabling BitLocker, not necessarily saving the BL keys to ADDS retroactively. Any help appreciated.

KidACrimson
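The retroactive backup the question describes, written out as an added example (not code from the question or from the commenters): it backs up every RecoveryPassword protector on C:, creates one first if the volume has none (AD only receives a password when one exists), falls back to manage-bde if the cmdlet throws, and then verifies from the AD side that a msFVE-RecoveryInformation object landed under the computer account. It assumes a domain-joined admin host with the RSAT ActiveDirectory module, the remote machine reachable via PSRemoting, and that the stored object's CN ends with the protector GUID.

```powershell
# Added example; assumes RSAT ActiveDirectory module and PSRemoting to the client.
param([string]$ComputerName = $env:COMPUTERNAME)

# 1. On the client: make sure a RecoveryPassword protector exists, back each up.
$ids = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery password yet: nothing would be written to AD, so add one.
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint 'C:' `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            # Same AD write path via manage-bde, as the comments suggest trying.
            Write-Warning "$($_.Exception.Message) -- retrying with manage-bde"
            manage-bde -protectors -adbackup C: -id $p.KeyProtectorId | Out-Null
        }
        $p.KeyProtectorId   # returned to the caller, looks like {GUID}
    }
}

# 2. From AD: each backed-up password is a msFVE-RecoveryInformation child
#    of the computer object; its CN is "<timestamp>{<protector GUID>}" (assumption).
Import-Module ActiveDirectory
$dn     = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$stored = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
              -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
foreach ($id in $ids) {
    $hit = $stored | Where-Object Name -like "*$id*"
    if ($hit) { "OK      $ComputerName $id stored as $($hit.Name)" }
    else      { "MISSING $ComputerName $id not found under computer object" }
}
```

If step 2 reports MISSING for every protector while step 1 raised no error, check the schema first (the msFVE-RecoveryInformation class must exist in the forest) before suspecting the client.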
  • Actually there are both recovery keys and recovery numerical passwords. You're backing up the recovery password. Most people use recovery passwords (I've never seen anyone use a recovery key, and most people don't know how to do so from AD), so any group policies you have for BitLocker should specify "Store recovery passwords only". Do you get the same error using manage-bde.exe? – Greg Askew Nov 02 '18 at 19:39
  • Unfortunately, BitLocker recovery information is not synchronized with the AD computer object. It is only written to AD at the moment BitLocker is turned on or a new recovery password is generated. You can try your luck with manage-bde instead: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/ – twconnell Nov 02 '18 at 22:02
