
I have a device that needs to have its BitLocker recovery information backed up to AD for visibility in the "Bitlocker Recovery" tab of the object in Active Directory.

I found that the device only had a TPM protector. So I added a Numerical Password. I want to backup this numerical password to AD.

I run manage-bde -protectors -adbackup c: -id '{my-id-goes-here}'. Windows replies with: Recovery information was successfully backed up to Active Directory.

I pull up ADUC, find the device, look at its 'Bitlocker Recovery' tab only to find that there is nothing there.

I also tried:

$BLV = Get-BitLockerVolume -MountPoint "C:"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

getting a 0 exit code, but nothing published to AD. Is there something I'm missing here?

The only difference I see between machines that can have it pushed to AD this way and this device is the 'Conversion Status' field:

A machine that works is 'Fully-Encrypted' instead of 'Only Used Space'.

How can I get this password backed up to AD?

beansbeans
  • Have you gone back and double-checked the AD object since originally checking it? Due to replication, there might be some delay before the change becomes visible. – Harry Johnston Dec 15 '18 at 02:05
  • It's pretty instantaneous for most machines, but you might be onto something. I will reply back in short time. – beansbeans Dec 19 '18 at 18:37

2 Answers


"Numerical Password" is not what is backed up to AD. You need to add a "Recovery Key", like this:

Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector

longneck
  • If you look at the first image attached to the post, you'll see that ```Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector``` is exactly what I'm using. This exact method is working for other devices, backing up their Recovery Key to AD. – beansbeans Dec 14 '18 at 21:17
  • Are you sure this PC is getting the correct group policy? Is the Local Policy set and overwriting the Group Policy? – longneck Dec 15 '18 at 01:52

This turned out to be an issue with replication, not Bitlocker.

The Bitlocker Recovery keys tab for some devices in AD was updated instantly. Others were not.

It seems that some devices just took more time for the key to appear. I just tested with one device that wound up taking about 20 minutes to reflect changes in AD.

Anticlimactic, yes. Thank you to everyone who had some input to give on the issue.

beansbeans
  • It just depends on whether the backup chooses to use the same Domain Controller that Active Directory Users & Computers is connected to. If they are the same, you'll see the change instantly. If not, you won't see it until it replicates. Twenty minutes is a bit longer than I'd expect, but even that might be normal if the DCs are in different AD sites. – Harry Johnston Dec 19 '18 at 20:16
  • When you mentioned that in the comments on the question, I realized that this would explain a few other issues that we were bumping into, **and you were absolutely right**. Sent the request to look into the replication issue up to those who manage the infrastructure. – beansbeans Dec 19 '18 at 20:38
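As an added example (not code from the question or either answer), the following PowerShell script adds a recovery password protector when the volume has only a TPM protector, escrows every recovery password to AD, and then asks each domain controller individually whether the msFVE-RecoveryInformation object has arrived, which makes the replication lag described above visible instead of leaving you to refresh ADUC. It assumes the RSAT ActiveDirectory module is installed, the session is elevated on the domain-joined machine, and the caller can read the computer object's child objects.

```powershell
# Added example, not from the question or answers. Assumes RSAT's ActiveDirectory
# module, an elevated session on the domain-joined machine, and read access to
# the computer object's child objects.
Import-Module ActiveDirectory

$mount = 'C:'
$vol   = Get-BitLockerVolume -MountPoint $mount

# AD escrows recovery passwords (the 48-digit numerical password); a TPM-only
# volume has nothing to back up, so add a RecoveryPassword protector if missing.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# Escrow every recovery password protector instead of trusting KeyProtector[1],
# whose index depends on the order protectors were added.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# The escrowed object is a msFVE-RecoveryInformation child of the computer object
# whose msFVE-RecoveryGuid equals the protector GUID. Query each DC directly: the
# backup is written to one DC and reaches the others only after replication, so
# ADUC bound to a different DC can show an empty tab for a while.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $objs = @(Get-ADObject -Server $dc.HostName -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated')
    foreach ($p in $rp) {
        $guid = [guid]$p.KeyProtectorId
        # msFVE-RecoveryGuid is stored as an octet string; cast the bytes to a GUID.
        $hit  = @($objs | Where-Object { [guid]$_.'msFVE-RecoveryGuid' -eq $guid })
        $when = $null
        if ($hit.Count -gt 0) { $when = $hit[0].whenCreated }
        [pscustomobject]@{
            DomainController = $dc.HostName
            ProtectorId      = $p.KeyProtectorId
            Escrowed         = ($hit.Count -gt 0)
            WhenCreated      = $when
        }
    }
}
$report | Format-Table -AutoSize
```

A row showing Escrowed = True on one DC and False on the others is the replication delay in progress; if every DC reports False after the backup cmdlet returned success, check the group policy and local policy settings the first answer's comments point at.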