Hi,
I have started to implement BitLocker on laptops in my organisation, starting with a few test machines.
I configured a GPO and applied it to my 'test laptops' OU configured with the following settings:
Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption
- Turn on BitLocker Backups to Active Directory Domain Services (also ticked 'Require BitLocker backup to ADDS')
Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services
- Turn on TPM Backup to Active Directory Domain Services (also ticked 'Require TPM backup to ADDS')
I then ran a gpupdate /force on my test machine, rebooted for good measure and then tried manually backing up the BitLocker/TPM data to ADDS using the following commands:
manage-bde -protectors -get c:
Volume C: []
All Key Protectors
TPM:
ID: {C15C7DBE-956D-4F48-9CB1-D4A024651530}
Numerical Password:
ID: {57FA6ECB-832D-4068-B4E8-E6A4D0250796}
Password:
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
manage-bde -protectors -adbackup c: -id {57FA6ECB-832D-4068-B4E8-E6A4D0250796}
ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.
I removed this GPO link, did a gpupdate /force and another reboot to remove the settings from the GPO, and received the same problem. I have checked all other GPOs and none contain anything that should restrict the updating of information to ADDS.
Domain and Forest Functional Level are both 2008 R2.
Thanks, Christoph
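The following PowerShell script is an added example and is not part of Christoph's post. When manage-bde refuses an -adbackup with "Group policy does not permit the storage of recovery information to Active Directory", the decision is made from the policy values that Group Policy has written to the local registry, so the useful first check is to read those values directly rather than trusting what the GPO editor shows. The script reports the AD DS backup settings under the BitLocker (FVE) and TPM policy keys and then lists the numerical password protectors on C: that an AD backup would apply to. The registry value names are taken from the BitLocker and TPM ADMX templates as I know them; treat them as assumptions and verify them against the ADMX files in your own central store. The regex assumes English manage-bde output.

```powershell
# Added example: inspect the local policy state that manage-bde -adbackup depends on.
# Assumed value names follow the BitLocker (FVE) and TPM ADMX templates; verify locally.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is Not Configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# One entry per policy value that influences whether recovery information may go to AD DS.
# Indented settings are sub-options of the setting above them.
$checks = @(
    @{ Path = $fvePolicy; Name = 'ActiveDirectoryBackup';          Setting = 'Turn on BitLocker backup to AD DS' },
    @{ Path = $fvePolicy; Name = 'RequireActiveDirectoryBackup';   Setting = '  Require BitLocker backup to AD DS' },
    @{ Path = $fvePolicy; Name = 'OSRecovery';                     Setting = 'Choose how BitLocker-protected OS drives can be recovered' },
    @{ Path = $fvePolicy; Name = 'OSActiveDirectoryBackup';        Setting = '  Save BitLocker recovery information to AD DS (OS drives)' },
    @{ Path = $fvePolicy; Name = 'OSRequireActiveDirectoryBackup'; Setting = '  Do not enable BitLocker until recovery info is stored in AD DS' },
    @{ Path = $tpmPolicy; Name = 'ActiveDirectoryBackup';          Setting = 'Turn on TPM backup to AD DS' },
    @{ Path = $tpmPolicy; Name = 'RequireActiveDirectoryBackup';   Setting = '  Require TPM backup to AD DS' }
)

'== Local policy registry state =='
foreach ($c in $checks) {
    $v = Get-PolicyDword -Path $c.Path -Name $c.Name
    $state = if ($null -eq $v) { 'Not configured' } elseif ($v -eq 1) { 'Enabled' } else { "Value=$v" }
    '{0,-15} {1,-32} {2}' -f $state, $c.Name, $c.Setting
}

"`n== Numerical Password protectors on C: =="
# manage-bde prints 'Numerical Password:' followed by an 'ID: {GUID}' line (English output assumed).
$raw = (& manage-bde -protectors -get C:) -join "`n"
$ids = [regex]::Matches($raw, 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})') |
       ForEach-Object { $_.Groups[1].Value }

if (-not $ids) {
    'No numerical password protector found; there is nothing to back up to AD DS.'
} else {
    # Only numerical password (recovery password) protectors are escrowed in AD DS;
    # print the exact command that would attempt the backup for each one.
    $ids | ForEach-Object { "Protector $_  -> manage-bde -protectors -adbackup C: -id $_" }
}
```

Run it in an elevated PowerShell on the affected laptop after gpupdate /force. A row that reads "Not configured" for a setting you believe the GPO enables means the policy was not applied locally (wrong OU scoping, filtering, or an unlinked GPO still being cached), which is worth confirming with gpresult /h before changing anything in AD.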