
Bitlocker Group Policy Configuration Tip

Kraft Kennedy


BitLocker is quickly becoming standard in Kraft Kennedy’s Windows 7 deployments for clients with Windows 7 Enterprise licenses. BitLocker is easy to configure and enable automatically during MDT or SCCM workstation builds, and enabling it automatically via third-party tools is also straightforward. Combined with this ease of deployment, BitLocker’s ability to back up encryption recovery keys to Active Directory makes it a very attractive option for clients looking to implement manageable desktop and laptop encryption.

Microsoft provides ample documentation describing the process for enabling BitLocker in the enterprise. There are only half a dozen or so steps required to prepare the Active Directory environment, and then a few minor modifications to the SCCM or MDT task sequence to enable BitLocker during builds. In the field I have found one area where the BitLocker documentation is lacking, and I thought I would share this tip.

When enabling backup of BitLocker recovery key information to Active Directory, Group Policy must be configured in order to turn on the Active Directory backup feature of BitLocker on the workstation itself. The Microsoft guide for preparing and configuring Active Directory can be found HERE.

Unfortunately the guide does not provide complete information for the Group Policy configuration. Following the guide results in two Group Policy settings being configured, one for TPM recovery keys and one for BitLocker recovery keys. Six Group Policy settings are required in order to properly configure Active Directory backup of BitLocker keys, and this requirement is not clearly detailed in the Microsoft documentation. If these policy settings are missing and you attempt to save BitLocker recovery information to Active Directory via the “manage-bde -protectors -adbackup c: -id {device id}” command line, you will receive the following error:

ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.

Additionally, searches for recovery key information in Active Directory BitLocker Recovery Key Viewer will not return any results.

Resolution:

Verify all of the following group policies are configured and present on the workstation, then retry saving BitLocker recovery information to Active Directory via the “manage-bde -protectors -adbackup c: -id {device id}” command:

    • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

    • Configure how BitLocker-protected operating system drives can be recovered

    • Configure how BitLocker-protected removable data drives can be recovered

    • Configure how BitLocker-protected fixed data drives can be recovered

    • Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista)

And finally, for the TPM:

    • Turn on TPM Backup to Active Directory Domain Services

If you do not know the device id then run the “manage-bde -protectors -get c:” command, replacing “c” with the drive letter of the device in question.  If all of these settings have been configured properly and BitLocker is successfully enabled you will see the following event in the system log:
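As an added example (not part of the original post), the script below checks the workstation's registry footprint of the AD DS backup policies before running the two manage-bde commands described above, so that a missing policy is reported instead of the "Group policy does not permit" error. The registry value names under the FVE and TPM policy keys are assumptions based on the BitLocker/TPM policy templates; verify them against your own ADMX files. The legacy "Configure how BitLocker-protected drives can be recovered (2008 and Vista)" policy has no single marker value here and is not checked.

```powershell
# Added example, not the original post's code. Registry value names are assumptions.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Policy display name -> (registry key, DWORD value written when the GPO is enabled)
$required = @{
    'Store BitLocker recovery information in AD DS (2008/Vista)' = @($fve, 'ActiveDirectoryBackup')
    'Configure how OS drives can be recovered'                   = @($fve, 'OSActiveDirectoryBackup')
    'Configure how fixed data drives can be recovered'           = @($fve, 'FDVActiveDirectoryBackup')
    'Configure how removable data drives can be recovered'       = @($fve, 'RDVActiveDirectoryBackup')
    'Turn on TPM backup to AD DS'                                = @($tpm, 'ActiveDirectoryBackup')
}

function Test-BitLockerAdBackupPolicy {
    # Returns the display names of policies whose marker value is absent or not 1.
    $missing = foreach ($name in $required.Keys) {
        $path, $value = $required[$name]
        $v = (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value
        if ($v -ne 1) { $name }
    }
    return @($missing)
}

function Get-RecoveryPasswordProtectorId {
    param([string]$Drive = 'C:')
    # manage-bde prints one section per protector; the ID under "Numerical Password:"
    # is the recovery-password protector that -adbackup expects.
    $lines = & manage-bde -protectors -get $Drive
    $inNumeric = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Numerical Password:') { $inNumeric = $true; continue }
        if ($inNumeric -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $Matches[1] }
        if ($inNumeric -and $line -match '^\s*\S+:\s*$') { $inNumeric = $false }  # next section
    }
}

$missing = Test-BitLockerAdBackupPolicy
if ($missing.Count -gt 0) {
    Write-Warning 'Policies not applied on this workstation (run gpupdate /force and retry):'
    $missing | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

$id = Get-RecoveryPasswordProtectorId -Drive 'C:'
if (-not $id) { Write-Error 'No numerical password protector found on C:'; exit 1 }
& manage-bde -protectors -adbackup C: -id $id
```

Run it in an elevated PowerShell session on the workstation after a gpupdate, since the policy values only appear once the GPO has actually applied.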