Group Policy denies storage of BitLocker recovery information


Hi,

I have started implementing BitLocker on laptops in our organisation, starting with a few test machines.

I configured a GPO, applied it to the 'Test Laptops' OU and configured the following settings:

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption
 - Turn on BitLocker backup to Active Directory Domain Services (also ticked 'Require BitLocker backup to AD DS')

Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services
 - Turn on TPM backup to Active Directory Domain Services (also ticked 'Require TPM backup to AD DS')

I ran gpupdate /force on the test machine, rebooted for good measure, and tried manually backing up the BitLocker/TPM data to AD DS using the following commands:

manage-bde -protectors -get C:

Volume C: []
All Key Protectors

  TPM:
   ID: {c15c7dbe-956d-4f48-9cb1-d4a024651530}

  Numerical Password:
   ID: {57fa6ecb-832d-4068-b4e8-e6a4d0250796}
   Password:
    xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

manage-bde -protectors -adbackup C: -id {57fa6ecb-832d-4068-b4e8-e6a4d0250796}

ERROR: Group Policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.

I removed the GPO link, ran gpupdate /force and rebooted to remove the GPO settings, and still receive the same problem. I have checked the other GPOs and none of them contain anything that should restrict updating of information to AD DS.

Domain and forest functional level are both 2008 R2.

Christoph

Hi,

Based on our internal knowledge base, configuring the GPO to enable AD backup of BitLocker information is not enough; the recovery options should also be configured, including storing BitLocker information for fixed and system drives as needed.

So, please enable the appropriate Group Policy setting for the drives you are using BitLocker with. These settings are: Configure how BitLocker-protected operating system drives can be recovered, Configure how BitLocker-protected removable data drives can be recovered, Configure how BitLocker-protected fixed data drives can be recovered, and Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Windows Vista). When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker. You must enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier with a new drive protected by BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on the drive and its value is identical to the value configured on the computer.

 

If the issue persists, please try to review and reconfigure the settings following this Microsoft article:

Backing Up BitLocker and TPM Recovery Information to AD DS
http://technet.microsoft.com/en-us/library/dd875529(ws.10).aspx

For more information, please refer to the following Microsoft TechNet blogs:

Cannot save recovery information for BitLocker in Windows 7
http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx

How to backup recovery information in AD after BitLocker is turned on in Windows 7
http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

 

Regards,

Arthur Li
Forum Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
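The following diagnostic script is an added example for the situation in this thread; it is not part of either post and not Microsoft's code. It first reads the BitLocker policy values as they actually landed on the client under HKLM\SOFTWARE\Policies\Microsoft\FVE, so you can see whether the "operating system drives can be recovered" setting the answer refers to ever reached the machine, and only then repeats the manage-bde protector lookup and AD DS backup from the question in a scripted form. The registry value names (OSRecovery, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup, OSActiveDirectoryInfoToStore) are taken from the BitLocker ADMX template and should be checked against the template version in your domain; the expected values are the ones matching the thread's goal (require backup, store passwords and key packages) and are an assumption about your chosen policy.

```powershell
# Added example (not from the thread): audit the BitLocker AD DS backup policy as it
# reached this client, then back up the recovery password the way manage-bde does.
# Run from an elevated PowerShell prompt on the BitLocker-enabled machine.
# ASSUMPTION: value names are those of the BitLocker ADMX template under the FVE key;
# verify them against your template version before relying on the audit.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values written by the "operating system drives can be recovered" policy. Without the
# recovery policy enabled, the AD DS backup flags alone are not honoured, which is
# the symptom in the thread: manage-bde reports that Group Policy does not permit
# storing recovery information in Active Directory.
$expected = [ordered]@{
    'OSRecovery'                     = 1   # recovery policy for OS drives is enabled
    'OSActiveDirectoryBackup'        = 1   # save recovery information to AD DS
    'OSRequireActiveDirectoryBackup' = 1   # do not enable BitLocker unless backup succeeds
    'OSActiveDirectoryInfoToStore'   = 1   # 1 = passwords and key packages, 2 = passwords only
}

function Test-FvePolicy {
    param([string]$Path, [System.Collections.IDictionary]$Expected)
    # Compare each expected value with what is present in the policy key (missing => $null).
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $key) { $key.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

function Get-RecoveryPasswordProtectorId {
    param([string]$MountPoint = 'C:')
    # manage-bde prints a "Numerical Password:" block followed by "ID: {GUID}";
    # return the first such GUID (English output assumed).
    $inNumeric = $false
    foreach ($line in (& manage-bde -protectors -get $MountPoint)) {
        if ($line -match 'Numerical Password') { $inNumeric = $true; continue }
        if ($inNumeric -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') { return $Matches[1] }
    }
    return $null
}

function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint, [string]$ProtectorId)
    # Same command the question used; manage-bde's own message is left on the console.
    & manage-bde -protectors -adbackup $MountPoint -id $ProtectorId
    return ($LASTEXITCODE -eq 0)
}

$audit = Test-FvePolicy -Path $fve -Expected $expected
$audit | Format-Table -AutoSize

if ($audit | Where-Object { -not $_.Ok }) {
    Write-Warning 'Recovery policy is incomplete on this client. Fix the GPO (OS-drive recovery setting), run gpupdate /force and re-run this script before attempting the backup.'
} else {
    $id = Get-RecoveryPasswordProtectorId -MountPoint 'C:'
    if (-not $id) {
        Write-Warning 'No numerical password protector found on C:.'
    } elseif (Backup-RecoveryPasswordToAd -MountPoint 'C:' -ProtectorId $id) {
        "Recovery password protector $id backed up to AD DS."
    } else {
        Write-Warning "manage-bde returned exit code $LASTEXITCODE; see its output above."
    }
}
```

Running the audit before the backup separates the two failure modes that look identical from the manage-bde error alone: a GPO that never applied (values missing from the FVE key, so check gpresult and the OU link) versus a GPO that applied but lacks the recovery policy (OSActiveDirectoryBackup present, OSRecovery absent). On Windows 8 / Server 2012 and later the BitLocker module's Get-BitLockerVolume and Backup-BitLockerKeyProtector cmdlets replace the manage-bde output parsing used here; the registry audit is unchanged.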

