Answered Windows 7 AD Bitlocker backup

  • Thursday, October 29, 2009 11:47 AM
     
     
    Hi,

    I'm trying to get BitLocker on Windows 7 to back up to a Server 2008 R2 domain for testing.
    I have followed the instructions here http://technet.microsoft.com/en-us/library/dd875529%28WS.10%29.aspx and most things have gone well, but things start to go wrong at the "To perform the sample test" section.

    I have got to step 15 of the test section and entered manage-bde -protectors -adbackup C:
    It first asks for the BitLocker ID, which the instructions don't mention. I found this and ran the command again including the ID field, and then got the following error: "Group policy does not permit the storage of recovery information to Active Directory."

    I have a GPO in place to force BitLocker and TPM to back up to AD. Can anyone shed any light on this error?

All Replies

  • Thursday, October 29, 2009 12:05 PM
     
     Answered
    Paul,
    make sure to implement the steps described in the "To enable the local policy settings to back up BitLocker and TPM recovery information to Active Directory" section of http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

    hth
    Marcin
    • Marked As Answer by Paul Cranness Thursday, October 29, 2009 2:16 PM
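    A check that ties the question and this reply together, added here as an example and not part of the thread: run on the Windows 7 client after gpupdate, it verifies that the AD backup policy has actually applied, finds the numerical password protector ID that manage-bde -adbackup asked for in the question, and escrows it. It assumes the GPO lands under HKLM\SOFTWARE\Policies\Microsoft\FVE (values ActiveDirectoryBackup / OSActiveDirectoryBackup) and that the OS drive is C:.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions: the policy values land under the FVE key below after gpupdate,
# and the BitLocker-protected OS drive is C:.
$Drive   = 'C:'
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# ActiveDirectoryBackup is written by the Vista-era "Turn on BitLocker backup
# to AD DS" setting; OSActiveDirectoryBackup by the Windows 7 per-drive
# "Configure how BitLocker-protected operating system drives can be recovered"
# setting. If neither is 1, manage-bde -adbackup fails with
# "Group policy does not permit the storage of recovery information".
$policy = Get-ItemProperty -Path $FvePath -ErrorAction SilentlyContinue
$adBackupEnabled = ($policy.ActiveDirectoryBackup -eq 1) -or ($policy.OSActiveDirectoryBackup -eq 1)
if (-not $adBackupEnabled) {
    Write-Warning "AD backup policy not found under $FvePath. Check the GPO scope, then run 'gpupdate /force'."
    return
}

# Locate the numerical password (recovery password) protector IDs. The output of
# 'manage-bde -protectors -get' lists each protector type followed by "ID: {GUID}".
$lines = manage-bde -protectors -get $Drive
$npIds = @()
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match 'Numerical Password') {
        for ($j = $i + 1; $j -lt [Math]::Min($i + 4, $lines.Count); $j++) {
            if ($lines[$j] -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $npIds += $Matches[1]; break }
        }
    }
}
if ($npIds.Count -eq 0) {
    Write-Warning "No numerical password protector on $Drive. Add one with 'manage-bde -protectors -add $Drive -RecoveryPassword' first."
    return
}

# Escrow each recovery password into the computer object's msFVE-RecoveryInformation child.
foreach ($id in $npIds) {
    Write-Host "Backing up protector $id on $Drive to Active Directory..."
    manage-bde -protectors -adbackup $Drive -id $id
    if ($LASTEXITCODE -ne 0) { Write-Warning "manage-bde exited with code $LASTEXITCODE for $id" }
}
```

Confirm the escrow afterwards by viewing the computer object's msFVE-RecoveryInformation child object in Active Directory Users and Computers (with the BitLocker Recovery tab installed) rather than relying on the client's exit code alone.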
  • Thursday, October 29, 2009 12:19 PM
     
     

    Hai,

    These are things I found after a web search.

    Administrators can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker.

    Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.

    To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using BitLocker with.
    These settings are:
    • Configure how BitLocker-protected operating system drives can be recovered
    • Configure how BitLocker-protected removable data drives can be recovered
    • Configure how BitLocker-protected fixed data drives can be recovered
    • Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista)

    When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value configured on the computer.

    regards from www.windowsadmin.info
    ManuPhilip
  • Thursday, October 29, 2009 2:17 PM
     
     

    Thanks guys, both of you were right. I configured the Group Policy and everything is working as expected.