ERROR: Group policy does not permit the storage of recovery information

  • We are able to BitLocker new machines manually, but on machines that were previously encrypted we get this error. We have Group Policy configured as per Configuring AD to Back up BitLocker and TPM Recovery Information, but we get this error:

    c:\>Manage-BDE.exe -protectors -adbackup C: -ID {33EDA600-22CF-44CE-AD08-48A9768A9241}
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.

    ERROR: Group policy does not permit the storage of recovery information
    to Active Directory. The operation was not attempted.

    Friday, July 08, 2011 2:45 PM

All replies

  • Is this Vista? Are you seeing the same issues with Windows 7?

    Please refer:

    BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

    What if BitLocker is enabled on a computer before the computer has joined the domain?

    You might wonder what happens if BitLocker is enabled on a computer before Group Policy has been applied to enforce backup. Will the recovery information automatically be backed up to Active Directory when the computer joins the domain or when Group Policy is subsequently applied?

    This functionality is not available in Windows Vista. Generally, joining a computer to the domain is the first step for new computers within an enterprise.

    The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery passwords. An administrative account can list the recovery passwords of an unlocked volume by using the GetKeyProtectorNumericalPassword method of the BitLocker WMI interface or the "-protectors -get" parameters of the BitLocker command-line tool (manage-bde.wsf).


    Sumesh P - Microsoft Online Community Support
    Wednesday, July 13, 2011 11:12 AM
  • Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory

    These instructions are for configuring the local policy on a Windows Vista client computer. In a production environment, you would likely edit a Group Policy object (GPO) that applies to computers in the domain instead.

    For more information about configuring Windows Vista GPO in the domain, see the "Managing Group Policy ADMX Files Step by Step Guide" (http://go.microsoft.com/fwlink/?LinkId=79653).

    Note: We recommend that you keep the default options when you enable each Group Policy setting. Be sure to read the Explain text before making any changes.

    To enable the local policy settings to back up BitLocker and TPM recovery information to Active Directory:
    1. Log on to the computer as an administrator.

    2. Click Start, type the following in the Start Search box, and then click ENTER:

      gpedit.msc

    3. To enable Group Policy settings to back up BitLocker recovery information to Active Directory:

      1. Open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.
      2. In the right pane, double-click Turn on BitLocker backup to Active Directory.
      3. Select the Enabled option.
      4. Verify that the Require BitLocker backup to AD DS check box is selected.
    4. To enable the Group Policy setting to back up TPM recovery information to Active Directory:

      1. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.
      2. In the right pane, double-click Turn on TPM backup to Active Directory.
      3. Select the Enabled option.
      4. Verify that the Require TPM backup to AD DS check box is selected.

    Sumesh P - Microsoft Online Community Support
    Wednesday, July 13, 2011 11:16 AM
  • Backing Up BitLocker and TPM Recovery Information to AD DS

    http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx#BKMK_2

    Sumesh P - Microsoft Online Community Support
    Wednesday, July 13, 2011 11:18 AM
  • BitLocker Drive Encryption in Windows 7: Frequently Asked Questions http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_ADRetro

    What if BitLocker is enabled on a computer before the computer has joined the domain?

    If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, in Windows 7 you can use the Choose how BitLocker-protected operating system drives can be recovered, Choose how BitLocker-protected fixed drives can be recovered and Choose how BitLocker-protected removable drives can be recovered Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.

    The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The Manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: manage-bde –protectors -adbackup C:.

    Important: Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).

    Sumesh P - Microsoft Online Community Support
    Wednesday, July 13, 2011 11:27 AM
  • I also tried the script at this location

    http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

    We still have the error. Also, we do NOT want to enforce being required to be attached to the domain when it is invoked, so in Group Policy for both BitLocker and TPM, item #4 on both is not enforced. We have run the script cscript Add-TPMSelfWriteACE.vbs from http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx#BKMK_2 to allow for this ACE, so where is the issue? Why can we not simply back up the BitLocker key + TPM from a machine that had it enabled prior to the current AD having the updated schema and ACE? We have now updated the schema (upgraded to the 2008 R2 schema + run the TPM script), so for all new machines joined, the AD is able to take the BitLocker key + TPM; we can start new, but we still need to deal with the legacy devices. It seems the only option is to disable BitLocker, decrypt, turn off TPM, and start all over again.

    This command 'manage-bde –protectors -adbackup C:' doesn't seem to get the TPM info?


    Until later .... Brett
    Thursday, January 12, 2012 12:09 AM
  • There is one other GPO setting that needs to be enabled to allow you to back up your key to AD for volumes that were encrypted prior to joining AD or before the "Store BitLocker recovery information in Active Directory Domain Services" setting is enabled.

    In "Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption" open the "Fixed Data Drives", "Operating System Drives" or "Removable Data Drives" folder, depending on the drive for which you are trying to back up the keys. Locate the "Choose how BitLocker-protected [fixed data/operating system/removable] drives can be recovered" setting and open it. Enable the setting and make sure that "Save BitLocker recovery information to AD DS..." is checked.


    Monday, September 30, 2013 4:55 PM
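As an added example (not part of this thread and not Microsoft's own tooling), the following PowerShell script ties the replies together for a Windows 7 client: it first reads the policy values behind the "Choose how BitLocker-protected ... drives can be recovered" and "Turn on TPM backup to AD DS" settings discussed above, and then backs up every recovery-password protector on the volume through the Win32_EncryptableVolume WMI interface the replies refer to, which is what manage-bde -protectors -adbackup does for each protector ID. Assumptions: the registry value names (OSRecovery, OSActiveDirectoryBackup, the FDV/RDV equivalents, the Vista-era ActiveDirectoryBackup value, and TPM\ActiveDirectoryBackup) are those written by the FVE and TPM policy templates and should be checked against the ADMX files in use; the -DriveType parameter is this script's own, not a BitLocker option.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the client.
# 1) reports the policy values that gate AD DS backup, 2) backs up recovery-password
#    protectors through the BitLocker WMI provider (Win32_EncryptableVolume).
param(
    [string]$DriveLetter = 'C:',
    # Drive type as BitLocker policy classifies it: operating system, fixed data or removable data.
    # Assumption: the value-name prefixes OS/FDV/RDV follow FVE.admx; verify against your template.
    [ValidateSet('OS', 'FDV', 'RDV')]
    [string]$DriveType = $(if ($DriveLetter -eq $env:SystemDrive) { 'OS' } else { 'FDV' })
)

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # BitLocker policy values
$tpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'   # TPM policy values

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null means the setting is "Not Configured" (key or value absent)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

# --- Step 1: policy check -------------------------------------------------------
$recoveryPolicy = Get-PolicyValue $fvePolicyKey ("{0}Recovery" -f $DriveType)
$adBackupPolicy = Get-PolicyValue $fvePolicyKey ("{0}ActiveDirectoryBackup" -f $DriveType)
$legacyAdBackup = Get-PolicyValue $fvePolicyKey 'ActiveDirectoryBackup'   # Vista-era "Turn on BitLocker backup to AD DS"
$tpmAdBackup    = Get-PolicyValue $tpmPolicyKey 'ActiveDirectoryBackup'   # "Turn on TPM backup to AD DS"

Write-Host ("Policy ({0} drives): Recovery={1} ActiveDirectoryBackup={2} legacy={3} TPM backup={4}" -f `
    $DriveType, $recoveryPolicy, $adBackupPolicy, $legacyAdBackup, $tpmAdBackup)

if ($adBackupPolicy -ne 1) {
    $msg = "{0}ActiveDirectoryBackup is not 1: manage-bde -adbackup will report that Group Policy " +
           "does not permit storing recovery information. Enable 'Choose how BitLocker-protected " +
           "{0} drives can be recovered' with 'Save BitLocker recovery information to AD DS' " +
           "checked, then run gpupdate /force and re-run this script."
    Write-Warning ($msg -f $DriveType)
}
if ($tpmAdBackup -ne 1) {
    Write-Warning "TPM\ActiveDirectoryBackup is not 1: TPM owner information will not be stored in AD DS."
}

# --- Step 2: locate the volume through the BitLocker WMI provider ---------------
$volume = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
if ($volume -eq $null) { throw "No BitLocker volume object found for $DriveLetter" }

# --- Step 3: enumerate recovery-password protectors (KeyProtectorType 3) --------
# Only numerical-password protectors carry the recovery information stored in AD DS.
$found = $volume.GetKeyProtectors(3)
if ($found.ReturnValue -ne 0) {
    throw ("GetKeyProtectors failed with 0x{0:X8}" -f $found.ReturnValue)
}
$protectorIds = @($found.VolumeKeyProtectorID | Where-Object { $_ })
if ($protectorIds.Count -eq 0) {
    Write-Warning "No recovery password protector on $DriveLetter; add one first with: manage-bde -protectors -add $DriveLetter -RecoveryPassword"
    return
}

# --- Step 4: back up each protector (what -adbackup -ID {GUID} does per protector)
foreach ($id in $protectorIds) {
    $backup = $volume.BackupRecoveryInformationToActiveDirectory($id)
    if ($backup.ReturnValue -eq 0) {
        Write-Host "Backed up recovery protector $id to AD DS"
    } else {
        # A non-zero HRESULT here usually points back at the policy values above or
        # at the computer object's write ACE on the ms-FVE-RecoveryInformation objects.
        Write-Warning ("Backup of {0} failed with 0x{1:X8}" -f $id, $backup.ReturnValue)
    }
}
```

Run it after gpupdate /force; a ReturnValue of 0 from BackupRecoveryInformationToActiveDirectory is the same outcome as a successful manage-bde -protectors -adbackup. The script only handles BitLocker protectors: TPM owner information is governed by the separate TPM policy described in the second reply, which is why the manage-bde command in the thread does not touch it.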