Bitlocker Backup to AD Fails with FIPS warning - FIPS is disabled

  • Question

  • I am currently unable to back up recovery information to Active Directory from any of my Windows 7 machines.

    The error I am receiving is "Group Policy setting requiring FIPS compliance prevents recovery password from being saved to Active Directory"

    I have the FIPS group policy "System cryptography: Use FIPS compliant algorithms" set to disabled for the entire domain, and have run an RSOP on the machines which shows that the policy is not enabled anywhere else.

    In the local group policy on the machines it shows that FIPS is disabled as well.

    Help!

    Wednesday, April 6, 2016 4:31 PM

Answers

  • Hi TheWaker1,

    Based on your description, we may try to reset Group Policy and re-update to check the result.

    RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
    RD /S /Q "%WinDir%\System32\GroupPolicy"
    gpupdate /force

    Best Regards,

    Tao



    • Marked as answer by TheWaker1 Thursday, April 7, 2016 7:06 PM
    Thursday, April 7, 2016 11:49 AM

All replies

  • Good Day 
    Please take a look at this 
    BitLocker Group Policy Settings

    Hope this works
    Regards

    Wednesday, April 6, 2016 4:56 PM
  • Already have the settings for Group Policy backup in place:


    • Edited by TheWaker1 Wednesday, April 6, 2016 5:13 PM
    Wednesday, April 6, 2016 5:12 PM
  • Are you using MBAM or just Bitlocker?
    The only difference that I notice from your GP to mine is that I have the Omit recovery options Enabled
    and the FIPS policy set to Not Defined.
    So I suggest changing the FIPS Policy to Not Defined.



    Wednesday, April 6, 2016 5:43 PM
  • Just BitLocker. I had FIPS set to "Not Defined" previously and received the error. Setting it to Disabled to solve the problem didn't fix it.
    Wednesday, April 6, 2016 5:46 PM
  • https://social.technet.microsoft.com/Forums/de-DE/01d79491-2a11-431f-a2e8-40c228d747cc/win81-enterprise-bitlocker-aktivieren-fips-verhindert-dies-also-vielleicht?forum=windows8de suggests that this is a bug. In that thread, the error message appears although the drive is being encrypted AND the event log logs that "BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services."

    So please look at the event log and also at the computer object in AD, maybe the key is already there.

    Wednesday, April 6, 2016 9:25 PM
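
    Added example (not part of the thread): a PowerShell check of the FIPS value the machine actually reads and of whether the computer object in AD already holds a recovery object for each recovery-password protector, as the reply above suggests verifying. It assumes an elevated prompt on the client, the RSAT ActiveDirectory module, and an account allowed to read msFVE-RecoveryInformation objects; the $Drive parameter and the output property names are choices made for this example.

```powershell
# Added example, not from the thread. Run elevated on the affected client.
# Assumptions: RSAT ActiveDirectory module is installed and the account may
# read msFVE-RecoveryInformation objects (typically an admin or delegated right).
param([string]$Drive = $env:SystemDrive)

# 1. FIPS value the OS actually reads, independent of what RSoP displays.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) {
    Write-Warning "FIPS mode is ON in the registry even if the GPO says Disabled."
} else {
    Write-Output "FIPS mode is off in the registry (Enabled = $($fips.Enabled))."
}

# 2. IDs of the recovery-password protectors on the volume. Only the
#    {GUID} IDs are captured; the 48-digit passwords are never stored.
$ids = @(& manage-bde.exe -protectors -get $Drive -Type RecoveryPassword |
    Select-String -Pattern '\{[0-9A-Fa-f-]{36}\}' |
    ForEach-Object { $_.Matches[0].Value })
if ($ids.Count -eq 0) { Write-Warning "No recovery password protector on $Drive."; return }

# 3. Recovery objects stored beneath this computer's AD object. Each object's
#    name ends with the protector ID it belongs to.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$stored = @(Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated)

# 4. Report, per protector, whether a matching backup exists in AD.
foreach ($id in $ids) {
    $hit = $stored | Where-Object { $_.Name -like "*$id" } | Select-Object -First 1
    $when = $null
    if ($hit) { $when = $hit.whenCreated }
    New-Object PSObject -Property @{
        ProtectorId = $id
        InAD        = [bool]$hit
        WhenCreated = $when
    }
    if (-not $hit) {
        # Retry the backup for just this protector once policy is fixed.
        Write-Warning "Not in AD. Retry: manage-bde -protectors -adbackup $Drive -id $id"
    }
}
```

    If InAD is True for every protector, the key is already escrowed and the FIPS message was raised despite a successful backup.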
  • I am thinking a corrupt group policy object caused this. I've done the above on the laptops and they're able to encrypt again.
    Thursday, April 7, 2016 7:07 PM