MDT 2013 - Storing Bitlocker Recovery Keys in AD for Win7Enterprise Deployment

  • Question

  • I've been lurking through threads on TechNet and various other blogs on how to get my Win7 task sequence to enable BitLocker and send the recovery keys up to AD.  As with many of you, my AD and GPO environment is unique - in particular our Legal Notice is set in the Default Domain Policy, so I found early on that my MDT sequence was breaking very quickly.  Found the following set of tools and sequence steps, and they have been working like a charm so far: <http://blogs.msdn.com/alex_semi/archive/2009/08/28/avoiding-legan-notice-that-breaks-mdt-autologon.aspx> - that part is done. Good...

    Now the Enabling of Bitlocker in my task:

    We're a Lenovo shop so I have the scripts to set TPM to active.

    I've followed all the items here <https://technet.microsoft.com/en-us/library/dn744301.aspx> and set up my BitLocker GPO.  Here is an output of the policy via the registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
    "ActiveDirectoryBackup"=dword:00000001
    "RequireActiveDirectoryBackup"=dword:00000000
    "ActiveDirectoryInfoToStore"=dword:00000001
    "OSRecovery"=dword:00000001
    "OSManageDRA"=dword:00000001
    "OSRecoveryPassword"=dword:00000002
    "OSRecoveryKey"=dword:00000002
    "OSHideRecoveryPage"=dword:00000000
    "OSActiveDirectoryBackup"=dword:00000001
    "OSActiveDirectoryInfoToStore"=dword:00000001
    "OSRequireActiveDirectoryBackup"=dword:00000001
    "UseAdvancedStartup"=dword:00000001
    "EnableBDEWithNoTPM"=dword:00000000
    "UseTPM"=dword:00000001
    "UseTPMPIN"=dword:00000000
    "UseTPMKey"=dword:00000000
    "UseTPMKeyPIN"=dword:00000000

    Here's a snippet of my cs.ini:
    [Laptop-True]
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEWaitForEncryption=FALSE
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDERecoveryKey=AD
    ;BDERecoveryPassword=TRUE
    BDEKeyLocation=\\myunc\bitlockerkeys$

    I have tried numerous solutions but haven't had luck.  Here is what I've tried so far:

    • Early in the State Restore section, have the steps that enable TPM using Lenovo scripts, regedit /s the reg values posted above and restart.  Install my applications with reboots in between, join the domain and enable BitLocker = machine is encrypted, recovery key in \\myunc\bitlockerkeys$ but nothing in AD.  If I keep "OSRequireActiveDirectoryBackup"=dword:00000001, BitLocker is paused/suspended once in Windows.  Need to manually start it.  If it's changed to "OSRequireActiveDirectoryBackup"=dword:00000000, the system is encrypted (or almost finished) when it's booting after the TS is done.
    • Tried doing a gpupdate /force after recovering from the domain and before enabling Bitlocker but that breaks MDT since I have GPOs that are set to remove all local admin accts
    • After domain join and enabling BitLocker, ran the script below, which will force the recovery keys to AD: http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

    I've looked at my BDD.log and smsts.logs and nothing states where the issue lies.  Are there any other logs or tips/hints someone could direct me to in order to get this working?

    Thanks in advance!


    • Edited by CapnJax21 Thursday, July 30, 2015 2:19 AM grammar
    Thursday, July 30, 2015 2:18 AM
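An added example (not from the original post, and not the askcore script it links) of the two checks a practitioner would run after such a task sequence: pushing every numerical-password protector to AD with manage-bde, and then confirming from the AD side that msFVE-RecoveryInformation objects actually exist under the computer object. It assumes English manage-bde output, that Backup-RecoveryPasswordsToAD runs elevated on the client, and that Get-ADRecoveryInfo runs from a management workstation under a domain account allowed to read the computer object's children (the MDT autologon local admin cannot bind to AD for that query).

```powershell
# Added example; not part of the original post. Written for the PowerShell 2.0 that
# ships with Windows 7, so no [pscustomobject] or AD module is required.

function Backup-RecoveryPasswordsToAD {
    param([string]$Drive = 'C:')
    # manage-bde lists each protector as a "Type:" line followed by "ID: {GUID}".
    $raw = & manage-bde.exe -protectors -get $Drive | Out-String
    # Only numerical-password (recovery password) protectors can be stored in AD;
    # TPM and external-key protectors are skipped on purpose.
    $ids = [regex]::Matches($raw, 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f\-]+\})') |
        ForEach-Object { $_.Groups[1].Value.ToUpper() }
    if (-not $ids) {
        throw "No numerical password protector on $Drive; nothing to back up."
    }
    foreach ($id in $ids) {
        # -adbackup repeats what the FVE policy should have done at enable time. A
        # non-zero exit code here usually means the computer object lacks the
        # 'Create msFVE-RecoveryInformation objects' right, or no DC was reachable.
        & manage-bde.exe -protectors -adbackup $Drive -id $id | Out-Null
        New-Object PSObject -Property @{
            Drive = $Drive; ProtectorId = $id; ExitCode = $LASTEXITCODE
        }
    }
}

function Get-ADRecoveryInfo {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Find the computer object, then list its msFVE-RecoveryInformation children.
    $filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $comp = ([adsisearcher]$filter).FindOne()
    if (-not $comp) { throw "Computer object for $ComputerName not found in AD." }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $comp.GetDirectoryEntry()
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$searcher.PropertiesToLoad.Add('name')              # "<timestamp>{GUID}"
    [void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryGuid') # protector ID as bytes
    foreach ($r in $searcher.FindAll()) {
        $bytes = [byte[]]$r.Properties['msfve-recoveryguid'][0]
        $guid = New-Object Guid -ArgumentList (,$bytes)
        New-Object PSObject -Property @{
            Computer    = $ComputerName
            # Same {GUID} form as manage-bde prints, so the two lists can be compared.
            ProtectorId = $guid.ToString('B').ToUpper()
            Object      = $r.Properties['name'][0]
        }
    }
}
```

Compare the ProtectorId values from both functions: a protector that manage-bde reports but Get-ADRecoveryInfo does not is the one whose backup never reached the directory.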
