Must a pc reside in the Bitlocker OU for a key to be written to AD?

  • Question

  • I'm testing out Bitlocker within MDT. This is what I notice in AD when manually encrypting a pc:

    Manually move a pc to the Bitlocker OU, encrypt and a key appears in the Recovery tab.
    Move the pc to another OU and the tab remains but the key is gone.
    Move it back and the key reappears.

    So, by imaging a pc in MDT, it must be in only one specific OU to join to our domain. If I'm going to try to encrypt it, it must also be in the Bitlocker OU for the key to be written.

    My question is: If the pc is in the Join-to-domain OU and I try to write a key to AD, the key is missing. If I then move it to our Bitlocker OU, the key still doesn't appear, but checking the status of Bitlocker on the pc shows the option to Suspend it.

    What would be the best approach to image in one OU but allow MDT to generate a correct key in our Bitlocker OU? Yes, this is confusing but is something I'm tasked with.

    Thursday, June 27, 2019 12:12 PM
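The recovery password that AD shows on the BitLocker Recovery tab is stored as an msFVE-RecoveryInformation child object under the computer object, so the computer account needs permission to create that child object in whatever OU it sits in at the moment the backup runs, and the person looking at the tab needs permission to read it there. The following PowerShell is an added example (not the poster's code, not an MDT step) that a practitioner can run to check whether escrow actually happened and, if a protector has not been backed up, to push it to AD without re-encrypting. It assumes it is run elevated on the encrypted client, that the ActiveDirectory RSAT module is installed for the second half, and that `$MountPoint` and `$ComputerName` are placeholders to adjust:

```powershell
# Added example: verify, and if needed force, escrow of BitLocker recovery
# passwords to AD, then confirm from the AD side that the objects exist.
# Assumptions (not from the original post): run elevated on the encrypted
# client; ActiveDirectory module available; placeholder values below.

$MountPoint   = 'C:'                 # placeholder: encrypted OS volume
$ComputerName = $env:COMPUTERNAME    # placeholder: the imaged pc's AD name

# --- Client side: list recovery-password protectors and push each to AD ---
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector on $MountPoint; there is nothing to escrow."
} else {
    foreach ($kp in $recovery) {
        try {
            # Creates the msFVE-RecoveryInformation child object under this
            # computer's AD object. An access-denied error here means the
            # computer account cannot create that object in its current OU.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Host "Escrowed protector $($kp.KeyProtectorId) to AD"
        } catch {
            Write-Warning "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# --- AD side: confirm the recovery objects are present under the computer ---
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $ComputerName
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties whenCreated

if (-not $escrowed) {
    Write-Warning ("No recovery information found under {0}. Either the backup never " +
                   "succeeded or this account cannot read those objects in that OU.") `
                   -f $computer.DistinguishedName
} else {
    # The object name ends with the protector GUID in braces, so each client
    # protector can be matched to its AD copy without reading the password.
    foreach ($kp in $recovery) {
        $match = $escrowed | Where-Object { $_.Name -like "*$($kp.KeyProtectorId)*" }
        if ($match) {
            Write-Host "Protector $($kp.KeyProtectorId) is in AD (created $($match.whenCreated))"
        } else {
            Write-Warning "Protector $($kp.KeyProtectorId) has no matching AD object"
        }
    }
}
```

Running the client half after the computer object has been moved into the OU that grants the create permission is the check that distinguishes "the key was never written" from "the key is there but I cannot see it from this OU", which are the two cases the question describes.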


All replies

  • I moved a pc to the Bitlocker OU and kicked off an image deploy. It did write a working recovery key to the Bitlocker OU and the key worked, but during the deployment, the pc stalled at the security warning screen and required me to click OK to move on.

This is my issue. I can't get past that screen. I could in Win7 with an entry in the unattend.

    The opposite situation is the same: If I get past this screen, I have to move my pc to the initial OU in order to run Windows Updates. It's a maze.

    Thursday, June 27, 2019 12:45 PM
  • I will repost this with a more specific question.
    • Marked as answer by the1rickster Thursday, June 27, 2019 1:23 PM
    Thursday, June 27, 2019 1:22 PM