Bitlocker Active Directory Backup

  • Question

  • I recently was tasked with setting up a Bitlocker infrastructure for Windows 8.1 computers that we will be deploying to our staff. I am using MDT 2013 to deploy the OS and enable/configure Bitlocker. GPOs are configured in the client computer OUs to force AD backup of recovery information. I have also configured MDT with the property 'BDERecoveryKey=AD'. I followed all instructions here:

    http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

    to ensure that computers had the appropriate permissions. 

    During testing, AD backup of recovery information has worked flawlessly. However, when our support techs began imaging recently I have found that the AD backup is about 50/50. Some computers have successfully backed up their keys and others have not. The process is the same on every computer and they are all dumped into an initial OU (not the computers container) at deployment time.

    I can't tell any difference between computers that have backed up their keys and those that have not. Bitlocker deployment is successful and encryption is on. I have found no errors in the client computer's logs that indicate a problem. 

    Does anyone have any ideas what may be happening or where I can look to troubleshoot this? Thanks!

    Tuesday, April 15, 2014 2:11 PM

Answers

  • I have traced this down to a Group Policy issue. It seems that some machines that we image get Group Policy immediately after setup and others are delayed. I can't yet determine what causes this, but if the Enable Bitlocker task runs prior to GP being applied then the key is not backed up. I simply added a task right before this that runs GPUpdate and it seems to be working. About 30 computers have been imaged since this change and all of them have backed up their Recovery Passwords to AD.

    Has anyone experienced this before? I wonder whether I should add a GPUpdate task to all my task sequences just to be safe in the future.

    Thanks for your help!

    • Marked as answer by Matt McNabb Wednesday, April 16, 2014 8:03 PM
    Wednesday, April 16, 2014 8:03 PM
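A way to check after a batch of deployments which computer accounts actually received recovery information, and to push the AD backup again for any protector that is missing, as an added PowerShell example. This is not code from the thread or from MDT; the OU distinguished name is a placeholder, and it assumes the ActiveDirectory RSAT module and read rights on msFVE-RecoveryInformation objects on the admin side and the BitLocker module (Windows 8 / Server 2012 or later) on the client.

```powershell
# Added example, not from the original thread.
# Part 1 runs on an admin workstation and lists computers in the deployment OU
# whose account has no msFVE-RecoveryInformation child object in AD.
# Part 2 runs on the client (for example as a remediation step after gpupdate)
# and backs up every recovery-password protector to the computer object.

function Get-ComputersMissingRecoveryInfo {
    param(
        # Placeholder for the initial OU mentioned in the question, e.g. "OU=Staging,DC=example,DC=com"
        [Parameter(Mandatory)][string]$DeploymentOU
    )
    Import-Module ActiveDirectory

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $DeploymentOU) {
        # Recovery passwords are stored as msFVE-RecoveryInformation objects
        # directly beneath the computer account, so search one level down.
        $recovery = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel
        if (-not $recovery) {
            [pscustomobject]@{
                ComputerName      = $computer.Name
                DistinguishedName = $computer.DistinguishedName
            }
        }
    }
}

function Backup-MissingRecoveryPasswords {
    param([string]$MountPoint = $env:SystemDrive)

    $volume     = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $protectors) {
        # Only a numerical (recovery password) protector can be stored in AD;
        # add one if the volume was encrypted without it.
        $volume     = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $protectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $protectors) {
        # Writes the protector to the computer object in AD. Like the MDT step in the
        # thread, this depends on the AD backup policy being in effect on the client,
        # so run it only after Group Policy has applied (gpupdate /force).
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Usage (admin side):  Get-ComputersMissingRecoveryInfo -DeploymentOU "OU=Staging,DC=example,DC=com"
# Usage (client side): gpupdate /force; Backup-MissingRecoveryPasswords
```

Running the first function against the staging OU after each imaging wave gives the same 50/50 picture the question describes without opening each machine; the second function is what a scheduled or task-sequence remediation step would run on the affected clients once policy has applied.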

All replies

  • Yes, check the log files of the machines that didn't save the key into AD.

    You can find the log files in the following location: C:\Windows\TEMP\OSDLogs

    That should always be your first starting point for troubleshooting.


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, April 15, 2014 2:59 PM
  • ZTIBDE.log has no errors. The MDT task sequence should not complete until Bitlocker has been enabled and GPO prevents Bitlocker from being enabled if AD backup is not successful. It seems to me that this should prevent any possibility of enabling Bitlocker without an AD backup but is definitely not the case.

    One further question - are there any scenarios where domain admins do not have access to view Bitlocker recovery info? Again, all affected computers are essentially the same so I can't see permissions being the issue, but it's worth investigating right? 

    Thanks!

    Tuesday, April 15, 2014 4:36 PM