Score:0

BitLocker Recovery Keys Not Showing in Active Directory

za flag

I have been working on this all last week and this week and have made no progress. I am working in active directory and group policy and need to store the bitlocker recovery keys in the bitlocker tab. I have followed all instructions online to get this to work. So far I have...

  • Linked it to my test environment
  • Turned enforced on
  • Turned on "Link Enabled"
  • Delegated it to multiple computers in the test environment

Within the GPO

  1. Enabled "Store bitlocker recovery information in ADDS"

  2. Enabled "Choose drive encryption and cipher strength" for all versions of windows

  3. Enabled "Require additional authentication at startup"

  4. Enabled "Enforce drive encryption type on operating system drives"

  5. Enabled "Choose how bitlocker-protected operating system drives can be recovered" and set it to...

    a. "Do not allow 48-digit recovery password"

    b. "Allow 256-bit recovery key"

    c. Checked "Save bitlocker recovery information to AD DS for operating system drives"

    d. Store recovery passwords and key packages

Additionally, I'm not sure if this is the reason it is failing, I am trying to do this a second time. I saved the bitlocker recovery keys in AD DS for some computers a few months ago and it worked. So some of my computers in my "Computers" directory have the bitlocker keys while some do not.

Finally, I have just linked it beyond my test environment, into my domain, to see if it would make a difference. But all the computers that need the recovery key are stored in Active Directory's default "Computers" container, which does not allow a GPO to be linked to it, so I linked the GPO to a security group with all the computers in it rather than an OU.

I can answer anything I left out and I can share pictures if that is easier for people to visualize. Thanks!!

joeqwerty
cv flag
You can't link a GPO to a security group, but you can filter a GPO based on security group membership. Where is the GPO actually linked? To the root of the AD domain? If you're filtering the GPO based on group membership have you rebooted any of the computers since adding them to the security group? Is BitLocker enabled on these computers? Have you run GPRESULT to see if the GPO is being applied to the computers in question?
cn flag
The GPO shows that recovery passwords are disabled, but recovery keys are enabled. If you are using recovery keys and not passwords, you should update the title and question to reflect that and remove references to passwords.
SamErde
gg flag
Is the GPO linked to the domain root or to a specific OU?
za flag
@joeqwerty I am currently only linking it to my test environment OU, and I have delegation set to a security group containing all computers in my "Computers" container. However, "Computers" is not an OU and therefore I can't link any GPOs to it. I could use PowerShell and move all the computers into an OU if that would help. I have forced updates and restarted computers, as well as looked in RSOP.msc to see what happens after each forced update.
za flag
@GregAskew done
za flag
@SturdyErde at the moment, the only OU it is linked to is my test environment. I have set delegation to distribute the GPO to a security group with all my computers in it (the computers in this group are not in the test environment)
Score:0
cv flag

The computer accounts need to be in the Scope of Management of the GPO. If the computer accounts are in one OU and the GPO is linked to another OU then the GPO will not apply to the computers, regardless of your security filtering. In this case you would need to link the GPO to the OU where the computer accounts are.

If the computers are in the default Computers container and the GPO is linked to an OU then the GPO will not apply to the computers, regardless of your security filtering. In this case you would need to link the GPO to the root of the AD domain.

za flag
Would there be any adverse consequences if I moved all the computers that I wanted from the "Computers" container to a separate OU? Like, is there an advantage to keeping computers in there for any reason, or is it just there to be there?
joeqwerty
cv flag
It's just the default container for computer accounts in the domain. Based on what you've stated there's no need for me to go into the vagaries of GPO precedence, inheritance blocking, GPO enforcement, etc. but you probably just want to make sure that you don't have GPO inheritance blocked on the OU that you move them to.
za flag
thanks, I'll give this a shot!
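The scope-of-management check described in this answer, plus the "move to an OU and confirm inheritance is not blocked" step from the comments, as a worked PowerShell session. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the GPO name, OU path and domain DN are placeholders to replace with your own.

```powershell
# Added example (not from the original thread): verify the GPO's scope of management before
# and after moving computer accounts out of the default Computers container.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; $gpoName and $targetOu are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'BitLocker - AD DS Backup'                   # placeholder GPO display name
$targetOu = 'OU=Workstations,DC=corp,DC=example'         # placeholder destination OU
$domainDn = (Get-ADDomain).DistinguishedName
$computersContainer = "CN=Computers,$domainDn"

# 1. Which computer accounts still live in the default Computers container?
#    A GPO cannot be linked to that container; only a domain-root link reaches these accounts.
$inContainer = Get-ADComputer -SearchBase $computersContainer -SearchScope OneLevel -Filter *
$inContainer | Select-Object Name, DistinguishedName

# 2. Where is the GPO actually linked? Compare these SOM paths with the DNs above:
#    security filtering only narrows a link that already covers the account's container.
$gpo = Get-GPO -Name $gpoName
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride

# 3. Inspect the destination OU before moving anything: blocked inheritance would hide
#    a domain-level link, which is the pitfall the comment above warns about.
$inh = Get-GPInheritance -Target $targetOu
if ($inh.GpoInheritanceBlocked) { Write-Warning "GPO inheritance is blocked on $targetOu" }
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# 4. Move the accounts into the OU. Keep -WhatIf until the output looks right, then drop it.
$inContainer | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $targetOu -WhatIf
}

# 5. On a moved client, after "gpupdate /force" and a reboot, confirm the GPO is listed
#    under "Applied Group Policy Objects" for the computer:
#    gpresult /scope computer /r
```

Step 2 is the quickest way to settle the "where is it linked?" question asked in the comments: if the OU holding the computer account is not one of the SOMPath values (or a parent of it with inheritance intact), no amount of security filtering will make the policy apply.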
Score:0
au flag

What you hope to see in AD is not called recovery key, but recovery password. Since you disabled those in your quoted GPO settings, it's clear why those don't appear.
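A way to confirm this answer on your own domain, as an added example that is not part of the original post. AD DS stores the 48-digit recovery password (and key package) as msFVE-RecoveryInformation child objects of the computer account; a 256-bit recovery key is a .BEK file and is never escrowed to AD. The first part assumes the RSAT ActiveDirectory module and a placeholder computer name; the second part assumes the built-in BitLocker module on an elevated client session.

```powershell
# Added example (not from the original answer). Part 1 shows what AD holds for a computer;
# Part 2 shows how a client escrows a recovery *password* (not a recovery key) to AD.

# --- Part 1: on an admin workstation with RSAT: list escrowed recovery information ---
Import-Module ActiveDirectory
$computerName = 'WS-TEST01'   # placeholder computer name
$computer = Get-ADComputer -Identity $computerName

# msFVE-RecoveryInformation objects sit directly beneath the computer object.
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
# No objects returned => nothing has been escrowed for this computer, whatever the GPO says.
# Reading msFVE-RecoveryPassword needs delegated rights; by default only Domain Admins can.

# --- Part 2: on the client, elevated: ensure a recovery password protector exists, then back it up ---
$vol = Get-BitLockerVolume -MountPoint 'C:'
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    # With "Do not allow 48-digit recovery password" in effect, as in the question's GPO,
    # this call is rejected by policy; that is exactly why nothing reaches AD.
    $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    # Only RecoveryPassword protectors can be backed up to AD DS.
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
}
# Same thing without the module: manage-bde -protectors -adbackup C: -id "{<protector GUID>}"
```

Part 2 also covers the "some computers have keys, some don't" situation from the question: machines encrypted before the policy was in place never escrowed anything, and re-applying the GPO does not retroactively back them up. Running the backup loop on those clients (once the GPO allows recovery passwords again) populates AD for them.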
