Bitlocker Recovery Keys not showing in active directory suite

I recently asked this same question here about a month ago -> BitLocker Recovery Keys Not Showing in Active Directory

But things have changed now and I am still getting the same results. I am going to go as into detail as I can for this post so I don't have to make any more posts (hopefully).

Ok, so we need to store these keys on AD to meet DoD requirements and I wrote a little bit of Java to find out how many we have. After running my Java we have 97 out of 230 computers that have a stored key in AD.

I created a group policy for bitlocker and named it "GP - Bitlocker"

The first settings I changed are in this directory: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Bitlocker Drive encryption

"Store bitlocker recovery information in active directory domain service"

"Choose Drive Encryption Method and Cipher Strength (Windows 8 / Server 2012)"

"Choose Drive Encryption Method and Cipher Strength (Windows 10)"

"Choose Drive Encryption Method and Cipher Strength (Windows Server 2008, Windows 7)"

Additionally I have changed settings in ../Operating System Drives (the .. being the previous directory)

"Require additional authentication at startup"

"Enforce drive encryption type on operating system drives"

"Choose how BitLocker-protected operating system drives can be recovered"

As for where the group policy is linked, it is stored in a directory with all of my other group policies that we have on our domain named "Group Policy Objects." It was linked to all OUs that we wanted to have the GP enabled but we took it off because it wasn't working and we wanted to only run tests on limited computers.

At the moment, "GP - Bitlocker" is linked to 2 OUs, "Test_Environment" and "Not known." Not known is an OU with real people's computers on our domain with an unspecified department and test_environment is just temporary computers that we use to test GPs.

"Not Known" had 4/16 computers with a stored key and test_enivronment has 1/4 computers with a stored key.

Our scope for the GP

Right now what we are thinking is that since many of our employees don't consistently connect to the VPN or even log onto their computers, they aren't able to get the GP update. We are a construction company and as such, we have many people who work out in the field for months at a time and don't use their computers. However, I think 97 should be more around 180 or so to be accurate to those who have computers in the field. If I am missing any information please let me know and I will be happy to fill in the gaps.

Nick, when you asked your first question, your setting for recovery passwords (the 48 digit key that appears in the AD computer ovbject on the bitlocker recovery tab) were: "Do not allow 48-digit recovery password"

Now you changed that to require the recovery passwords. However, as these systems are encrypted already, these passwords will never make it to AD (as they are saved only at the moment of encryption and NOT afterwards), unless you manually make them. That should be done using a script that you deploy as immediate schedule task, for example batch code for c: drives:

for /f "tokens=1,2" %%a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %%b