NobleComputing

Strange Behavior on Writing Bitlocker key to AD




The writing of the BitLocker key to AD has been working flawlessly... until we started receiving machines with SSD drives in them. The task sequence works flawlessly with no errors. The problem is the BitLocker recovery tab within AD is empty. I can run the manual way (https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/ ) and it will input the data into AD, but I do not want to have to do this :).

 

The real strange thing is if I remove the machine from AD, and reimage it, the key properly registers itself within AD. Only on the second pass will it work?



I had similar issues, the BDE recovery key would inconsistently be written to AD (usually not at all). You were _very close_ with the link you pasted. Yes, it has manual steps in the discussion but there is a lead-up to an automated script at the bottom, it's a link - look carefully for it below the authors' signatures: "BDEAdBackup.vbs"

 

I've tried this script by inserting it as a new command line task in my sequence toward the very bottom, after I've already enabled BitLocker. If you do it too fast there may not be key data ready to write to AD. In my case, it solved the issue.

 

I usually kick it off by running: cscript.exe %SCRIPTROOT%\Custom\BDEAdBackup.vbs

 

Original blog post with that script link is: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/

 

Your mileage may vary. Good luck.

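The timing problem described in the reply above (running the backup before any key data exists) can be handled with a retry loop. This is an added example, not part of either post and not the BDEAdBackup.vbs script from the blog; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), a domain-joined machine whose policy permits storing recovery information in AD DS, and hypothetical retry settings.

```powershell
# Added example: wait for a recovery password protector, then back it up to AD.
# Parameter names and retry values are assumptions chosen for illustration.
param(
    [string]$MountPoint = $env:SystemDrive,  # volume whose key is backed up
    [int]$MaxAttempts   = 10,                # assumed retry budget
    [int]$DelaySeconds  = 30                 # assumed wait between attempts
)

$ErrorActionPreference = 'Stop'

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    try {
        $volume = Get-BitLockerVolume -MountPoint $MountPoint

        # Only numerical recovery passwords are escrowed here; TPM and other
        # protector types are skipped.
        $protectors = @($volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($protectors.Count -eq 0) {
            throw "No recovery password protector on $MountPoint yet."
        }

        foreach ($p in $protectors) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
            # Log the protector ID only, never the recovery password itself.
            Write-Output "Backed up protector $($p.KeyProtectorId) to AD."
        }
        exit 0
    }
    catch {
        Write-Warning "Attempt $attempt of $MaxAttempts failed: $($_.Exception.Message)"
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
}

# A non-zero exit code makes the task sequence step fail visibly instead of
# leaving an encrypted machine with an empty recovery tab in AD.
exit 1
```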
