Question

BitLocker issue: Task Sequence tries to escrow the key to AD; it can't read it from the registry.

After deploying BitLocker I can see the BitLocker Recovery tab in AD under the relevant PC I'm using for testing, but there are no recovery keys and it gives this message as per the screenshot.

Bitlocker.jpg

Sccm task seq.png


2 answers to this question


Have you configured the features to allow viewing of the keys? And permissions? Which version of Windows Server are you using?

See: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/bitlocker-recovery-password-viewer-tool

See also: https://blog.michaellecomber.info/2019/05/05/ad-delegate-access-to-view-bitlocker-recovery-keys/

image.png

Once added, you should be able to review the BitLocker recovery info.

image.png

If your user does not have permission to review these keys (Domain Admins will already have access to view the recovery keys, but any other user will not have permission to view the protected recovery keys), this permission has to be delegated down through the ‘Delegate Access’ wizard found in ‘AD Users and Computers’.

To do this, follow the steps below:

  1. Log into AD Users and Computers
  2. Make a new Security group called “Bitlocker-Recovery-Admins”
  3. Add the relevant users to the group
  4. Navigate to the OU where you want to start the delegation. (The computers must sit in an OU below the one where you start the delegation.)
  5. Right-click on the OU and select ‘Delegate Control’
  6. In the ‘Users or Groups’ step enter the newly created ‘Bitlocker-Recovery-Admins’
  7. In the ‘Tasks to Delegate’ select ‘Create a custom task to delegate’
  8. In the Active Directory Object Type dialog, select Only the following objects in the folder.
  9. In the list select msFVE-RecoveryInformation objects and click Next
  10. For permissions, set ‘Full Control’ and select Finish.

Now any user in our security group will be able to view the BitLocker recovery keys.

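The answer above covers two separate things that can both produce an empty BitLocker Recovery tab: the key was never escrowed (the task sequence problem in the question), or it was escrowed but the viewing user lacks rights on the msFVE-RecoveryInformation objects. The script below is an added example, not code from the thread or from the linked blogs. It assumes the ActiveDirectory RSAT module is available on a domain-joined server; `TESTPC01`, the OU distinguished name and the feature name `RSAT-Feature-Tools-BitLocker-BdeAducExt` are placeholders or assumptions and should be checked against the local environment. It deliberately reports only the recovery key IDs and timestamps, never the recovery passwords themselves.

```powershell
# Added example (not from the original thread): check whether BitLocker recovery
# information reached AD for one computer, and whether the delegated group has an
# ACE on msFVE-RecoveryInformation objects at the OU used in "Delegate Control".
param(
    [string]$ComputerName = 'TESTPC01',                     # placeholder test PC
    [string]$OuDn         = 'OU=Workstations,DC=example,DC=com', # placeholder OU
    [string]$GroupName    = 'Bitlocker-Recovery-Admins'     # group from the answer
)
Import-Module ActiveDirectory

# 1. Is the BitLocker Recovery Password Viewer (ADUC extension) installed here?
#    Feature name is an assumption; run Get-WindowsFeature *BitLocker* to confirm.
$viewer = Get-WindowsFeature -Name 'RSAT-Feature-Tools-BitLocker-BdeAducExt' -ErrorAction SilentlyContinue
"Recovery Password Viewer installed on this server: $($viewer.Installed)"

# 2. Were any msFVE-RecoveryInformation objects escrowed under the computer object?
#    An empty result means escrow never succeeded, so the problem is on the client /
#    task sequence side, not a permissions issue in AD.
$computer = Get-ADComputer -Identity $ComputerName
$keys = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, whenCreated
if (-not $keys) {
    "No recovery objects under $($computer.DistinguishedName): escrow did not happen."
} else {
    foreach ($k in $keys) {
        # msFVE-RecoveryGuid is stored as an octet string (byte[]); cast to GUID.
        $id = [guid]$k.'msFVE-RecoveryGuid'
        "Escrowed key ID {0} created {1}" -f $id, $k.whenCreated
    }
}

# 3. Does the delegated group have an ACE scoped to the msFVE-RecoveryInformation
#    class at the OU? The wizard writes ACEs whose InheritedObjectType (Full Control
#    on those objects) or ObjectType (create/delete child) is the class schemaIDGUID.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNc `
             -Filter 'lDAPDisplayName -eq "msFVE-RecoveryInformation"' `
             -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$GroupName" -and
    ($_.InheritedObjectType -eq $classGuid -or $_.ObjectType -eq $classGuid)
}
if (-not $aces) {
    "No ACE for $GroupName on msFVE-RecoveryInformation at $OuDn : delegation missing."
} else {
    foreach ($a in $aces) {
        "ACE for {0}: {1} ({2}), inherits to {3}" -f $a.IdentityReference,
            $a.ActiveDirectoryRights, $a.AccessControlType, $a.InheritanceType
    }
}
```

If step 2 reports no objects, the key is not in AD at all and no amount of delegation will make the tab show anything; that is the case in the original question, where the task sequence never managed to read the protector from the client. If step 2 lists key IDs but step 3 reports no ACE, the delegation in the answer's ten steps has not been applied at (or above) the OU containing the computer.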
