As I said, it's been years since I set this up, but this was the documentation I followed for configuring everything on the AD side:
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Note that I don't believe you can do the TPM password backup anymore, just the BitLocker recovery password. It looks like that article talks about setting local policies to require the key backup; I'm not sure why it wouldn't mention the group policy settings, but you'll want to look in group policy under:

Computer\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption

There are various levels under that which contain relevant settings, but the big one will be under Operating System Drives, "Choose how BitLocker-protected operating system drives can be recovered", and inside that setting, enable the option for "Save BitLocker recovery information to AD DS for operating system drives".

On Thu, Nov 30, 2017 at 9:20 PM, Kurt Buff <[email protected]> wrote:
> Good enough. I'll take a look, but if you have more specifics, I'd
> appreciate it.
>
> Kurt
>
> On Thu, Nov 30, 2017 at 5:20 PM, Steve Whitcher <[email protected]> wrote:
> > Yes, this can definitely be done, I've had our environment working this way
> > for years. There is a GPO you can set to require BitLocker keys be backed up
> > to AD. If that is set, BitLocker won't encrypt the drive if it can't save
> > the key to AD.
> >
> > It was a little bit complicated when I set it up originally, but that was 6
> > or 7 years ago. The process may be simpler now. There was definitely a well
> > documented process on TechNet back then for enabling the key backup.
> >
> > Steve
> >
> > On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <[email protected]> wrote:
> >> Anyone have a clue on how to do this - without setting up MBAM?
> >>
> >> AFAICT, there isn't a way to do this, but I'm throwing it out here to
> >> see if I'm wrong.
> >>
> >> MBAM sets my teeth on edge, needing a SQL instance and all that when all
> >> I want to do is provision new machines with BitLocker and get the key set
> >> up in AD in one go, and not hassle with writing the key to a file, then
> >> running another (logon) script to get the key imported into AD.
> >>
> >> Kurt
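The "one go" escrow the thread is after, as an added example that is not from any of the posters: it checks that the GPO described above has actually applied, makes sure the OS drive has a numerical recovery password protector, backs it up to AD DS with the built-in cmdlets, and then confirms the msFVE-RecoveryInformation object exists under the computer account. It assumes the machine is domain-joined, the drive is already BitLocker-enabled, and the verification step runs where RSAT's ActiveDirectory module is installed.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined machine.
$MountPoint = $env:SystemDrive   # assumption: the OS drive is the target

# 1. Confirm the policy from the GPO path in the mail has applied. These are the
#    registry values the "Choose how ... can be recovered" setting writes:
#    OSActiveDirectoryBackup = save to AD DS, OSRequireActiveDirectoryBackup =
#    refuse to encrypt if the backup fails.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup policy for OS drives is not applied; run gpupdate and re-check.'
}
if ($fve.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'Backup is not *required*; encryption can succeed without escrow.'
}

# 2. Make sure there is a recovery password protector (the only protector type
#    AD DS stores; TPM owner password backup is no longer supported).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# 3. Escrow each recovery password to the computer object. The GPO does this
#    automatically at encryption time; calling it explicitly covers drives that
#    were encrypted before the policy existed, with no file export or logon script.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    Write-Host "Escrowed protector $($p.KeyProtectorId) to AD DS"
}

# 4. Verify from AD: recovery objects are children of the computer account and
#    their CN contains the protector GUID, so match on that rather than trusting
#    the cmdlet's silent success.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' }
foreach ($p in $rp) {
    $hit = $escrowed | Where-Object { $_.Name -like "*$($p.KeyProtectorId)*" }
    if ($hit) { Write-Host "Verified in AD: $($hit.Name)" }
    else      { Write-Warning "No AD object found for protector $($p.KeyProtectorId)" }
}
```

Reading the msFVE-RecoveryPassword attribute itself requires the delegated "Read" right on those child objects, so the verification above only checks that the object exists.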

