Thanks for this. I'm working with it now, and I think a GPO that includes a powershell script might work.
Kurt

On Fri, Dec 1, 2017 at 12:44 PM, Steve Whitcher <[email protected]> wrote:
> As I said, it's been years since I set this up, but this was the
> documentation I followed for configuring everything on the AD side:
>
> https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
>
> Note that I don't believe you can do the TPM password backup anymore, just
> the Bitlocker recovery password.
>
> It looks like that article talks about setting local policies to require the
> key backup, I'm not sure why it wouldn't mention the group policy settings,
> but you'll want to look in group policy under:
> Computer\Policies\Administrative Templates\Windows Components\Bitlocker
> Drive Encryption
>
> There are various levels under that which contain relevant settings, but the
> big one will be under Operating System Drives, "Choose how
> BitLocker-protected operating system drives can be recovered" and inside
> that setting, enable the option for "Save Bitlocker recovery information to
> AD DS for operating system drives".
>
> On Thu, Nov 30, 2017 at 9:20 PM, Kurt Buff <[email protected]> wrote:
>>
>> Good enough. I'll take a look, but if you have more specifics, I'd
>> appreciate it.
>>
>> Kurt
>>
>> On Thu, Nov 30, 2017 at 5:20 PM, Steve Whitcher <[email protected]>
>> wrote:
>> > Yes, this can definitely be done, I've had our environment working this
>> > way for years. There is a GPO you can set to require bitlocker keys be
>> > backed up to AD. If that is set, bitlocker won't encrypt the drive if it
>> > can't save the key to AD.
>> >
>> > It was a little bit complicated when I set it up originally, but that
>> > was 6 or 7 years ago. The process may be simpler now. There was
>> > definitely a well documented process on technet back then for enabling
>> > the key backup.
>> >
>> > Steve
>> >
>> > On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <[email protected]> wrote:
>> >>
>> >> Anyone have a clue on how to do this - without setting up MBAM?
>> >>
>> >> AFAICT, there isn't a way to do this, but I'm throwing it out here to
>> >> see if I'm wrong. MBAM sets my teeth on edge, needing a SQL instance
>> >> and all that when all I want to do is provision new machines with
>> >> Bitlocker and get the key set up in AD in one go, and not hassle with
>> >> writing the key to a file, then running another (logon) script to get
>> >> the key imported into AD.
>> >>
>> >> Kurt
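Kurt's idea of a GPO-delivered PowerShell script, combined with the "save recovery information to AD DS" policy Steve points at, can be shown concretely. The script below is an added example written for this thread, not code posted by Kurt or Steve: a computer startup script that adds a recovery password protector, escrows it to the computer object in AD DS, and only then starts encryption with a TPM protector, so a failed escrow aborts before anything is encrypted (the same "no key in AD, no encryption" behaviour Steve describes for the GPO option). Everything it relies on is an assumption not stated in the thread: Windows 8 / Server 2012 or later (for the BitLocker PowerShell module), an initialized TPM, a domain-joined machine that can reach a domain controller, the AD-side preparation from the linked TechNet article already done, and the quoted GPO option enabled (without it, Backup-BitLockerKeyProtector fails). The computer name in the final comment is a placeholder.

```powershell
# Added example for this thread (not code from any of the posters): a GPO computer
# startup script that provisions BitLocker on the OS drive and escrows the recovery
# password to AD DS in the same run, refusing to encrypt if the escrow fails.
# Assumptions: Windows 8 / Server 2012+ (BitLocker module), initialized TPM,
# domain-joined machine with a reachable DC, AD-side setup from the TechNet
# article done, and the GPO option "Save BitLocker recovery information to
# AD DS for operating system drives" enabled.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'   # any failure below aborts the script
Import-Module BitLocker

$MountPoint = $env:SystemDrive    # normally "C:"

function Get-RecoveryPasswordProtectors {
    # Returns the RecoveryPassword protector(s) on the volume, adding one if none exists.
    param([string]$Volume)
    $rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # A 48-digit recovery password can be added before the volume is encrypted
        Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    return $rp
}

function Backup-RecoveryPasswordsToAd {
    # Escrows every recovery password protector to the computer object in AD DS.
    # Throws (and so aborts the script) if AD cannot be reached or the write is denied.
    param([string]$Volume)
    foreach ($p in Get-RecoveryPasswordProtectors -Volume $Volume) {
        Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "Escrowed recovery protector $($p.KeyProtectorId) for $Volume"
    }
}

# Escrow first, encrypt second: no key in AD means no encryption.
Backup-RecoveryPasswordsToAd -Volume $MountPoint

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # The TPM unlocks the OS drive at boot; -SkipHardwareTest skips the reboot-based
    # hardware test so the whole job completes in one startup-script run.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
    Write-Output "BitLocker encryption started on $MountPoint"
} else {
    Write-Output "$MountPoint already $($vol.VolumeStatus); only the AD escrow was refreshed"
}

# --- Admin-side check, run from a workstation with RSAT, not from the startup script.
# Lists the msFVE-RecoveryInformation child objects of a computer account so you can
# confirm the escrow landed. The object Name embeds the protector GUID, so it can be
# matched against KeyProtectorId above. Reading msFVE-RecoveryPassword needs delegated rights.
function Get-AdEscrowedRecoveryInfo {
    param([string]$ComputerName)
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Select-Object Name, whenCreated,
            @{ Name = 'RecoveryPassword'; Expression = { $_.'msFVE-RecoveryPassword' } }
}
# Example (placeholder computer name): Get-AdEscrowedRecoveryInfo -ComputerName 'WS-EXAMPLE'
```

Deployed as a computer startup script, this runs as SYSTEM, which is what lets the machine write its own msFVE-RecoveryInformation objects; the Get-AdEscrowedRecoveryInfo check is deliberately separate because the computer account cannot read the stored password back, and an administrator should verify the escrow from the AD side before trusting the drive is recoverable.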

