We have several Windows 10 laptops (Win10 Enterprise, most running Build 1803) here in our main office and in multiple co-locations. We are implementing BitLocker company-wide and we have a GPO that enables BitLocker and (should) save the BitLocker key to Active Directory. However, for some machines it has not been saving the key. I think this is only happening on machines that were already using BitLocker, because in each test I've done on a new machine where the GPO enables BL it also saves the key (I've yet to see it fail even once).
For existing machines that are using BitLocker but do not have their key saved in AD, I have been running this simple PowerShell command/script, either in a PSRemoting session or via Invoke-Command {block}:
$keyID = Get-BitLockerVolume -MountPoint c: | select -ExpandProperty keyprotector |
where {$_.KeyProtectorType -eq 'RecoveryPassword'}
Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $keyID.KeyProtectorId
However, I am trying to run this against a few machines and getting this error:
Backup-BitLockerKeyProtector : The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed.
(Exception from HRESULT: 0x8031000A)
At line:1 char:1
+ Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $keyID.Ke ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Backup-BitLockerKeyProtector
I am one of the Domain Admins. I've read that this is an issue with Win10 Build 1803 here and here. However, both links just mention enabling BitLocker, not necessarily saving the BL keys to ADDS retroactively. Any help appreciated.
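The check a practitioner would want before retroactively escrowing keys, as an added example that is not part of the original question: confirm the forest schema actually contains the BitLocker recovery class, back up every RecoveryPassword protector on the remote volume (a volume can carry more than one), and then verify from the AD side that a matching msFVE-RecoveryInformation object now sits under the computer account. It assumes the ActiveDirectory (RSAT) module on the admin workstation, WinRM access to the target, and a hypothetical $ComputerName parameter.

```powershell
# Added example, not the original poster's script. Assumes RSAT ActiveDirectory
# module locally, WinRM to the client, and a Domain Admin running it.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # hypothetical parameter
    [string] $MountPoint = 'C:'
)

# 1. Schema check: the error in the question is raised when this class is absent.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=msFVE-RecoveryInformation)'
if (-not $fveClass) {
    throw 'Forest schema lacks msFVE-RecoveryInformation; extend the schema before escrowing keys.'
}

# 2. On the client, escrow every RecoveryPassword protector, not just the first one.
$result = Invoke-Command -ComputerName $ComputerName -ArgumentList $MountPoint -ScriptBlock {
    param($mp)
    $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { return @{ Backed = 0; Ids = @(); Error = 'No RecoveryPassword protector on volume' } }
    $n = 0; $err = $null
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $n++
        } catch { $err = $_.Exception.Message }   # e.g. the 0x8031000A schema error
    }
    return @{ Backed = $n; Ids = @($rp.KeyProtectorId); Error = $err }
}

# 3. AD-side verification: recovery objects are child objects of the computer account,
#    and msFVE-RecoveryGuid holds the protector GUID, so we can match them one to one.
$computerDN = (Get-ADComputer $ComputerName).DistinguishedName
$escrowed   = Get-ADObject -SearchBase $computerDN -SearchScope OneLevel `
                -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties msFVE-RecoveryGuid
$adGuids    = foreach ($o in $escrowed) { ([guid]::new([byte[]]$o.'msFVE-RecoveryGuid')).Guid }
$missing    = @($result.Ids | Where-Object { ([guid]$_).Guid -notin $adGuids })

[pscustomobject]@{
    Computer           = $ComputerName
    ProtectorsBackedUp = $result.Backed
    ClientError        = $result.Error
    ObjectsInAD        = @($escrowed).Count
    ProtectorsNotInAD  = $missing
}
```

A non-empty ProtectorsNotInAD after a reported success usually means the client wrote to a domain controller that has not replicated yet, so re-run the AD-side check after replication before treating the machine as unescrowed.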