[German]Companies using BitLocker should be careful when upgrading to Windows 10 V1803. BitLocker recovery information cannot be backed up to Active Directory (AD). Here a short hint to save you a longer troubleshooting.
Some discussion within my German blog
The topic has already been discussed within my German blog in connection with the article Windows 10 V1803 als ‘Semi-annual’ deklariert und mehr (Windows 10 V1803 is declared ‘Semi-annual’ and business ready). German blog reader Markus K. commented there:
I haven’t heard yet that the Bitlocker AD-Backup problem is fixed. Without bitlockers, nothing is “ready for business” for us.
Microsoft really doesn’t want you to configure anything and use it exactly as you get it.
German blog reader Ingo mentioned within a comment: Bitlocker hasn’t backed up keys to the AD for ages. This is probably also intended, people should use MDOP MBAM.
For those not fluent with MDOP and MBAM, Microsoft documented it here. The Microsoft Desktop Optimization Pack (MDOP) is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management, reduce support costs, improve asset management and improve policy control, according to Microsoft. Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface for enterprise-wide encryption of BitLocker drives.
Since I’m not active in this environment, I can’t say or judge anything about it.
Microsoft Japan has published some advice
Blog reader Markus pointed me a few days ago to a Technet article published from Microsoft Japan. The translated title is BitLocker recovery information can not be saved in AD DS in Windows 10 1803 (I’ve linked the Google Translate page). This article confirms the above issue with the BitLocker Drive Encryption feature for Windows 10 version 1803. The technology support team writes::
It is reported that BitLocker recovery information cannot be stored in Active Directory in Windows 10 version 1803. If this problem occurs, the following error message appears.
The technical team confirms, there is no problem with the configuration of the Active Directory domain service schema, when this error message occurs while running Windows 10 version 1803. So you could stop troubleshooting this issue.
This problem occurs when the following two conditions are satisfied, and it does not occur when BitLocker is activated using the domain account credentials.
- We configured BitLocker recovery information to be stored in Active Directory by Group Policy. ( see the note below)
- You have activated BitLocker using local account credentials.
According to the post, this error does not occur when BitLocker is activated using the domain account credentials
How to check Group Policy
If you enable “Save BitLocker recovery information from xxxx to AD DS” in the following three group policies, BitLocker recovery information is stored in Active Directory when BitLocker encryption is started.
– Group Policy Name
[Select the recovery method for the BitLocker-protected operating system drive].
[Select the recovery method for the BitLocker-protected fixed data drive].
]Select how BitLocker-protected removable drives are to be recovered].
How to work around the problem
This problem occurs when you use local account credentials and there is no workaround for storing BitLocker recovery information in Active Directory with a local account. This can be remedied by enabling BitLocker in one of the following ways.
- Activate BitLocker with the domain administrator account.
- If the domain administrator account is unavailable, temporarily place the domain account in the local Administrators group and enable BitLocker.
The original article in Japanese is available at Technet Japan. Perhaps this will help some administrators affected to spare them additional troubleshooting.