Depends on which OS (cmd vs. PS).
If you just want to back up existing keys on domain-joined hosts, you would have to script that.
For "first timers" you can force the backup via GPO.
I also recommend making sure all devices have a TPM (and that it is correctly configured). Do not try to back up TPM owner information to AD; this simply did not work and created an error.

I basically stuck to this guide (with some new GPO settings for Windows 10):
https://technet.microsoft.com/en-us/library/dd875547(v=ws.10).aspx

Small advice: if you are still on 2008R2, create a security group to which you then delegate BitLocker recovery admin rights :)

What bugs me at the moment: how to get rid of old recovery keys in AD once the computer is reimaged, because every time a little more garbage is added to the computer object, which is now a container.

hth
Best,
Markus


On 01.12.2017 04:20, Kurt Buff wrote:
Good enough. I'll take a look, but if you have more specifics, I'd
appreciate it.

Kurt

On Thu, Nov 30, 2017 at 5:20 PM, Steve Whitcher <st...@whitcher.org> wrote:
Yes, this can definitely be done; I've had our environment working this way
for years. There is a GPO you can set to require BitLocker keys to be backed up
to AD. If that is set, BitLocker won't encrypt the drive if it can't save
the key to AD.

It was a little bit complicated when I set it up originally, but that was 6
or 7 years ago. The process may be simpler now. There was definitely a well
documented process on TechNet back then for enabling the key backup.

Steve
On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <kurt.b...@gmail.com> wrote:
Does anyone have a clue on how to do this without setting up MBAM?

AFAICT, there isn't a way to do this, but I'm throwing it out here to
see if I'm wrong. MBAM sets my teeth on edge, needing a SQL instance
and all that, when all I want to do is provision new machines with
BitLocker and get the key set up in AD in one go, and not hassle with
writing the key to a file and then running another (logon) script to get
the key imported into AD.

Kurt
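
The two scripted pieces Markus mentions, backing up the recovery keys of hosts that were already encrypted before the GPO applied, and clearing the stale msFVE-RecoveryInformation objects that pile up under a reimaged computer object, as an added PowerShell example that is not from the thread or from Microsoft's guide. It assumes a Windows 10 client with the BitLocker module for the first part and a host with the RSAT ActiveDirectory module and delete rights on the computer object for the second; the computer name and the per-object confirmation behaviour are illustrative choices. Stale objects are identified by comparing each object's msFVE-RecoveryGuid with the recovery-password protector IDs the host currently reports, rather than by age.

```powershell
# Added example for this thread, not code from Markus, Steve or the linked TechNet guide.
# Assumes: Windows 10 client with the BitLocker module (part 1, run elevated) and a host
# with the RSAT ActiveDirectory module and rights on the computer object (part 2).
# The computer name in the usage block is illustrative.

# ---- Part 1: run on the domain-joined client, elevated ----
# Pushes every recovery-password protector of every encrypted volume into AD.
# This is what "manage-bde -protectors -adbackup <drive> -id <id>" does per protector,
# i.e. the scripted step needed for machines encrypted before the GPO existed.
function Backup-ExistingRecoveryKeysToAD {
    Import-Module BitLocker
    $done = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to back up
        $rps = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rps) { Write-Warning "$($vol.MountPoint): no recovery password protector"; continue }
        foreach ($rp in $rps) {
            # The cmdlet takes the protector GUID, never the 48-digit password itself.
            BackupToAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            $done += [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = [guid]$rp.KeyProtectorId }
        }
    }
    $done
}

# ---- Part 2: run where the ActiveDirectory module is available ----
# The msFVE-RecoveryInformation children sit directly under the computer object.
# msFVE-RecoveryGuid is stored as an octet string and equals the protector GUID that
# Get-BitLockerVolume reports on the host, which is how live and stale are told apart.
function Get-ADRecoveryInfoForComputer {
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties whenCreated, 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid' |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                WhenCreated       = $_.whenCreated
                RecoveryGuid      = [guid][byte[]]$_.'msFVE-RecoveryGuid'
                VolumeGuid        = [guid][byte[]]$_.'msFVE-VolumeGuid'
            }
        }
}

# Removes recovery objects whose GUID is not among the protectors the host currently
# has. ConfirmImpact High means it prompts per object; -WhatIf only lists them.
function Remove-StaleADRecoveryInfo {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][guid[]]$CurrentProtectorIds   # .ProtectorId from part 1
    )
    $stale = Get-ADRecoveryInfoForComputer -ComputerName $ComputerName |
        Where-Object { $CurrentProtectorIds -notcontains $_.RecoveryGuid }
    foreach ($obj in $stale) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove msFVE-RecoveryInformation')) {
            Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
        }
    }
    $stale
}

# Usage (illustrative names):
#   $live = Backup-ExistingRecoveryKeysToAD                  # on the client
#   Remove-StaleADRecoveryInfo -ComputerName 'WS-0042' -CurrentProtectorIds $live.ProtectorId -WhatIf
#   Review the list, then rerun without -WhatIf to delete.
```

Matching on the recovery GUID rather than on object age is deliberate: a machine with several encrypted volumes, or one that had its recovery password rotated, legitimately carries more than one current object, and an age cut-off would eventually delete a key that is still the only way back into a live volume. Run the AD part only after part 1 has confirmed that every current protector is already stored.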
