VickVega
Brass Contributor
Jan 08, 2020

BitLocker encryption for remote machines

Hello,

We have created an SCCM-related Task Sequence to encrypt laptops.
As long as the machine is constantly connected to the network, the GPO that dictates saving the Recovery Key to AD works properly.
We see issues when a machine disconnected from the network (no VPN to the domain environment) is executing encryption.
Encryption works properly and the disk gets encrypted; however, even after manually executing the following command:

manage-bde -protectors -adbackup c: -id {xxx}

to push the key to AD (after establishing VPN connectivity to the domain), it is NOT getting populated in the corresponding "BitLocker Recovery" tab.

The result of the command is the usual:

Recovery information was successfully backed up to Active Directory.
Is there any way to troubleshoot this issue?
Thank you.
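One way to check whether the backup really reached the directory, as an added example that is not from this thread. It assumes the BitLocker and RSAT ActiveDirectory PowerShell modules, an elevated session, and VPN line of sight to a domain controller.

```powershell
# Added example (not from the thread): push the recovery password to AD DS and
# then verify it from both the client event log and the directory itself.
# Assumes: BitLocker + RSAT ActiveDirectory modules, elevated session, and
# rights to read msFVE-RecoveryInformation objects under the computer object.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory

$MountPoint = 'C:'

# 1. Find the recovery-password protector(s) on the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { throw "No RecoveryPassword protector on $MountPoint" }

# 2. Back each protector up to AD (same operation as manage-bde -adbackup).
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# 3. What did the client log? 845 = backup succeeded, 846 = backup failed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Confirm from the directory side: msFVE-RecoveryInformation objects are
#    children of the computer object, named "<timestamp>{<protector GUID>}".
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$adKeys = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties whenCreated

foreach ($p in $rp) {
    # KeyProtectorId already carries the braces, so it matches the CN directly.
    $hit = $adKeys | Where-Object { $_.Name -like "*$($p.KeyProtectorId)*" }
    if ($hit) { "OK   $($p.KeyProtectorId) stored in AD at $($hit.whenCreated)" }
    else      { "MISS $($p.KeyProtectorId) not found under $computerDn" }
}
```

A "MISS" with an 845 event on the client points at the object not being written where the "BitLocker Recovery" tab looks (or at replication/permissions on the DC you reached), which is more useful than the unconditional success text manage-bde prints.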

  • a-ron13
    Copper Contributor

    VickVega Hey, I just wanted to say that I'm seeing the exact same thing and this is the only post I've found online for it.

    Other than it being able to encrypt with the GPO applied that states "Require AD DS....", like you said, I can run "Manage-bde -protectors -adbackup C: -id {xxxx-xxxx-xxxx-xxxx}" with NO VPN and it will come back with "Recovery Information Successfully Backed Up To Active Directory".

    This is going to be a nightmare for rolling out encryption in a WFH scenario.
    Clearly a bug.

    • VickVega
      Brass Contributor
      a-ron13
      Sorry for the late reply.
      Completely agree, something that should have been thought of.
      • Markmani2
        Copper Contributor

        VickVega

        It's clearly a nightmare to roll out BitLocker when users are not constantly on VPN. I know MS would recommend going for Intune.