BitLocker encryption for remote machines


Hello,

We have created an SCCM-related Task Sequence to encrypt laptops.
As long as the machine is constantly connected to the network, the GPO that dictates saving the Recovery Key to AD works properly.
We see issues when a machine disconnected from the network (no VPN to the domain environment) is executing encryption.
Encryption properly works and disk gets encrypted, however even after manually executing the following command:

manage-bde -protectors -adbackup c: -id {xxx}

to push the key to AD (after establishing VPN connectivity to the domain) it is NOT getting populated in the corresponding "BitLocker Recovery" tab.

The result of the command is the usual:

Recovery information was successfully backed up to Active Directory.


Is there any way to troubleshoot this issue?

 

Thank you.
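One way to check for the symptom described above instead of trusting the manage-bde success message, as an added example that is not from this thread: list the local recovery password protectors and look for a matching msFVE-RecoveryInformation object under the computer's AD object. It assumes the ActiveDirectory RSAT module, a reachable domain controller, and an account permitted to read recovery information (Domain Admins by default); the function name Test-BitLockerAdBackup is made up for this example.

```powershell
# Added example, not from the thread: confirm each local BitLocker recovery
# password protector really has an msFVE-RecoveryInformation object in AD.
# Assumes: ActiveDirectory RSAT module, a reachable DC, and read rights on
# recovery information (Domain Admins by default). Run elevated on the client.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory -ErrorAction Stop

function Test-BitLockerAdBackup {
    param([string]$MountPoint = 'C:')

    # Local recovery password protectors; KeyProtectorId is "{GUID}"
    $local = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $local) { throw "No RecoveryPassword protector on $MountPoint" }

    # Fail loudly if no DC answers: manage-bde -adbackup does not
    $dc = Get-ADDomainController -Discover -ErrorAction Stop
    $server = $dc.HostName[0]

    # Recovery info objects are children of the computer object
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Server $server
    $inAd = Get-ADObject -Server $server -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated'

    # msFVE-RecoveryGuid is a 16-byte octet string; normalise to "{GUID}"
    $adGuids = @{}
    foreach ($obj in $inAd) {
        $g = [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
        $adGuids[$g.ToString('B').ToUpper()] = $obj.whenCreated
    }

    # One row per local protector: BackedUpInAD is the answer the
    # "successfully backed up" message does not actually give you
    foreach ($p in $local) {
        $id = $p.KeyProtectorId.ToUpper()
        [pscustomobject]@{
            MountPoint   = $MountPoint
            ProtectorId  = $id
            BackedUpInAD = $adGuids.ContainsKey($id)
            AdObjectDate = $adGuids[$id]
        }
    }
}

Test-BitLockerAdBackup -MountPoint 'C:' | Format-Table -AutoSize
```

A protector showing BackedUpInAD = False after a successful-looking manage-bde run is the case to escalate; re-running -adbackup for that protector ID once the DC is reachable and re-checking closes the loop.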

3 Replies

@VickVega Hey, I just wanted to say that I'm seeing the exact same thing and this is the only post I've found online for it.

 

Other than it being able to encrypt with the GPO applied that states "Require AD DS....", like you said, I can run "Manage-bde -protectors -adbackup C: -id {xxxx-xxxx-xxxx-xxxx}" with NO VPN and it will come back with "Recovery Information Successfully Backed Up To Active Directory".

 

This is going to be a nightmare for rolling out encryption in a WFH scenario.

 

Clearly a bug.

@a-ron13
Sorry for the late reply.
Completely agree, something that should have been thought of.

@VickVega 

It's clearly a nightmare to roll out BitLocker when users are not constantly on VPN. I know MS would recommend going for Intune.