Cannot Save Recovery Information for Bitlocker in Windows 7

Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group, and today’s blog will cover how to enable Bitlocker in Windows 7 while avoiding one of the most common issues we see when enabling Bitlocker using GPOs.

A common problem we have seen since the release of Windows 7 is that the Bitlocker recovery keys are not properly captured in Active Directory. This is most often caused by incorrect Bitlocker policy settings in the GPO.

How to enable Bitlocker using GPO.

1. Open Group Policy Management Console and create a new Group Policy.

2. Right click on the policy and click Edit; you will see a Group Policy Management Editor window.

3. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption.

You should see the below policy options for Bitlocker:


4. The policy we need to configure is: Provide Unique Identifiers for your organization.


5. Under the Fixed Data Drives section, enable the two policies shown in the screenshot. For more information on each policy, refer to the Help tab of that policy.


6. Under the Operating System Drives section, enable the three policies shown in the screenshot. For more information on each policy, refer to the Help tab of that policy.


· Require additional authentication at startup – set this policy according to your requirements. The available startup types are:

Configure TPM startup; Configure TPM startup PIN; Configure TPM startup key; Configure TPM startup key and PIN.

If you want to use TPM + PIN as the startup type, see the screenshot.


7. Under the Removable Data Drives section, enable the three policies shown in the screenshot. For more information on each policy, refer to the Help tab of that policy.


8. Turn on TPM Backup to AD Domain Services.

In Group Policy Management Editor, expand Computer Configuration -> Policies -> Administrative Templates -> System -> Trusted Platform Module Services.


Link the policy to the OU or domain that contains the computers on which you want to enable Bitlocker.

Run gpupdate /force on the client machine, then run rsop.msc to confirm that the policies have been applied.

If you don’t see the msFVE-RecoveryInformation object in AD, the policies are most likely not set correctly. You can also use the Bitlocker AD Recovery Password Viewer to view the Recovery Password.
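The following PowerShell script is an added example, not part of the original post: it checks the client-side registry values that the policies above write, and then looks for the msFVE-RecoveryInformation object under the computer account in AD. It assumes the script runs elevated on the client after gpupdate /force, that the RSAT ActiveDirectory module is installed, and that the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM correspond to these policies (an assumption, not something the post lists).

```powershell
# Added verification script (not from the original post).
# Assumptions: run elevated on the Windows 7 client after gpupdate /force; the RSAT
# ActiveDirectory module is available; the value names below are the ones the listed
# Bitlocker and TPM policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Each entry: registry location -> value that must be 1 for recovery info to reach AD DS
$required = @(
    @{ Key = $fve; Name = 'OSActiveDirectoryBackup';        Policy = 'OS Drives: store recovery info in AD DS' },
    @{ Key = $fve; Name = 'OSRequireActiveDirectoryBackup'; Policy = 'OS Drives: do not enable until backup succeeds' },
    @{ Key = $fve; Name = 'FDVActiveDirectoryBackup';       Policy = 'Fixed Data Drives: store recovery info in AD DS' },
    @{ Key = $fve; Name = 'RDVActiveDirectoryBackup';       Policy = 'Removable Data Drives: store recovery info in AD DS' },
    @{ Key = $tpm; Name = 'ActiveDirectoryBackup';          Policy = 'Turn on TPM backup to AD DS' }
)

# Check 1: are the GPO settings actually in effect on this client?
$missing = @()
foreach ($r in $required) {
    $v = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).$($r.Name)
    if ($v -ne 1) { $missing += "$($r.Policy)  [$($r.Name) = '$v']" }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Policies not applied on this client:`n  " + ($missing -join "`n  "))
} else {
    Write-Host 'All AD DS backup policies are in effect on this client.'
}

# Check 2: does AD already hold recovery information for this computer?
# msFVE-RecoveryInformation objects are created as direct children of the computer object.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$recovery = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties 'msFVE-RecoveryGuid', whenCreated

if (-not $recovery) {
    Write-Warning "No msFVE-RecoveryInformation found under $computerDn. Fix the policy settings above and re-run gpupdate /force before enabling Bitlocker."
} else {
    # One object per recovery password; whenCreated shows when each backup reached AD
    $recovery | Select-Object whenCreated, 'msFVE-RecoveryGuid' | Format-Table -AutoSize
}
```

If check 1 passes but check 2 finds nothing for a drive that was already encrypted before the policy arrived, the recovery information was never sent; the policy only governs backups made when a protector is created.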

For a video walkthrough of the steps in this blog, check out the following video. NOTE: It’s best viewed in full-screen high resolution.


Manoj Sehgal
Senior Support Engineer
Microsoft Enterprise Platforms Support