Backup-BitLockerKeyProtector : backup error

Anonymous
2024-02-03T19:00:24+00:00

Hi,

We have several older Windows 10 systems (no TPM) that have sensitive data on a non-system drive.

We are able to encrypt data drives, but the BitLocker recovery information is not getting saved to AD. The error we are getting states that GPO does not allow storage, however this is not true.

Backup-BitLockerKeyProtector : Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted.

I see many posts on the internet with people having the same problem and none of the offered solutions have worked for us.

What could be the next troubleshooting step?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2024-02-05T06:09:08+00:00

    Hello net_tech,

    Based on the error message you provided, it seems that there may be a Group Policy setting preventing the storage of recovery information to AD.

    One troubleshooting step you can try is to check the Group Policy settings on the affected systems to ensure that they allow the storage of recovery information to AD. You can do this by following these steps:

    1. Open the Group Policy Editor by typing "gpedit.msc" in the Run dialog box (press Windows key + R to open the Run dialog box).
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives (or Fixed Data Drives, if that's what you're encrypting).
    3. Check the "Choose how BitLocker-protected operating system drives can be recovered" (or "Choose how BitLocker-protected fixed data drives can be recovered") setting to ensure that it's configured to allow recovery information to be stored in AD.
    4. If the setting is not configured or is set to "Do not allow 48-digit recovery password", "Omit recovery options from the BitLocker setup wizard", or "Save BitLocker recovery information to AD DS for operating system drives", then recovery information will not be stored in AD. Change the setting to "Allow 48-digit recovery password", "Require 256-bit recovery key", or "Save BitLocker recovery information to AD DS for operating system drives and fixed data drives" to allow recovery information to be stored in AD.

    If the Group Policy settings are already configured correctly, then there may be another issue preventing the backup of BitLocker recovery keys to AD. In that case, you may need to consult with a Microsoft support professional (Global Customer Service phone numbers - Microsoft Support) for further assistance.

    Hope it helps.

    Regards,

    Lei

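A way to read the same policy settings the answer walks through in gpedit, but from PowerShell on the affected machine, and then retry the AD backup for a fixed data drive. This is an added example, not code from the thread or from Microsoft; the registry path and value names are the policy-backed BitLocker settings as I know them from the BitLocker ADMX, so verify them against your own templates, and the `D:` drive letter is an assumption.

```powershell
# Added example: inspect the fixed-data-drive BitLocker policy values that the
# Backup-BitLockerKeyProtector cmdlet consults, then retry the AD DS backup.
# Registry path/value names are assumed from the BitLocker ADMX; check them locally.
param(
    [string]$MountPoint = 'D:'   # assumed data-drive letter; set to the encrypted drive
)

$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No BitLocker policy values under $fve; policy may not have applied (try gpupdate /force, then gpresult /h report.html)."
}

# FDV* values come from the "Fixed Data Drives" node; OS* values (not checked here)
# come from "Operating System Drives" and do not govern a data drive.
$checks = [ordered]@{
    'FDVRecovery'                     = 'Choose how BitLocker-protected fixed data drives can be recovered (1 = enabled)'
    'FDVActiveDirectoryBackup'        = 'Save BitLocker recovery information to AD DS for fixed data drives (1 = on)'
    'FDVRecoveryPassword'             = '48-digit recovery password: 2 = allow, 1 = require, 0 = do not allow'
    'FDVRequireActiveDirectoryBackup' = 'Do not enable BitLocker until recovery info is stored in AD DS (1 = on)'
}
foreach ($name in $checks.Keys) {
    $value = if ($policy) { $policy.$name } else { $null }
    $shown = if ($null -eq $value) { 'unset' } else { $value }
    '{0,-32} {1,-6} {2}' -f $name, $shown, $checks[$name]
}

# AD DS only stores RecoveryPassword protectors, so a TPM-less data drive unlocked by
# password or auto-unlock still needs one for anything to be backed up.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Warning "$MountPoint has no RecoveryPassword protector; add one with Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector."
    return
}
foreach ($p in $rp) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        "Backed up protector $($p.KeyProtectorId) for $MountPoint to AD DS."
    } catch {
        # This is where the "Group policy does not permit the storage..." text surfaces.
        Write-Warning "Backup failed for $($p.KeyProtectorId): $($_.Exception.Message)"
    }
}
```

Run it from an elevated PowerShell session on the affected system; if the FDV values show as unset while the domain policy is enabled, the problem is policy application rather than the setting itself.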