Hi
I am having an issue with Bitlocker writing the recovery key back to AD – (Being enabled from a MDT task sequence).
MDT Version: 2013 6.3.8456.1000 (January 25th 2019)
Windows Client Version (deployed to): 1903
In my task sequence – State Restore, I have a step to Enable BitLocker:
Choose the drive to encrypt: Current operating system drive
Key Management: TPM only
Choose where to create the recovery key: In Active Directory
The drive encrypts but I get left with the recovery key written to a .txt file to the root of the C drive and nothing in AD.
I have ruled out it being AD schema related (Server 2012R2) as I have existing recovery keys written to AD by manually enabling BitLocker on machines.
I have the corresponding GPs applied (to the correct OU where the computer is) to write the recovery key to AD.
So what I have noticed is that if I put a pause in the TS just before enabling BitLocker, and do a manual gpupdate /force directly from the OS, and then continue, BitLocker enables and writes the key to AD. It definitely appears to be the situation that the GP hasn’t applied during deployment and as a result, the OS hasn’t got the necessary settings to write to AD.
(There are no Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE reg keys prior to gpupdating).
Has anyone else experienced this? I have read that gpupdate /force is not possible from a task sequence, which has left me ‘scratching my head’ a bit…
Thanks
Tom
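As an added example (not part of Tom's post, and not MDT's own code), here is a pre-flight check that could run as a "Run PowerShell Script" step placed before "Enable BitLocker": it verifies that the FVE policy key from the post actually carries the AD backup setting, tries one computer-scope Group Policy refresh if it does not, fails the step rather than letting BitLocker fall back to a plaintext .txt on C:\, and escrows any recovery password protector that already exists into AD DS. It assumes the value names written by the "Store BitLocker recovery information in Active Directory Domain Services" policy for operating system drives (OSActiveDirectoryBackup) and the BitLocker PowerShell module shipped with the client.

```powershell
# Added example, not from the original post. Assumes the OS-drive policy value
# OSActiveDirectoryBackup under the FVE policy key and the built-in BitLocker module.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$OsDrive   = $env:SystemDrive

function Test-FveAdBackupPolicy {
    # $true only when the policy telling BitLocker to escrow OS-drive
    # recovery information into AD DS has actually been applied.
    if (-not (Test-Path $FvePolicy)) { return $false }
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    return ($p.OSActiveDirectoryBackup -eq 1)
}

# 1. Policy missing (the symptom in the post): refresh computer GP once and re-check.
if (-not (Test-FveAdBackupPolicy)) {
    Write-Output "FVE AD backup policy not present; running gpupdate /target:computer /force"
    & gpupdate.exe /target:computer /force | Out-Null
}

if (-not (Test-FveAdBackupPolicy)) {
    # Fail the task sequence step loudly instead of encrypting with no AD escrow.
    Write-Error "BitLocker AD backup policy still not applied; aborting before Enable BitLocker."
    exit 1
}

# 2. Drive already protected (e.g. a rerun): push existing recovery passwords into AD.
Import-Module BitLocker
$vol = Get-BitLockerVolume -MountPoint $OsDrive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $kp.KeyProtectorId
    Write-Output "Escrowed recovery protector $($kp.KeyProtectorId) to AD DS"
}
exit 0
```

If the Group Policy refresh really cannot run inside the task sequence, the step exits non-zero and the sequence stops, which makes the missing policy visible in the deployment log instead of surfacing later as a stray C:\ text file.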