Home > Questions

Unable to save the BitLocker recovery key to Active Directory, what should I do?

We're trying to deploy BitLocker for an org and are having an issue where some computers fail to back up the BitLocker recovery key to AD and, consequently, do not encrypt the hard drives. The weirdest thing is that only SOME of the computers fail to back up the key. Others are just fine. Any ideas what can be happening and what can I do?

Best Answered by

iBoysoft author Ciki Liu

Ciki Liu

Answered on Thursday, January 12, 2023

 

In your case, you should check if the BitLocker Group Policy settings are applied to those two faulty computers. It's highly likely the GPO configurations are partially wrong or not applied to them at all. You can then fix the GPO settings not applying issue and that should solve your issue.

Most of the Group Policy settings work well when BitLocker is initially enabled on a drive. However, if the computer doesn't comply with current Group Policy settings, BitLocker can be disabled or turned off. The scenarios can include what you've mentioned in the post, such as being unable to back up the BitLocker recovery key in AD, and consequently not encrypting the computer.

To view your GPO settings with the gpresult command, you can follow the steps below for a more detailed guide.

Step 1. Click on the Windows Start button and type in command prompt.

Step 2. Select the command prompt program and right-click on it. Choose Run as administrator.

Step 3. Type in the following command to view your Group Policy Settings.

gpresult/r

Step 4. You can see from the results whether the BitLocker GPO is applied. If it does, you should double-check by running the command below.

gpresult/h

If you find none of the settings in GPO are there on the bad computers, there are some possible fixes you can try to solve the GPO settings not applying issue besides using the gpupdate /force command.

  • Disable User or Computer Settings in Group Policy Object. 
  • Block Inheritance and Enforcement in Group Policy Link.
  • Use the Group Policy Modelling Wizard.
  • Enable Group Policy Preferences Debug Logging.

If nothing works after trying out all methods mentioned above, you can only manually save and back up the BitLocker recovery key in a safe location.

People Also Ask

Read More Questions

Read More Advice From iBoysoft's Computer Experts

how to encrypt USB on Mac and Windows

How to encrypt, password protect USB drive for Mac & Windows PC usage?

How to encrypt, password protect USB flash drive for Mac and Windows PC usage? With help of M3 Mac BitLocker Loader, BitLocker encrypted USB flash drive can be used for Mac and Windows PC.

Bitlocker Tips

turn off bitlocker

How to turn off or disable BitLocker encryption in Windows10?

This article will tell you five methods to disable or turn off BitLocker encryption in Windows 10.

Bitlocker Tips

format bitlocker drive

Format BitLocker Drive with or Without Password/Recovery Key

Reading this post to know how to format BitLocker encrypted drive on Windows and macOS. You can format BitLocker drive with or without password and recovery key.

How to Tips