I’m working with MDT to load Windows 7 on laptops that need BitLocker. I have the TPM configured so that it’s enabled, activated, and owned; now I want to back up the recovery key to Active Directory. I have the Join Domain step near the end of the task sequence (with no reboot) so the domain logon message doesn’t interfere with software installs, so I figured I could create a local policy to back up to Active Directory and, when the Enable BitLocker step executed, it would automatically back up the key to AD. That didn’t work (I guess it needs a reboot?), so I created a scheduled task that runs on system startup to back it up to AD.
I configured the local policy on a workstation using the settings from https://www.mcbsys.com/wp-content/uploads/2014/09/BitLocker-in-AD-1.png. I then used the LocalGPO tool from the Security Compliance Manager, available here https://technet.microsoft.com/en-us/library/cc936627.aspx, to back up the settings (thanks to http://woshub.com/backupimport-local-group-policy-settings/ for pointing me in this direction). I also created a scheduled task that runs the following on boot:
cmd.exe /c for /f "tokens=2" %i in ('manage-bde.exe -protectors -get C:') do manage-bde.exe -protectors -adbackup C: -ID %i
(I know this loops through a few lines that error out, but the end result is the key is backed up.)
I exported the scheduled task as an XML and added it to the %scripts% folder (actually a “CUSTOM” subfolder).
Right before the Join Domain step, I have the following:
“Configure Local Policy for BitLocker” runs an application that just uses the files created by LocalGPO:
cscript.exe GPOPack.wsf /silent
and the “Create task to backup BitLocker key to Active Directory” step is a “Run Command Line” that runs schtasks.exe with the XML file of the scheduled task:
schtasks.exe /create /tn "Backup Bitlocker Key to Active Directory" /xml "%SCRIPTROOT%\CUSTOM\Backup Bitlocker Key to Active Directory.xml"
After joining the domain with no reboot, the Enable BitLocker step runs and starts encrypting the disk. The workstation does a final reboot at the end of the task sequence and the scheduled task backs up the key to AD.
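The startup task above works by parsing the text output of manage-bde and trying every second token as a protector ID, which is why some iterations error out. The following PowerShell script is an added example, not part of the original post or of MDT, that does the same AD backup through the Win32_EncryptableVolume WMI class that ships with Windows 7. It asks the volume only for its numerical-password (recovery password) protectors, which is the protector type AD stores, backs up each one, and retries a few times because a startup task can fire before the network and a domain controller are available. It assumes C: is the BitLocker-protected OS volume, that the task runs elevated (for example as SYSTEM, as the post's task does), that the machine is already domain-joined, and that the local policy the post applies with GPOPack is in place; the retry count and delay are arbitrary values chosen for the example.

```powershell
# Added example (not the original post's script): back up every BitLocker
# recovery-password protector on C: to Active Directory via WMI instead of
# scraping "manage-bde -protectors -get" with a for /f loop.
# Assumptions: runs elevated from the startup scheduled task, the computer is
# domain-joined, and the AD-backup local policy from the post is applied.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) {
    Write-Error 'No BitLocker-capable volume found for C:'
    exit 1
}

# KeyProtectorType 3 = numerical password (the 48-digit recovery password).
# TPM protectors (type 1) are not backed up to AD, so they are not requested.
$query = $vol.GetKeyProtectors(3)
if ($query.ReturnValue -ne 0) {
    Write-Error ("GetKeyProtectors failed with 0x{0:X8}" -f $query.ReturnValue)
    exit 1
}
$ids = @($query.VolumeKeyProtectorID)
if ($ids.Count -eq 0) {
    Write-Error 'C: has no recovery password protector; nothing to back up'
    exit 1
}

# Retry settings (constructed for this example): a startup task can run before
# the network stack is up or a domain controller is reachable.
$maxAttempts = 5
$delaySeconds = 30

$pending = $ids
for ($attempt = 1; $attempt -le $maxAttempts -and $pending.Count -gt 0; $attempt++) {
    $stillPending = @()
    foreach ($id in $pending) {
        # Writes an msFVE-RecoveryInformation object under the computer account.
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -eq 0) {
            Write-Output "Backed up protector $id to Active Directory"
        } else {
            Write-Warning ("Attempt {0}: backup of protector {1} failed with 0x{2:X8}" -f $attempt, $id, $r.ReturnValue)
            $stillPending += $id
        }
    }
    $pending = $stillPending
    if ($pending.Count -gt 0 -and $attempt -lt $maxAttempts) {
        Start-Sleep -Seconds $delaySeconds
    }
}

# Non-zero exit code = number of protectors that never reached AD, so the
# scheduled task's "Last Run Result" column shows whether the backup succeeded.
exit $pending.Count
```

Because the script exits with the number of protectors that were not backed up, the task history in Task Scheduler (or a line in the MDT logs if you call it from the task sequence) tells you whether the escrow actually happened, which the for /f loop cannot do since its final exit code only reflects the last manage-bde invocation. The protector ID that WMI returns is the same GUID that manage-bde prints, so the AD object can be checked afterwards with the BitLocker Recovery tab in Active Directory Users and Computers.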