Howdy folks,
OK - so we're looking to implement Windows BitLocker on all of our company laptops here in the building. All I'm really wanting to do is make sure all BitLocker information (and TPM information as that can come in handy) is backed up to Active Directory.
Here are the steps I've done so far (sorry if this is long winded):
- I have two Windows 2008 domain controllers. As such, Microsoft reports that their schemas by default support backing up BitLocker data (as they are extended by default, if I read the TechNet correctly).
- Applied the ACL script to give permissions to computers to update their own schema in Active Directory with their BitLocker information.
- Updated my GPMC to use a Central Store and copied over a VolumeEncryption.admx from a Windows 7 machine into the store - so I can now correctly assign GPOs for BitLocker.
- Created a GPO that forces the keys to be backed up to Active Directory (and prevents them from utilizing BitLocker until the keys are backed up).
Based on all of these steps, it appears I made a rookie mistake. It appears the above settings will work fine for a Windows 7 client machine - but the machine I'm of course testing on is a Windows 8 Enterprise laptop (most everyone in the building is Windows 7 - but we're looking to get them upgraded to 8 here late summer).
When I go to enable BitLocker, I get a nasty error reporting that the object is not available on the server when trying to initialize TPM. Further reading shows that I need to extend the AD schema as the way BitLocker backs up the information has changed in Windows 8 - per the following TechNet article:
http:/
Here's my boggle - can I use the .ldf files given in the above link to extend the schema in a Windows 2008 environment - or is this going to force me to upgrade my DCs to Windows 2008 R2 (or 2012)? I haven't been able to locate a definitive answer and was wondering if any Spicehead is currently utilizing BitLocker backup to AD in a 2008 environment.
It sounds like I'm so close to getting it functional - but need more experienced minds to double-check what I'm trying to perform here.
Any help greatly appreciated!
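One way to check where a setup like this stands, as an added example that is not part of the original post: the script below audits the AD schema for the BitLocker recovery attributes (present in a Windows Server 2008 schema) and for the msTPM-TpmInformationForComputer attribute (only present once the Windows 8 TPM schema extension has been applied), then lists whatever msFVE-RecoveryInformation objects already exist under a given computer object. It assumes the RSAT ActiveDirectory module and read access to the schema and the computer's container; the computer name LAPTOP01 is a constructed placeholder.

```powershell
# Added example (not from the original post): audit whether the AD schema
# has the BitLocker and TPM attributes, and whether a given computer already
# has BitLocker recovery information stored under its computer object.
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Schema names to look for. The first three ship in the Windows Server 2008
# schema; msTPM-TpmInformationForComputer only exists after the
# Windows 8 / Server 2012 TPM schema extension (.ldf) has been imported.
$wanted = @(
    'msFVE-RecoveryInformation',        # class: one object per recovery password
    'msFVE-RecoveryPassword',           # the 48-digit recovery password
    'msTPM-OwnerInformation',           # pre-Windows 8 TPM owner information
    'msTPM-TpmInformationForComputer'   # Windows 8 style link to the TPM object
)

function Test-BitLockerSchema {
    foreach ($name in $wanted) {
        $obj = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(lDAPDisplayName=$name)" -Properties lDAPDisplayName
        [pscustomobject]@{
            Name    = $name
            Present = [bool]$obj
        }
    }
}

function Get-BitLockerRecoveryBackup {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery passwords are stored as child objects of the computer object.
    $recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', 'whenCreated'
    if (-not $recovery) {
        Write-Warning "No BitLocker recovery information found under $ComputerName"
        return
    }
    foreach ($r in $recovery) {
        [pscustomobject]@{
            Computer     = $ComputerName
            VolumeGuid   = $r.'msFVE-VolumeGuid'
            BackedUp     = $r.whenCreated
            # Only the last block of the recovery password is shown; the full
            # value stays in AD and should not end up in logs or consoles.
            PasswordTail = ($r.'msFVE-RecoveryPassword' -split '-')[-1]
        }
    }
}

Test-BitLockerSchema | Format-Table -AutoSize
Get-BitLockerRecoveryBackup -ComputerName 'LAPTOP01'   # constructed name
```

The schema check is split on purpose: if the three msFVE/msTPM-OwnerInformation entries show as present but msTPM-TpmInformationForComputer does not, the recovery-password backup can already be verified per computer with the second function, and the remaining gap is the TPM schema extension rather than the BitLocker GPO or ACL work.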