Windows 7 Thread, in Technical: BitLocker driving me crazy
  1. #1


    BitLocker driving me crazy

    Hiho,

    Bitlocker is starting to give me a headache..
    Been trying to sort it out for the last day and a half and I've still got problems and am starting to struggle.
    I want to encrypt client devices and USB drives with BitLocker and have the recovery details backed up to AD.

    Let me explain what I've done so far.

    1) I've updated the schema and installed the BitLocker viewer feature = Success
    2) I ran the command "Cscript Add-TPMSelfWriteACE.vbs" to add the permission so the TPM recovery information can be backed up. This ran successfully; however, when looking at the security of the OUs in AD I noticed the permission wasn't set.
    I delegated control of the OU and added the permission to overcome this (I think the permission required was called "Write msTPM Owner" for the SELF user). I delegated control at the top OU and the permission has filtered down to the OUs below; however, the permission hasn't been set on the computers in the OU and I don't know why.
    This was causing a problem and giving me an error when trying to encrypt a laptop because the TPM failed to back up to AD. I fixed this by once again manually adding the permission to the client in AD; however, I shouldn't have to do this.

    3) I have a GPO for BitLocker set correctly to ensure all is backed up to AD
    4) Now, after manually adding the permission for TPM backup, the encryption process tried to move on to the next step and start encrypting the drive, but then I get an error "Access is denied"

    I'm attempting this from a domain admin account.
    I do get an error in event viewer (can't access the computer with the log, so will try to find it online).

    Has anyone got a similar set-up to what I'm trying to achieve and can offer any advice?
    I've done lots of searching around online, and testing settings etc.; however, nothing seems to fix my problem.

    Many thanks
    Last edited by ihaveaproblem; 23rd November 2011 at 05:25 PM.

  2. #2
    markcuk

  3. #3

    Yup, many times. I'll have another read now in case I'm missing something.

  4. #4

    This is the error I get in event viewer:
    Event ID 514

    Tried the suggestions with no luck.

  5. #5
    markcuk
    Is the computer or laptop definitely joined to the domain? You could try rejoining it. Cannot find much else, to be honest.

    This guide shows a bit more: http://www.windowsecurity.com/articl...ker-Part2.html
    Last edited by markcuk; 23rd November 2011 at 06:12 PM.

  6. #6

    100% on domain =]
    Can access network resources, netlogon, ping DNS servers / DCs and everything else.

  7. #7

    Just a quick thought, does your HDD already have the system partition? Before it starts encrypting it needs to create a system boot partition by resizing your main partition. If you have some sort of boot sector protection enabled in BIOS it may prevent this from working.

  8. #8
    jamesreedersmith
    Does the laptop have a TPM module installed?

  9. #9

    mac_shinobi
    When you are encrypting the laptop, are you logged in with a domain admin account?

    As above, the TPM / security settings are enabled in the BIOS, and after rebooting (it has been Lenovo laptops we have) it prompts to press F10 to enable the TPM chip; you log back in using the same domain admin account and then it should prompt you with the encryption dialog once logged in, and you go through this.

    Also, when do you get the error(s), if any, or is this you physically going into the event viewer to find the above-mentioned error ID?

    As a side note, we have had some Lenovo laptops with a faulty TPM chip and have had to get Lenovo to swap the motherboard on said laptops: you get as far as enabling the TPM chip by pressing F10, logging back in, and it gives some error about not being able to encrypt the drive and then reboots again, and you press F10 to disable the TPM chip.

    Also, it might be worthwhile being physically connected to the domain / network, aka not on wireless. Are there any security groups the laptop is meant to be a member of, or any group policies that need to apply? If so, then gpresult and gpupdate /force etc. may come in handy, and also checking that the computer object in AD has the correct security groups, if they are required / needed.

  10. #10

    Thanks all.
    Laptop has the partition, I believe. The hard drive has two partitions, the small 100 MB system reserved partition and then the main partition (the default Windows 7 makes when formatting).
    Laptop has a TPM module and it's enabled. In one of the first steps during the BitLocker process I get asked to reboot and then it gives me a message saying "press F10 to enable TPM".
    GPO has applied correctly, and also the user account I'm using is a member of the domain admins. All security groups look correct to me.
    I did try using wired instead of wireless, but again, unfortunately no luck.
    The errors I get are from event viewer; I'll check them again to make sure the one I posted last night was correct.

  11. #11

    These are the two errors from event viewer:

    event id 24624
    BIOS/TCG Memory Overwrite Control: Error changing value.
    event id 514
    Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
    Errorcode: 0x80070005

  12. #12

    Sorry for triple post..
    The same problem occurs if I try to encrypt a USB drive.
    I enter a password for the drive, and then it moves on and asks me to start encrypting. I tell it to start and then it looks as if it's going to run, but then gives "access is denied".
    In event viewer I get the exact same log about failing to back up to AD.
    It must be that AD isn't configured correctly to accept backups? I really don't know why, though, as I've done everything it says in the instructions.

  13. #13
    markcuk
    Maybe a BIOS update.

    Another guide: Enable BitLocker, Automatically save Keys to Active Directory | Concurrency Blog

    Found this:

    Before configuring these settings, you need to ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup. I would like to confirm: did you extend the schema via BitLockerTPMSchemaExtension.ldf and set the required permissions via Add-TPMSelfWriteACE.vbs successfully? You may check if the following BitLocker schema extensions are contained in the Active Directory schema:

    • ms-FVE-RecoveryPassword
    • ms-FVE-RecoveryGuid
    • ms-FVE-VolumeGuid
    • ms-FVE-KeyPackage

    After that, please make sure that the GPO is linked to an OU, Domain or Site which contains the Windows 7 computers. Please note, a GPO cannot be linked to other containers.

    Next, please verify if the policy is working on the clients as "Florian Frommherz" mentioned. Please run the command gpresult /v on the Windows 7 clients to check if the GPO is applied successfully.
    Last edited by markcuk; 24th November 2011 at 01:06 PM.

  14. #14

    Schema is there.
    Looked on the DC and here is a screenshot of what I see.

    Already ran "cscript Add-TPMSelfWriteACE.vbs" a few times and it said it was successful.
    OU structure is similar to this:
    Domain
      --- Managed Computers
          --- Student
          --- Staff
              -- Laptop
              -- Desktop
    I've delegated the permissions on the Managed Computers OU to give the permissions for "msTPM-OwnerInformation" to 'SELF' (OUs below inherit this permission; however, if I check computer objects they don't, and I have to manually add the permission).
    GPO is applied to the Managed Computers OU and computers are getting the settings. GPRESULT has been run to confirm this, and if I change a BitLocker setting and run GPUPDATE the change takes effect.

    If I remove the policy forcing the recovery keys to be backed up to AD I get no errors, but then of course AD is not backing these up.
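
A PowerShell audit of the two AD-side points raised in the last two posts: whether the ms-FVE / msTPM schema extensions from the quoted guide exist, and whether each computer object under the OU actually has the SELF write ACE on msTPM-OwnerInformation that the posts say is not reaching the computer objects. This is an added example, not code from the thread or from Microsoft's Add-TPMSelfWriteACE.vbs; the OU DN is a placeholder and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread): audit the AD-side prerequisites the
# posts above are debugging. Assumes the RSAT ActiveDirectory module and a
# placeholder OU DN; run as an account that can read the schema and ACLs.
Import-Module ActiveDirectory

$ou       = 'OU=Managed Computers,DC=example,DC=local'   # placeholder, change to yours
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Confirm the BitLocker / TPM schema extensions exist. Schema objects are
#    matched on cn or lDAPDisplayName, so either naming form from the thread works.
$attrs = 'ms-FVE-RecoveryPassword', 'ms-FVE-RecoveryGuid', 'ms-FVE-VolumeGuid',
         'ms-FVE-KeyPackage', 'msTPM-OwnerInformation'
foreach ($a in $attrs) {
    $hit = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(|(cn=$a)(lDAPDisplayName=$a))"
    '{0,-26} {1}' -f $a, $(if ($hit) { 'present' } else { 'MISSING: schema not extended' })
}

# 2. ACEs identify an attribute by its schemaIDGUID, not by name, so resolve
#    the GUID of msTPM-OwnerInformation once.
$tpmAttr = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
               -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)'
$tpmGuid = [guid]$tpmAttr.schemaIDGUID

# 3. For every computer under the OU, read its effective ACL (inherited ACEs
#    included, which is what the client actually gets) and look for an Allow
#    WriteProperty on that attribute granted to SELF. A computer without it
#    cannot write its own TPM owner information, one cause of the
#    access-denied (0x80070005) backup failures quoted in the thread.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $tpmGuid -and
        $_.ActiveDirectoryRights.HasFlag($writeProp)
    } | Select-Object -First 1
    [pscustomobject]@{
        Computer        = $_.Name
        TpmSelfWriteAce = [bool]$ace
        Inherited       = $(if ($ace) { $ace.IsInherited } else { $null })
    }
} | Format-Table -AutoSize
```

Computers listed with TpmSelfWriteAce = False are the ones that would need the permission added (or the inheritance fixed) before the GPO-enforced AD backup can succeed.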

  15. #15

    I am going crazy as well. Why is the GPO NOT being applied? You say "it cannot be linked to other OUs"? Clarify please: are you saying only one BitLocker GPO per OU, cannot use the same GPO for multiple OUs? I have set it to enforced on two OUs; it does NOT seem to get applied.
    Also get error...
    Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
    Errorcode: 0x80005000
    Protector GUID: {724ff397-cae6-4fa9-8291-6dfb87cf286e}
    Volume GUID: {0fd29116-955d-4429-8fc5-a9ff41986586}
    Last edited by Poomba1; 12th January 2012 at 08:13 PM.
