TPM had to be reintialized: Does a new recovery password have to be uploaded to AD?
Solution 1:
When BitLocker encrypts a drive it keeps the master encryption key on the drive itself, though not in plain text. The master password is kept itself encrypted by "Protectors". Each of these keeps a separate copy of the master key as only the protector that encrypted it can decrypt that copy of the master key.
When you have Windows encrypt a volume through the GUI it typically creates two protectors: a Recovery Password (RP) and a TPM key. As noted above, these are stored completely separately. If you have the GPO configured each time a RP is create it is stored in AD. This is completely automatic and if you have the GPO configured a RP cannot be saved to disk without uploading to AD (ie, no offline RP creation as AD wouldn't be available).
I strongly suggest ditching the GUI. It glosses over the function of BitLocker too much for a system administrator, and the actual operation of BitLocker really isn't that complicated. The CLI utility manage-bde
comes with every version of Windows that supports BitLocker. It's pretty straight forward, though the syntax is a bit verbose.
To see what the laptop's drive is doing right now simply run manage-bde -status C:
. As for TPM issues, after unlocking the PC and booting Windows I always run manage-bde -protectors -get C:
, copy the ID for the TPM protector (including brackets), then run manage-bde -protectors -delete C: -id {the_id_you_copied}
and finally manage-bde -protectors -add C: -tpm
. It's 30 seconds more work, but you know exactly what it's doing, and exactly where you stand afterward.
Solution 2:
I know this is old, got here looking for something else, but in my experience the automatic upload to AD after a change like that isn't always successful. I've been bitten at work several times because of this. After the 2nd time getting bit, I decided to script the upload process to ensure it happens instead of depending upon the automagic upload process that is supposed to happen. Here is what I wrote (BitLocker_UploadToAD.cmd):
@Echo Off
cls
SETLOCAL
for /F "tokens=*" %%a in ('c:\windows\system32\manage-bde -protectors -get c: -type recoverypassword ^| findstr "ID: " ') DO SET ID=%%a
ECHO ID FOR DRIVE C IS: %ID%
ECHO.
ECHO REMOVING COLON AND ADDING HYPHEN TO BEGINNING...
ECHO.
set ID=-%ID::=%
ECHO NEW VALUE:
ECHO %ID%
ECHO.
ECHO BACKING UP TO AD...
c:\windows\system32\manage-bde -protectors -adbackup c: %ID%
ECHO.
ECHO DONE (PLEASE CHECK AD TO VERIFY IT WORKED)
PAUSE