Windows 11 Pro Bitlocker is not allowing save key to AD as an option

Anonymous
2024-11-12T19:15:21+00:00

I have a GPO set up and it has been working flawlessly for Windows 10 Pro. We are now starting to roll out Windows 11 Pro but are having trouble getting BitLocker to encrypt.

I've updated the SYSVOL with the latest admx files and I have verified the GPO is being applied with gpresult, but when I try to enable BitLocker it starts through the wizard, verifies PC requirements, creates a recovery drive, and when it asks me to back up my recovery key, AD is not an option.

I was shocked it wasn't automatically encrypting to begin with. Our Windows 10 PCs start encryption with the same GPO and store the key to AD automatically.

***moved from Windows / Windows 11 / Security and privacy***


8 answers

  1. Anonymous
    2024-11-13T13:30:13+00:00

    Hello Charles_MH,

    Thank you for posting in Microsoft Community forum.

    It sounds like you're experiencing an issue with BitLocker and group policies on Windows 11. Here are a few steps you can take to troubleshoot and resolve this issue:

    1. Verify BitLocker Group Policy Settings:

    Ensure that the BitLocker policy settings are correctly configured for Windows 11 Pro.

    You can try putting one Win 11 Pro PC in the same OU as the Win 10 Pro PCs.

    2. Check group policy result.

    To check Computer Configuration within gpresult, follow the steps below.

    Log on to this machine using an administrator account.

    Open CMD (run as Administrator).

    Type gpresult /h C:\gpo.html and press Enter.

    Open gpo.html and check the GPO settings under "Computer Details".

    3. Please check whether the problem occurs on only one Win 11 Pro PC or on all the Win 11 Pro PCs.

    4. Review Event Logs:

    Check the Event Viewer logs on the Windows 11 machines for any BitLocker-related errors or warnings. This can often provide more specific information about what might be going wrong.

    5. Ensure Windows 11 Pro Compliance:

    Ensure your Windows 11 devices meet all of the necessary prerequisites and system requirements for BitLocker to function correctly.

    6. Testing on a New Policy:

    Create a new GPO specifically tailored for one Windows 11 machine and test if applying this resolves the issue as a temporary measure. This helps in isolating whether the issue is with the existing GPO configurations.

    Back up your BitLocker recovery key - Microsoft Support

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-11-13T13:54:05+00:00

    Thanks for the reply but...

    1. All the settings are in the pics in the first post and both Win10 and Win11 PCs are in the same OU
    2. As stated above, I've verified in the gpresult output that the GPO is being applied
    3. This only occurs on Win11 PCs
    4. I do have 1 error that might be related... "TPM-WMI" The Secure Boot update failed to update a Secure Boot variable with error The parameter is incorrect
    5. New PC with TPM
  3. Anonymous
    2024-11-13T19:23:31+00:00

    I created a whole new GPO and now I get the following options but still no AD...

  4. Anonymous
    2024-11-14T11:22:07+00:00

    Hello

    Greetings!

    I can see the five locations where the key can be backed up. For more information, please read the link below.

    Back up your BitLocker recovery key - Microsoft Support

    Best Regards,
    Daisy Zhou

  5. Anonymous
    2024-11-14T12:06:43+00:00

    I know what those options are that I see but the one I DON'T see is Active Directory. I need AD as the option.

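
The policy and event-log checks suggested in the first answer can be scripted on the affected PC. This is an added example, not part of the original thread. It is read-only and assumes an elevated PowerShell prompt, and the value names are the ones the "Choose how BitLocker-protected operating system drives can be recovered" policy writes under the FVE policy key.

```powershell
# Added example (not from the thread). Read-only; run from an elevated PowerShell prompt.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry values written by the OS-drive recovery policy. A missing value means
# that part of the GPO never reached this PC, even if gpresult lists the GPO as applied.
$names = 'OSRecovery', 'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup',
         'OSActiveDirectoryInfoToStore', 'OSHideRecoveryPage'

if (Test-Path $fve) {
    $policy = Get-ItemProperty -Path $fve
    $names | ForEach-Object {
        $v = $policy.$_
        [pscustomobject]@{
            Setting = $_
            Value   = if ($null -eq $v) { '<not set>' } else { $v }
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning "No policy key at ${fve}; no BitLocker GPO settings reached this PC."
}

# State of the system drive and which key protectors currently exist on it.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-List

# Recent critical, error and warning events from every BitLocker channel on this build.
# Channels are discovered by wildcard instead of being hard-coded.
Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $filter = @{ LogName = $_.LogName; Level = 1, 2, 3 }
        Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
    Format-List
```

Running the same script on a working Windows 10 PC in the same OU gives a baseline to compare the policy values against.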