Windows Active Directory BitLocker deployment


A streamlined way of managing BitLocker in your environment would be to consider a multi-discipline approach.

Group Policy

Set your group policy to automatically back up the recovery key to Active Directory, and to not encrypt the computer if the recovery key isn't stored in AD. Also, if the users will be encrypting their own machines, disable prompting for PINs and passwords, unless you use them in your environment.

Deployment

Create a plan for encrypting machines that are already in the environment vs. newly built workstations. New workstations are typically easier, as BitLocker requires a system partition to exist on the workstation for storing its bootloader. Depending on your imaging process this may or may not exist on your current workstations, and if not, a separate step would have to be run to prepare the hard drive for BitLocker, but the command escapes me at the moment. The GUI will do it automatically and requires a reboot before continuing; I have to assume the command line is the same way. manage-bde can also be used to back up the recovery key of machines that have already been encrypted (as in, before your group policy was implemented) to Active Directory. Of course, you also have to take into account TPM chip enabling and activation when talking about an automated BitLocker deployment.

Maintenance/Disaster Recovery

Backing up recovery keys to Active Directory is okay, but it's gone when the computer account is blown away. No big deal if the machine has been disposed of, but it could be a major issue if this was just a laptop that was off the network for a while and got subject to an AD cleanup script. PowerShell can be used to retrieve backup keys from Active Directory, if this is something you want to think about.
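The following PowerShell is an added worked example, not code from the answer above, tying its three sections together: checking that the TPM is enabled and activated, escrowing the recovery password of an already-encrypted machine into AD with manage-bde, and reading it back out of the msFVE-RecoveryInformation objects before a cleanup script can take the computer account (and the keys with it). Function names are mine and the OU path in the usage comment is hypothetical. Two facts the answer leaves open: the drive-preparation command it alludes to is the BitLocker Drive Preparation Tool, bdehdcfg.exe (for example bdehdcfg -target default -size 300 -restart, which does need a reboot), and for Windows 7 and later the AD escrow settings live under Operating System Drives > "Choose how BitLocker-protected operating system drives can be recovered", where "Do not enable BitLocker until recovery information is stored to AD DS" is the "don't encrypt unless escrowed" switch; the "Windows Server 2008 and Windows Vista" setting discussed in the comments applies only to those OS versions.

```powershell
# Added example, not part of the original answer. Assumes: the first two functions run
# elevated on the client (manage-bde and Win32_Tpm exist on Windows 7 Enterprise/Ultimate
# and later); the third runs from a box with the RSAT ActiveDirectory module and read rights
# on the msFVE-RecoveryInformation objects. All function names are my own.

function Test-TpmReady {
    # Win32_Tpm works on Windows 7 too; the Get-Tpm cmdlet needs Windows 8 / Server 2012 or newer.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM visible to the OS; enable it in the BIOS/UEFI first.' }
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Backup-BitLockerRecoveryToAD {
    # Escrows every numerical (48-digit) recovery password on the volume into the computer's
    # AD account: the manual equivalent for machines encrypted before the GPO existed.
    param([string]$MountPoint = 'C:')

    $text = (manage-bde -protectors -get $MountPoint) -join "`n"
    if ($text -notmatch 'Numerical Password') {
        # A TPM-only volume has nothing to escrow; add a recovery password protector first.
        manage-bde -protectors -add $MountPoint -RecoveryPassword | Out-Null
        $text = (manage-bde -protectors -get $MountPoint) -join "`n"
    }

    # manage-bde prints "Numerical Password:" followed by "ID: {GUID}" on the next line.
    $ids = [regex]::Matches($text, 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]{36}\})') |
           ForEach-Object { $_.Groups[1].Value }
    foreach ($id in $ids) {
        manage-bde -protectors -adbackup $MountPoint -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD backup failed for protector $id (exit code $LASTEXITCODE)" }
    }
    $ids   # protector IDs that were escrowed
}

function Get-ADBitLockerRecoveryInfo {
    # Reads recovery passwords back out of AD. They are msFVE-RecoveryInformation child objects
    # of the computer account, which is why deleting the account (stale-object cleanup included)
    # deletes the keys with it.
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{ n = 'Computer';         e = { $ComputerName } },
                      @{ n = 'ProtectorId';      e = { (New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')).ToString('B').ToUpper() } },
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } },
                      whenCreated
}

# Usage: first two on the client, the third from an admin workstation.
#   Test-TpmReady
#   Backup-BitLockerRecoveryToAD -MountPoint 'C:'
#   Get-ADBitLockerRecoveryInfo -ComputerName 'LAPTOP01'
# Before a computer-account cleanup script runs, take a copy out of AD (hypothetical OU):
#   Get-ADComputer -Filter * -SearchBase 'OU=Laptops,DC=example,DC=com' |
#       ForEach-Object { Get-ADBitLockerRecoveryInfo -ComputerName $_.Name } |
#       Export-Csv -NoTypeInformation -Path .\bitlocker-keys.csv   # treat like a password-vault export
```

The ProtectorId column is printed in the same {GUID} form that manage-bde -protectors -get shows, so a helpdesk can match the ID a locked machine displays on its recovery screen against the AD copy. The exported CSV contains plaintext recovery passwords; store it with the same controls you would apply to a password vault and delete it once the accounts it covers are gone.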


Author: Edward Ned Harvey

Updated on September 18, 2022

Comments

  • Edward Ned Harvey
    Edward Ned Harvey over 1 year

    I am experimenting with BitLocker deployment via AD at work. Have googled all over the internet, but the most useful reference seems to be:

    Server 2012 R2, fully updated. Test client is Windows 7 Ultimate 64bit, fully updated.

    For some reason, it's not working - How can I find out what's wrong? I created a GPO, linked it to an OU, joined the Win7 machine onto the domain, and moved the Win7 machine into the OU. I would expect it (perhaps incorrectly?) to simply start encrypting, and save the BitLocker recovery key into AD somewhere (not sure yet where to find that.) But it does nothing.

    Checked in BIOS that the TPM is enabled. I tried 'gpupdate /force' and rebooting the Win7 machine ... But still, nothing.

    • Computer / Policies / Admin Templates / System / TPM Services
      • (Disabled) Turn on TPM backup to AD
    • Computer / Policies / Admin Templates / Windows Components / BitLocker Drive Encryption
      • (Enabled) Store BitLocker recovery info in AD (Server 2008 and Vista)
    • Computer / Policies / Admin Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
      • (Enabled) Enforce drive encryption on operating system drives

    The first thing I notice is that it only says "2008 and Vista" ... Are there supposed to be some additional settings somewhere else for Win7 and 8?

    Gosh, it would be really nice to find some way of diagnosing why it's not working, rather than guessing blindly... Also, if anyone has done this successfully and documented the process?

    • quadruplebucky
      quadruplebucky about 10 years
      Windows 7 Pro does not have BitLocker.
    • jscott
      jscott about 10 years
      @quadruplebucky is correct. For Windows 7 you'll need Enterprise or Ultimate to use BitLocker. Perhaps they'll consider making their comment into an answer.
    • MDMoore313
      MDMoore313 about 10 years
      Please follow up after joining a Win7 Ent or Ultimate to your domain and trying to enable BitLocker. Also, note that you don't 'Turn on BitLocker from AD', as BitLocker is not centrally managed in that regard. The only thing AD can do is back up the recovery keys, which can be forced through group policy.
    • Edward Ned Harvey
      Edward Ned Harvey about 10 years
      Dang it! I am sorry. I have gotten used to Win 8 Pro having BitLocker, and I wrote this question wrong. I have Win 7 Ultimate, and it does have BitLocker. I apologize. When I go to Control Panel and open BitLocker Drive Encryption, it shows the C: drive is not encrypted, and I could click to Turn On BitLocker, but obviously, I don't.
    • Edward Ned Harvey
      Edward Ned Harvey about 10 years
      @MDMoore313 Perhaps I'm just using it wrong then. Are you saying that BitLocker won't automatically turn itself on as a result of group policy? But I can skip the step of saving the recovery key manually? I should actually click on the "Turn On BitLocker" feature in Control Panel? And then the recovery key will be saved in AD automatically and start encrypting? I'll give that a try...
    • Robbietjuh
      Robbietjuh about 10 years
      Have a look here: blogs.technet.com/b/askcore/archive/2010/02/16/… (Don't mind the title/url, it's a bit misleading...)