I am experimenting with bitlocker deployment via AD at work. Have googled all over the internet, but the most useful reference seems to be:
Server 2012 R2, fully updated. Test client is Windows 7 Ultimate 64bit, fully updated.
For some reason, it's not working - How can I find out what's wrong? I created a GPO, linked it to an OU, joined the win7 machine onto domain, and moved the win7 machine into the OU. I would expect it (perhaps incorrect?) to simply start encrypting, and save the bitlocker recovery key into AD somewhere (not sure yet where to find that.) But it does nothing.
Checked in BIOS that the TPM is enabled. I tried `gpupdate /force` and rebooting the win7 machine ... But still, nothing.
- Computer / Policies / Admin Templates / System / TPM Services
  - (Disabled) Turn on TPM backup to AD
- Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption
  - (Enabled) Store bitlocker recovery info in AD (Server 2008 and Vista)
- Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption / Operating System Drives
  - (Enabled) Enforce drive encryption on operating system drives
The first thing I notice is that it only says "2008 and Vista" ... Are there supposed to be some additional settings somewhere else for Win7 and 8?
Gosh, it would be really nice to find some way of diagnosing why it's not working, rather than guessing blindly... Also, if anyone has done this successfully and documented the process?
A streamlined way of managing bitlocker in your environment would be to consider a multi-discipline approach.
Group Policy
Set your group policy to automatically backup the recovery key to active directory, and to not encrypt the computer if the recovery key isn't stored in AD. Also, if the users will be encrypting their own machines, disable prompting for PINs and Passwords, unless you use them in your environment.
Deployment
Create a plan for encrypting machines that are already in the environment, vs. newly built workstations. New workstations are easier typically, as bitlocker requires a system partition to exist on the workstation, for storing its bootloader. Depending on your imaging process this may or may not exist on your current workstations, and if not a separate step would have to be run to prepare the hard drive for bitlocker, but the command escapes me at the moment. The GUI will do it automatically and requires a reboot before continuing, I have to assume the command line is the same way.
`manage-bde` can also be used to back up the recovery information of machines that have already been encrypted, as in before your group policy was implemented, to Active Directory. Of course, you also have to take into account TPM chip enabling and activation when talking about an automated bitlocker deployment.
Maintenance/Disaster Recovery
Backing up recovery keys to Active Directory is okay, but it's gone when the computer account is blown away. No big deal if the machine has been disposed of, but could be a major issue if this was just a laptop that was off the network for a while, and got subject to an AD cleanup script. PowerShell can be used to retrieve backup keys from Active Directory, if this is something you want to think about.
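As an added example (not part of the answer above), this is the kind of PowerShell the "retrieve backup keys from Active Directory" point refers to. It assumes the RSAT ActiveDirectory module on a management host and an account that has been delegated read access to the msFVE-RecoveryInformation objects; the function names are my own. It also shows the "AD cleanup" risk in practice: the recovery objects are children of the computer account, so exporting them before a stale-account purge is the only way they survive it.

```powershell
Import-Module ActiveDirectory

# List every recovery password escrowed for one computer account.
# Recovery data lives in msFVE-RecoveryInformation objects one level
# below the computer object, one object per numerical password.
function Get-BitLockerRecoveryFromAD {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
      ForEach-Object {
        # Both GUID attributes are stored as octet strings (byte[]); wrap them.
        $keyGuid = New-Object System.Guid -ArgumentList (,$_.'msFVE-RecoveryGuid')
        $volGuid = New-Object System.Guid -ArgumentList (,$_.'msFVE-VolumeGuid')
        [pscustomobject]@{
            Computer         = $ComputerName
            BackedUp         = $_.whenCreated
            # The first 8 hex digits of this value are the "Key ID" shown on
            # the BitLocker recovery screen.
            RecoveryKeyId    = $keyGuid.Guid
            VolumeGuid       = $volGuid.Guid
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
      }
}

# Helpdesk lookup: a user reads the first 8 characters of the Key ID from the
# recovery screen; find the matching object anywhere in the domain. The CN of
# each recovery object ends with "{<recovery GUID>}", so a name wildcard works.
function Find-BitLockerRecoveryByKeyId {
    param([Parameter(Mandatory)][string]$KeyIdPrefix)

    Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$KeyIdPrefix*))" `
        -Properties msFVE-RecoveryPassword |
      Select-Object Name, DistinguishedName, msFVE-RecoveryPassword
}

# Export recovery data for an OU before running any stale-computer cleanup,
# since deleting the computer object deletes its recovery objects with it.
function Export-BitLockerRecoveryForOU {
    param([Parameter(Mandatory)][string]$OuDistinguishedName,
          [Parameter(Mandatory)][string]$CsvPath)

    Get-ADComputer -SearchBase $OuDistinguishedName -Filter * |
      ForEach-Object { Get-BitLockerRecoveryFromAD -ComputerName $_.Name } |
      Export-Csv -Path $CsvPath -NoTypeInformation
}

# Example usage (names are placeholders):
# Get-BitLockerRecoveryFromAD -ComputerName 'WIN7-TEST01'
# Find-BitLockerRecoveryByKeyId -KeyIdPrefix '1A2B3C4D'
# Export-BitLockerRecoveryForOU -OuDistinguishedName 'OU=Laptops,DC=example,DC=local' -CsvPath 'C:\secure\bitlocker-keys.csv'
```

Treat the CSV produced by the export as equivalent to the recovery passwords themselves: store it on an encrypted volume with the same access restrictions you put on the AD objects. For the original question, running `Get-BitLockerRecoveryFromAD` against the test machine is also the quickest way to confirm whether escrow has happened at all: an encrypted machine with no child objects means the backup policy is not being applied.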
As already stated you can't actually start the bitlocker encryption directly from within Active Directory.
It is possible to use a scheduled task on your laptops - which can be deployed via group policy preferences - to start the encryption process and pass in the required parameters.
You still want the group policy options for centrally managing the recovery keys in place. I ran scheduled tasks like this before I had the recovery key policy in place and locked myself out. Not fun. The group policy will make sure the scripted job meets the same requirements as starting via the GUI.
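An added example, not from either answer, of the scheduled-task script this approach describes, written for a Windows 7 client where the BitLocker PowerShell cmdlets do not exist and `manage-bde` is the only scripting interface. It refuses to encrypt until the TPM is ready and the AD-escrow policy has actually landed on the machine, which is the "locked myself out" failure the answer warns about, and it re-escrows recovery passwords on machines that were encrypted before the policy existed (the `manage-bde` backup case from the first answer). The registry value names under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones I believe the BitLocker ADMX writes; treat them as an assumption and confirm with `gpresult /h` on your own client. Function names and the log path are mine.

```powershell
# Runs as SYSTEM from a Group Policy Preferences scheduled task.
$OsDrive = $env:SystemDrive          # normally C:
$Log     = Join-Path $env:windir 'Temp\bitlocker-deploy.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# TPM must be enabled, activated and owned before a TPM protector can be added.
function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
    if (-not $tpm) { Write-Log 'No TPM device found'; return $false }
    $ready = $tpm.IsEnabled().IsEnabled -and
             $tpm.IsActivated().IsActivated -and
             $tpm.IsOwned().IsOwned
    if (-not $ready) { Write-Log 'TPM present but not enabled/activated/owned' }
    return $ready
}

# Only encrypt once the policy that escrows (and requires escrow of) the
# OS-drive recovery password is applied. Value names are an assumption.
function Test-AdBackupPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    $ok = ($p.OSActiveDirectoryBackup -eq 1) -and ($p.OSRequireActiveDirectoryBackup -eq 1)
    if (-not $ok) { Write-Log "AD backup policy not applied under $fve" }
    return $ok
}

# 0 = unprotected, 1 = protected, 2 = unknown (per Win32_EncryptableVolume).
function Get-ProtectionStatus([string]$Drive) {
    $vol = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { return 2 }
    return $vol.GetProtectionStatus().ProtectionStatus
}

# Push every numerical-password protector on the drive into AD.
function Backup-RecoveryPasswordsToAD([string]$Drive) {
    $ids = manage-bde -protectors -get $Drive -type RecoveryPassword |
        Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    foreach ($id in $ids) {
        Write-Log "Escrowing protector $id for $Drive"
        manage-bde -protectors -adbackup $Drive -id $id | Out-File -FilePath $Log -Append
    }
}

if (-not (Test-TpmReady))       { exit 1 }
if (-not (Test-AdBackupPolicy)) { exit 1 }

if ((Get-ProtectionStatus $OsDrive) -eq 1) {
    # Already encrypted (possibly before the policy existed): just make sure
    # the recovery password is in AD, then leave.
    Write-Log "$OsDrive already protected; verifying escrow"
    Backup-RecoveryPasswordsToAD $OsDrive
    exit 0
}

Write-Log "Enabling BitLocker on $OsDrive"
# TPM protector unlocks the drive at boot; the numerical password is the
# recovery protector that gets escrowed. -SkipHardwareTest avoids the
# reboot-and-verify cycle the GUI performs; drop it if you want that check.
manage-bde -protectors -add $OsDrive -tpm              | Out-File -FilePath $Log -Append
manage-bde -protectors -add $OsDrive -RecoveryPassword | Out-File -FilePath $Log -Append
manage-bde -on $OsDrive -SkipHardwareTest              | Out-File -FilePath $Log -Append
Write-Log "manage-bde -on exit code: $LASTEXITCODE"
```

Two notes on the run. `manage-bde -on` will fail on a disk that has no separate system partition, which is the preparation step the first answer could not recall; the tool that creates it on Windows 7 is `bdehdcfg`, and it needs a reboot before this script can succeed. And with "Do not enable BitLocker until recovery information is stored in AD DS" turned on, the `-on` step itself fails when escrow fails, which is exactly the safety net you want a scripted job to inherit: check the log for a non-zero exit code rather than assuming the task ran clean.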