I have configured BitLocker and TPM settings in Group Policy such that all the options are set and the recovery keys stored in Active Directory. All our machines are running Windows 7 with a standard corporate image and have their TPM chips enabled and active in the BIOS.
My goal is to make it so that all the user must do is click Enable BitLocker and away it goes. Microsoft even provides automation samples that can be deployed via script. But there is one small hiccup to making this a smooth process.
In the GUI, when the user enables BitLocker, it must initialize the TPM with an owner password which gets generated automatically. However, the recovery password is displayed to the user and they are prompted to save it to a text file. I can't seem to suppress this dialog and the step cannot be skipped. This is an unwanted (and unnecessary) prompt as the key is backed up to AD successfully.
If I script the deployment, I must supply the owner password in the script when I initialize the TPM and I want it to be randomly generated the way the GUI does.
Is there any way to make a BitLocker deployment truly zero-touch the way I want it?
You can do this via Group Policy. If you have already configured the recovery keys/packages to be backed up to AD, then all you need to do is check the "Omit recovery options from BitLocker setup wizard" checkbox on the same screen where you configured backup to AD. This setting is per drive type - OS, Fixed, and Removable. If you're encrypting more than just the OS drive, you need to set the policy in each node in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Remember that this checkbox only removes the page from the wizard. If you additionally want to prevent your users from exporting the recovery keys post-encryption, you have to disallow both recovery options as well.
Also, pay attention to what platform these policies are supported on. There are two sets of policy settings here, one for Vista/Server2008 and one for 7/Server2012 and newer. If you're still using Vista, you need to use the "Choose how users can recover BitLocker-protected drives" policy and set both methods to Not Allowed, then set the "Store BitLocker recovery information in Active Directory Domain Services" policy to Enabled.
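As an added example (not part of the original answer), here is a PowerShell audit that reads the registry values Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and reports, per drive type, whether the AD backup and "omit recovery options" settings described above are actually in effect on a client. The value names are taken from the BitLocker ADMX (VolumeEncryption.admx) as I know them; treat them as an assumption and verify against your own ADMX version.

```powershell
# Added example, not from the original answer. Audits the BitLocker recovery
# policy values that Group Policy writes under the FVE policy key.
# Assumption: value names follow VolumeEncryption.admx (OS*, FDV*, RDV* prefixes).
# Run on a domain-joined client after gpupdate /force.

$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# ADMX prefix used by each drive-type policy node
$driveTypes = @{
    'OS'        = 'OS'
    'Fixed'     = 'FDV'
    'Removable' = 'RDV'
}

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is Not Configured
    $item = Get-ItemProperty -Path $fvePath -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Test-BitLockerRecoveryPolicy {
    param([string]$Label, [string]$Prefix)

    $backup   = Get-FvePolicyValue "${Prefix}ActiveDirectoryBackup"        # 1 = save recovery info to AD DS
    $require  = Get-FvePolicyValue "${Prefix}RequireActiveDirectoryBackup" # 1 = do not encrypt until backup succeeds
    $hidePage = Get-FvePolicyValue "${Prefix}HideRecoveryPage"             # 1 = omit recovery options from wizard
    $password = Get-FvePolicyValue "${Prefix}RecoveryPassword"             # 0 = not allowed, 1 = required, 2 = allowed
    $key      = Get-FvePolicyValue "${Prefix}RecoveryKey"                  # same encoding as RecoveryPassword

    $findings = @()
    if ($backup -ne 1)   { $findings += 'recovery info is not backed up to AD DS' }
    if ($require -ne 1)  { $findings += 'encryption may start before the AD backup succeeds' }
    if ($hidePage -ne 1) { $findings += 'wizard still shows the save-recovery-key page' }

    $status = 'OK: zero-touch recovery policy in effect'
    if ($findings.Count -gt 0) { $status = $findings -join '; ' }

    New-Object PSObject -Property @{
        DriveType        = $Label
        RecoveryPassword = $password   # reported for review; users can export if still allowed
        RecoveryKey      = $key
        Status           = $status
    }
}

foreach ($entry in $driveTypes.GetEnumerator()) {
    Test-BitLockerRecoveryPolicy -Label $entry.Key -Prefix $entry.Value
} | Format-Table -AutoSize
```

A drive type that reports anything other than OK is one where the wizard will still prompt, or where encryption can complete without the key reaching AD.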
Have you tried looking at the Microsoft BitLocker Administration and Monitoring? It is a quiet service that you run remotely on the computers. Taking from this source:
It contains the necessary things you are wishing for, for instance no-touch deployment on the end-user side, and has it all ideally in one console.
Hope this helps!
P.S. TPM needs to be active in order for the MBAM to work.