3

I am experimenting with bitlocker deployment via AD at work. Have googled all over the internet, but the most useful reference seems to be:

Server 2012 R2, fully updated. Test client is Windows 7 Ultimate 64bit, fully updated.

For some reason, it's not working - How can I find out what's wrong? I created a GPO, linked it to an OU, joined the win7 machine onto domain, and moved the win7 machine into the OU. I would expect it (perhaps incorrect?) to simply start encrypting, and save the bitlocker recovery key into AD somewhere (not sure yet where to find that.) But it does nothing.

Checked in BIOS that the TPM is enabled. I tried '''gpupdate /force''' and rebooting the win7 machine ... But still, nothing.

  • Computer / Policies / Admin Templates / System / TPM Services
    • (Disabled) Turn on TPM backup to AD
  • Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption
    • (Enabled) Store bitlocker recovery info in AD (Server 2008 and Vista)
  • Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption / Operating System Drives
    • (Enabled) Enforce drive encryption on operating system drives

The first thing I notice is that it only says "2008 and Vista" ... Are there supposed to be some additional settings somewhere else for Win7 and 8?

Gosh, it would be really nice to find some way of diagnosing why it's not working, rather than guessing blindly... Also, if anyone has done this successfully and documented the process?

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
Edward Ned Harvey
  • 512
  • 3
  • 6
  • 14
  • 5
    Windows 7 Pro does not have bitlocker. – quadruplebucky Feb 27 '14 at 00:00
  • @quadruplebucky is correct. For Windows 7 you'll need Enterprise or Ultimate to use BitLocker. Perhaps they'll consider making their comment into an answer. – jscott Feb 27 '14 at 01:21
  • Please follow up after joining a Win7 Ent or Ultimate to your domain and trying to enable bitlocker. Also, note that you don't 'Turn on Bitlocker from AD', as Bitlocker is not centrally managed in that regard. The only thing AD can do is backup the recovery keys, which can be forced through group policy. – MDMoore313 Feb 27 '14 at 04:06
  • 1
    Dang it! I am sorry. I have gotten used to Win 8 Pro having bitlocker, and I wrote this question wrong. I have Win 7 Ultimate, and it *does* have bitlocker. I apologize. When I go to control panel, and open Bitlocker Drive Encryption, it shows the C: drive is not encrypted, and I *could* click to Turn On Bitlocker, but obviously, I don't. – Edward Ned Harvey Feb 27 '14 at 11:55
  • @MDMoore313 Perhaps I'm just using it wrong then. Are you saying, that bitlocker won't automatically turn itself on as a result of group policy? But I can skip the step of saving the recovery key manually? I should actually *click on* the "Turn On Bitlocker" feature in control panel? And then the recovery key will be saved in AD automatically and start encrypting? I'll give that a try... – Edward Ned Harvey Feb 27 '14 at 11:58
  • Have a look here: http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx (Don't mind the title/url, it's a bit misleading...) – Robbietjuh Feb 27 '14 at 13:42

2 Answers2

2

A streamline was of managing bitlocker in your environment would be to consider a multi discipline approach.

Group Policy

Set your group policy to automatically backup the recovery key to active directory, and to not encrypt the computer if the recovery key isn't stored in AD. Also, if the users will be encrypting their own machines, disable prompting for PINs and Passwords, unless you use them in your environment.

Deployment

Create a plan for encrypting machines that are already in the environment, vs. newly built workstations. New workstations are easier typically, as bitlocker requires a system partition to exist on the workstation, for storing its bootloader. Depending on your imaging process this may or may not exist on your current workstations, and if not a separate step would have to be run to prepare the hard drive for bitlocker, but the command escapes me at the moment. The GUI will do it automatically and requires a reboot before continuing, I have to assume the command line is the same way. manage-bde can also be used to backup the recovery of machines that have already been encrypted, as in before your group policy was implemented, to active directory. Of course, you also have to take into account TPM chip enabling and activation when talking about an automated bitlocker deployment.

Maintenance/Disaster Recovery

Backing up recovery keys to Active Directory is okay, but it's gone when the computer account is blown away. No big deal if the machine has been disposed of, but could be a major issue if this was just a laptop that was off the network for a while, and got subject to an AD cleanup script. Powershell can be used to retrieve backup keys from active directory, if this is something you want to think about.

MDMoore313
  • 5,581
  • 6
  • 36
  • 75
0

As already stated you can't actually start the blocker encryption directly from within active directory.

It is possible to use a scheduled task on your laptops - which can be deployed via group policy preferences - to start the encryption process and pass in the required parameters.

You still want the group policy options for centrally managing the recovery keys in place. I ran scheduled taks like this before I had the recovery key policy in placeand locked myself out. Not fun. The group policy will make sure the scripted job meets the same rrequirements as starting via the GUI.

Tim Brigham
  • 15,545
  • 10
  • 75
  • 115