
I am looking for help with creating a BitLocker policy through Group Policy. I have failed doing this myself and need help from those more experienced than I am.

Server: Windows Server 2012
Clients: Windows 7 Ultimate on Dell laptops (2014) with TPM modules

  • Full local disk encryption
  • I want the boot-up to be as simple as possible. I don't want the users to have to enter a PIN at start-up. The only protection I want is that if the hard drive is removed, they won't be able to view the contents.
  • Recovery keys should be stored in AD and manageable through there
  • Any USB drive plugged into the laptop needs to be BitLocker encrypted before use and these can be PIN protected (4 digit numeric PIN)

Is the above possible, and can anyone help with the GPO settings?

I followed a number of guides and deployed a policy, but I could see error messages stating my GPO had contradictory settings, or a similar message.

Thanks

James

jmoans

1 Answer


Storing keys in AD (make sure you've extended the schema: https://technet.microsoft.com/en-us/library/dd875533(v=WS.10).aspx). Under Windows Components/BitLocker Drive Encryption:
  • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista):
      • Require BitLocker backup to AD DS: Enabled
      • Select BitLocker recovery information to store: choose what is appropriate; we use "Recovery passwords and key packages"

For hard drives, you have settings specific to the OS drive and to other fixed hard drives. Set both up as needed. Under "Choose how BitLocker-protected operating system drives can be recovered":
  • Configure user storage of BitLocker recovery information: Require 48-digit recovery password; Allow 256-bit recovery key
  • Omit recovery options from the BitLocker setup wizard: Enabled
  • Save BitLocker recovery information to AD DS for operating system drives: Enabled
  • Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled

Removable drives (USB). Under Windows Components/BitLocker Drive Encryption/Removable Data Drives:
  • Control use of BitLocker on removable drives: Enabled
  • Deny write access to removable drives not protected by BitLocker: Enabled
  • Allow users to suspend and decrypt BitLocker protection on removable data drives: Disabled
  • Choose how BitLocker-protected removable drives can be recovered:
      • Save BitLocker recovery information to AD DS for removable data drives: Enabled
      • Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  • Configure use of passwords for removable data drives: Enabled (no PIN, but you can make the password 4 characters with complexity disabled; we don't)
  • Configure password complexity for removable data drives: Allow password complexity
  • Minimum password length for removable data drive: 8

E-Rock
  • Thanks for your answer. I will not get to test this fully now as I am no longer involved. I appreciate your answer very much and have up-ticked it – jmoans Jan 26 '15 at 19:15
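One gap the answer's AD DS backup settings leave open: "Do not enable BitLocker until recovery information is stored to AD DS" only guards encryptions started after the GPO applies, so volumes encrypted earlier need their recovery passwords pushed to AD explicitly. The script below is an added example (not part of E-Rock's answer or the question) that does that with manage-bde.exe, which is present on Windows 7; it assumes the OS drive is C: and runs from an elevated PowerShell prompt.

```powershell
# Added example: back up existing BitLocker recovery passwords to AD DS.
# Without -Apply it only reports what it would do.
param(
    [string[]] $Drives = @('C:'),   # assumption: OS drive is C:; add D: etc. for fixed data drives
    [switch]   $Apply
)

function Get-NumericalPasswordIds {
    param([string] $Drive)
    # manage-bde prints one block per protector. The 48-digit recovery password
    # is the "Numerical Password" protector; capture the "ID: {GUID}" that follows it.
    $ids = @()
    $inNumeric = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive 2>&1)) {
        if ($line -match '^\s*Numerical Password:') { $inNumeric = $true; continue }
        if ($line -match '^\s*[A-Za-z ]+:\s*$')     { $inNumeric = $false }   # next protector header
        if ($inNumeric -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumeric = $false
        }
    }
    return $ids
}

foreach ($drive in $Drives) {
    $status = & manage-bde.exe -status $drive 2>&1 | Out-String
    if ($status -notmatch 'Protection Status:\s*Protection On') {
        Write-Warning "$drive is not BitLocker-protected; nothing to back up"
        continue
    }
    $ids = Get-NumericalPasswordIds -Drive $drive
    if (-not $ids) {
        # A TPM-only volume has nothing AD can recover; add a recovery password first.
        Write-Warning "$drive has no Numerical Password protector; add one with: manage-bde -protectors -add $drive -RecoveryPassword"
        continue
    }
    foreach ($id in $ids) {
        if ($Apply) {
            # Writes an msFVE-RecoveryInformation object under this computer's AD account.
            & manage-bde.exe -protectors -adbackup $drive -id $id
        } else {
            Write-Output "Would back up $drive recovery password $id to AD DS (re-run with -Apply)"
        }
    }
}
```

After running with -Apply, the recovery passwords appear on the computer object's BitLocker Recovery tab in Active Directory Users and Computers (with the schema extension and the BitLocker Recovery Password Viewer feature installed), which is the "manageable through AD" outcome the question asks for.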