
Win10 PCs, 2012R2 domain

I'm rolling out BitLocker to clients and I'm trying to restrict the options in the BitLocker wizard as much as possible.

I do need users to run the wizard so they can set a PIN, but I don't want users to be prompted where/how to store their recovery key. I already have it set up to back up the keys to AD as well as "require BitLocker backup to AD", so I know they are safe. I don't expect them to keep track of their copy of the key anyway, and that's also a possible security risk.

Is there a policy that prevents this prompt in the BitLocker setup wizard?

red888

1 Answer


I believe you are looking for the "omit recovery options from the BitLocker setup wizard" policy setting.

Best Practices for BitLocker
https://technet.microsoft.com/en-us/library/dd875532(v=ws.10).aspx

Policy: Choose how BitLocker-protected removable drives can be recovered

Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

Greg Askew
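Added example, not part of the answer above: a PowerShell check to run on a domain-joined Win10 client after a Group Policy refresh, confirming that the recovery policy for operating system drives arrived with the settings the answer lists (AD DS backup, backup required before encryption, recovery page hidden from the wizard) and then re-escrowing every recovery password to AD. The `HKLM\SOFTWARE\Policies\Microsoft\FVE` value names are taken from the BitLocker ADMX and are an assumption of this example, as is applying the operating-system-drive variant of the policy rather than the removable-drive one quoted in the answer.

```powershell
# Added example (not from the question or answer). Registry value names are
# assumptions based on the BitLocker ADMX; the key only exists once a GPO
# that configures BitLocker has been applied to the machine.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerRecoveryPolicy {
    if (-not (Test-Path $fve)) {
        return [pscustomobject]@{ Applied = $false; Missing = @('policy key absent; run gpupdate /force') }
    }
    $p = Get-ItemProperty -Path $fve
    # Expected DWORD values for "Choose how BitLocker-protected operating
    # system drives can be recovered", matching the answer's settings.
    $expected = @{
        OSRecovery                     = 1  # policy enabled
        OSActiveDirectoryBackup        = 1  # save recovery information to AD DS
        OSActiveDirectoryInfoToStore   = 1  # store recovery passwords and key packages
        OSRequireActiveDirectoryBackup = 1  # do not enable BitLocker until AD backup succeeds
        OSHideRecoveryPage             = 1  # omit recovery options from the setup wizard
    }
    $missing = foreach ($name in $expected.Keys) {
        if ($p.$name -ne $expected[$name]) { "$name (want $($expected[$name]), got '$($p.$name)')" }
    }
    [pscustomobject]@{ Applied = (-not $missing); Missing = @($missing) }
}

function Sync-BitLockerRecoveryToAD {
    # Push every RecoveryPassword protector of each protected volume to AD DS.
    # This is the same escrow the wizard performs; re-running it is harmless and
    # catches volumes that were encrypted before the policy reached the client.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) { Write-Warning "$($vol.MountPoint): no RecoveryPassword protector"; continue }
        foreach ($kp in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            "$($vol.MountPoint): protector $($kp.KeyProtectorId) escrowed to AD DS"
        }
    }
}

$check = Test-BitLockerRecoveryPolicy
$check
if ($check.Applied) { Sync-BitLockerRecoveryToAD } else { Write-Warning 'Policy not fully applied; not escrowing.' }
```

Run from an elevated PowerShell session, since Get-BitLockerVolume and Backup-BitLockerKeyProtector require administrator rights; the escrowed password can then be verified in the computer object's msFVE-RecoveryInformation children on the 2012 R2 DC.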