1.) Confirm that TPM is activated in the BIOS of all workstations.
- All of these workstations are using Windows 10 Pro, which I believe automatically activates the TPM chip when the OS is installed right? I read that here https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-orga...
2.) Create GPO for Bitlocker settings and apply it to test OU
- I created a GPO that sets the drive encryption method and cipher strength (AES 256-bits) and makes AD store the recovery password as an attribute of the Computer object.
3.) Apply GPO to my test OU made up of three Windows 10 test machines I've set up.
- From my understanding so far, the GPO only contains the settings that should be applied once Bitlocker is enabled right? It doesn't enable Bitlocker encryption itself, so I can push a Powershell script to the three test machines and enable the encryption.
4.) Confirm that Bitlocker has been enabled on the test machines and that the keys are being stored properly in AD
5.) Continue deployment to live workstations in small groups to make it easy to troubleshoot problems.
This is the plan I've drawn up so far. I'm interested to know if I'm overlooking anything major? The goal is to have Bitlocker full drive encryption deployed to our workstations and store the recovery keys in AD. I also intend for this to be as no-touch as possible by using the GPOs and powershell scripts pushed by a remote management agent.
