So the setup is that we have a bunch of laptops for staff which connect to Windows Server (2012) AD. We have an AD group (I didn't set it up, so I'm not 100% sure of the policies set) that allows BitLocker keys to be stored for each device and forces users to BitLocker USB keys before they can copy onto them. Sometimes there seems to be a glitch, so one of two things will happen:
- The normal way (the way it should be): We want to move a device onto BitLocker (this could be after a fresh install or a device that has just not been on BitLocker in the past), so we put that device in the AD group, then log out and log back into Windows on the device. We then right-click on C: and choose "Turn BitLocker on", and it takes us through the setup. If the policies have taken, it won't ask us to insert a flash drive etc. to back up the key, as it goes to the server. It will then take a while to encrypt the drive (of course faster with an SSD; the devices with HDDs take ages).
- We use the same method; however, after moving the device to the AD group, we log back in and it says the drive already has BitLocker turned on.
For the second option, this has happened even on new installs (so I know BitLocker has never been enabled) and happens instantly (even for HDDs). So while it is reporting that BitLocker is enabled, is it actually? Plus, because we don't get the wizard when it is turned on, we don't get the option to encrypt the entire drive, so I am guessing any data that was on the drive before the Windows reinstall (if it wasn't BitLockered before the reinstall) would not be protected (if someone did a full recovery on the drive looking for deleted files). Has anyone else experienced this, and has anyone done any tests to see if the data is encrypted?
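One way to answer "is it actually encrypted?" on the affected device, as an added example that is not part of the original post: run the following elevated on the laptop. It reads the volume's real state from the BitLocker module and the Win32_EncryptableVolume WMI provider, reports whether encryption is used-space-only (which leaves pre-reinstall blocks in the clear) and whether protection is actually armed, and shows whether a recovery password exists that could have been escrowed to AD. Drive letter, output wording and the interpretation notes are mine; the cmdlets and the EncryptionFlags bit (0x1 = data-only mode, as documented for GetConversionStatus) are Microsoft's.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the device.
# Requires the BitLocker module (Windows 8 / Server 2012 and later).
Import-Module BitLocker

$mount = "C:"   # assumed: the OS volume in question
$vol   = Get-BitLockerVolume -MountPoint $mount

"Volume status        : $($vol.VolumeStatus)"          # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
"Encryption percentage: $($vol.EncryptionPercentage)%"
"Protection status    : $($vol.ProtectionStatus)"      # On = protectors armed, Off = clear key still present
"Encryption method    : $($vol.EncryptionMethod)"
"Key protectors       : $(($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')"

# Used-space-only vs full-disk: Get-BitLockerVolume does not expose this, so ask WMI.
# GetConversionStatus() returns EncryptionFlags; bit 0x1 means data-only (used space only) mode.
$wmi  = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
          -Class Win32_EncryptableVolume -Filter "DriveLetter='$mount'"
$conv = $wmi.GetConversionStatus()
$usedSpaceOnly = ($conv.EncryptionFlags -band 1) -ne 0
"Used space only      : $usedSpaceOnly"

# Interpretation for the symptom in the post: "already on", instantly, on a fresh install.
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
    "NOTE: the volume is encrypted but protection is OFF (clear key on disk)."
    "      Data is not protected until a TPM/PIN protector is added and enabled (Enable-BitLocker / manage-bde -on)."
}
if ($usedSpaceOnly) {
    "NOTE: used-space-only encryption; blocks freed before the reinstall were never encrypted."
    "      Free space can be overwritten afterwards with: manage-bde -WipeFreeSpace $mount"
}

# AD escrow only works if a RecoveryPassword protector exists to back up.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    "NOTE: no recovery password protector; nothing exists to store in AD for this volume."
} else {
    "Recovery password ID : $($rp.KeyProtectorId)"
    "      Escrow manually if needed: Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId '$($rp.KeyProtectorId)'"
}
```

Compare the output of a device that went through the wizard (ProtectionStatus On, a TPM and a RecoveryPassword protector) with one that reported "already on" instantly; a 100% / FullyEncrypted volume with ProtectionStatus Off is encrypted only nominally, and used-space-only mode is what leaves the pre-reinstall data the post worries about recoverable.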