Enable Bitlocker through group policy settings

In this article, I will share information about BitLocker and the Group Policy settings used to deploy it on client machines in an Active Directory environment. First, let's look at what BitLocker is. Microsoft defines it as follows: "BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline."

Ref.: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

What are the Group Policy settings for BitLocker?

All Group Policy settings for BitLocker are listed at: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

Below is a scenario with the steps to enable BitLocker with Group Policy and back up the BitLocker recovery keys to Active Directory:

Create a new GPO, edit it and browse to Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Enable the following options:

  • Choose drive encryption method and cipher strength (Windows 10 Version 1511 and later)
  • Choose how users can recover BitLocker protected drives.
  • Store BitLocker recovery information in Active Directory Domain Services

Then browse to the Operating System Drives folder and enable the following:

  • Choose how BitLocker protected operating system drives can be recovered.

Then browse to the Fixed Drives folder and enable the following:

  • Choose how Fixed drives can be recovered.

The Group Policy settings should look like the snapshot below:

Windows 10 1809 and later versions will start the BitLocker process to encrypt drives automatically.

To view the BitLocker recovery key in Active Directory, follow the steps below:

  1. Open Server Manager.
  2. Click Add Roles and Features.
  3. Click Next to continue through the wizard.
  4. On the Select features page, select "BitLocker Recovery Password Viewer" under Remote Server Administration Tools > Feature Administration Tools > BitLocker Drive Encryption Administration Utilities.

You can view the BitLocker recovery key from the computer's properties, as in the snapshot below:
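As an added example that is not part of the original article, the following PowerShell does the same work from the command line: on a domain-joined client it audits the policy values the GPO above writes and makes sure the OS drive's recovery password is escrowed to AD DS, and on a server with the ActiveDirectory module it lists the escrowed passwords that the Recovery Password Viewer displays. The FVE registry value names come from Microsoft's BitLocker ADMX; `Get-EscrowedRecoveryPassword` and `CLIENT01` are names assumed here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Part 1 runs on a domain-joined client: it reads the
# policy the GPO above writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (value names as defined in
# Microsoft's VolumeEncryption.admx), then makes sure the OS drive has a numerical recovery
# password and that it is escrowed in AD DS.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve) { throw 'No BitLocker policy applied yet; run gpupdate /force and retry.' }

# 1 = "Save BitLocker recovery information to AD DS" and "Do not enable BitLocker until recovery
# information is stored to AD DS" in the two "Choose how ... can be recovered" policies.
foreach ($name in 'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup',
                  'FDVActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup') {
    Write-Output ('{0,-32} {1}' -f $name, $(if ($fve.$name -eq 1) { 'OK' } else { 'MISSING' }))
}
# 7 = XTS-AES 256, 6 = XTS-AES 128 under "Choose drive encryption method and cipher strength".
Write-Output ('{0,-32} {1}' -f 'EncryptionMethodWithXtsOs', $fve.EncryptionMethodWithXtsOs)

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rp = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    # Without a recovery password protector there is nothing for Windows to escrow.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $rp = @((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($p in $rp) {
    # Writes the protector to the computer's own object in AD DS; safe to repeat.
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Escrowed recovery password protector $($p.KeyProtectorId) to AD DS"
}

# Part 2 runs where the ActiveDirectory module is installed (for example the server on which the
# BitLocker Recovery Password Viewer feature was added) and reads the same msFVE-RecoveryInformation
# objects that viewer displays. Get-EscrowedRecoveryPassword is a hypothetical helper name.
function Get-EscrowedRecoveryPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Each escrowed password is a child object of the computer account whose Name ends in
    # "{KeyProtectorId}", so it can be matched against the ID printed on the client in part 1.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Select-Object Name, whenCreated, @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}
# Usage: Get-EscrowedRecoveryPassword -ComputerName 'CLIENT01'   # CLIENT01 is a placeholder name
```

Reading msFVE-RecoveryInformation objects is governed by the ACL on the computer object, so part 2 needs the same rights the Recovery Password Viewer needs (Domain Admins by default, or an account delegated read access to those attributes).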

I published a video about the BitLocker recovery key on my YouTube channel; please review it and let me know in the comments if you have questions:
