
Enabling Bitlocker on Operating System Drive

Bitlocker Proof of Concept:

  • Only TPM encryption (TPM version 1.2 or newer)
  • Windows 10 (version 1511 or later)
  • Only OS Drive (C:)
  • Only Used space encryption
  • Configured with Group Policy
  • Recovery keys automatically stored in Active Directory
  • Management tools installed on remote desktop server
  • Test Computers = computer1, computer2
  • OU = Laptops
  • GPO = Bitlocker OS Drives

Technical Documentation

1. To manage Bitlocker recovery keys, I have enabled the following Windows Features on a management-tool remote desktop server (alternatively, you can use the RSAT tools on your client PC):

Remote Server Administration Tools:

  • Bitlocker Drive Encryption Administration Utilities
    • Bitlocker Drive Encryption Tools
    • Bitlocker Recovery Password Viewer

Group Policies

2. On client computers (Windows 10 version 1511), Bitlocker is configured by Group Policy:

  • Bitlocker OS Drive – Bitlocker OS
  • Bitlocker Removable Drives – Bitlocker removable

Group policy settings

Computer Configuration (Enabled)
  Policies
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the central store.
        Windows Components/BitLocker Drive Encryption/Operating System Drives

  • Choose how BitLocker-protected operating system drives can be recovered: Enabled
    • Allow data recovery agent: Enabled
    • Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
    • Omit recovery options from the BitLocker setup wizard: Enabled
    • Save BitLocker recovery information to AD DS for operating system drives: Enabled
    • Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
  • Enforce drive encryption type on operating system drives: Enabled
    • Select the encryption type: Used Space Only encryption
  • Require additional authentication at startup: Enabled
    • Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Disabled
    • Settings for computers with a TPM:
      • Configure TPM startup: Allow TPM
      • Configure TPM startup PIN: Do not allow startup PIN with TPM
      • Configure TPM startup key: Do not allow startup key with TPM
      • Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

User Configuration (Disabled)
  No settings defined.
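The settings above are what the GPO should deliver; the script below is an added example (not part of the original post) for checking on a client, after a gpupdate, that the policy actually applied with those values. The BitLocker ADMX writes its settings to HKLM\SOFTWARE\Policies\Microsoft\FVE; the registry value names and the numeric meanings in the table are taken from that ADMX and are an assumption to verify against the ADMX in your own central store if your template version differs.

```powershell
# Added example, not from the original post: confirm the "Bitlocker OS Drives"
# GPO applied by comparing the FVE policy registry values with what the post's
# GPO report lists. Value names/meanings follow the BitLocker ADMX (assumption).

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected registry values for the policy described in this post.
$ExpectedFvePolicy = [ordered]@{
    OSRecovery                     = 1   # Choose how OS drives can be recovered: Enabled
    OSManageDRA                    = 1   # Allow data recovery agent
    OSRecoveryPassword             = 2   # 48-digit recovery password: Allow (1 = Require, 0 = Do not allow)
    OSRecoveryKey                  = 2   # 256-bit recovery key: Allow
    OSHideRecoveryPage             = 1   # Omit recovery options from the setup wizard
    OSActiveDirectoryBackup        = 1   # Save recovery information to AD DS
    OSActiveDirectoryInfoToStore   = 1   # Store recovery passwords and key packages (2 = passwords only)
    OSRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until backed up to AD DS
    OSEncryptionType               = 2   # Used Space Only (1 = Full, 0 = user chooses)
    UseAdvancedStartup             = 1   # Require additional authentication at startup: Enabled
    EnableBDEWithNoTPM             = 0   # Allow BitLocker without a compatible TPM: Disabled
    UseTPM                         = 2   # Configure TPM startup: Allow TPM (1 = Require, 0 = Do not allow)
    UseTPMPIN                      = 0   # Do not allow startup PIN with TPM
    UseTPMKey                      = 0   # Do not allow startup key with TPM
    UseTPMKeyPIN                   = 0   # Do not allow startup key and PIN with TPM
}

function Test-BitLockerOsDrivePolicy {
    # Returns one object per setting: expected value, actual value, and whether they match.
    if (-not (Test-Path $FvePolicyPath)) {
        throw "$FvePolicyPath does not exist: no BitLocker policy has applied to this computer."
    }
    $actual = Get-ItemProperty -Path $FvePolicyPath
    foreach ($setting in $ExpectedFvePolicy.GetEnumerator()) {
        $prop  = $actual.PSObject.Properties[$setting.Key]
        $value = if ($prop) { $prop.Value } else { $null }   # $null = value missing from policy
        [pscustomobject]@{
            Setting  = $setting.Key
            Expected = $setting.Value
            Actual   = $value
            Ok       = ($value -eq $setting.Value)
        }
    }
}

$results = Test-BitLockerOsDrivePolicy
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'BitLocker OS drive policy does not match the expected configuration.'
} else {
    Write-Host 'BitLocker OS drive policy matches the expected configuration.'
}
```

A missing value (Actual empty) usually means the client has not yet refreshed policy or is not in the Laptops OU; a wrong value means another GPO linked higher in the tree is overriding the setting.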
3. Move the test PCs to the OU consoto.com/Business Objects/Laptops.

Once moved, restart the PC so that the computer Group Policies are applied.


4. Before enabling BitLocker, it is important that the TPM chip is present, ready and compliant.

All queries must answer "True" for BitLocker encryption to succeed.

5. Enable Bitlocker on the PC by right-clicking the C:\ drive and choosing "Enable Bitlocker", or by running the PowerShell command:

Enable-BitLocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector

This enables Bitlocker and starts encrypting after a reboot, provided the TPM chip passes the hardware test during that reboot.
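As an added example that is not the post's own command, the script below carries steps 4 and 5 through in one elevated PowerShell session on the client: it checks the TPM the way step 4 requires, adds the recovery password protector first so that the GPO rule "do not enable BitLocker until recovery information is stored to AD DS" can be satisfied, and only then enables BitLocker with a TPM protector and used-space-only encryption. The function names are my own; the cmdlets come from the BitLocker and TrustedPlatformModule modules that ship with Windows 10.

```powershell
# Added example, not from the original post: TPM pre-flight check, then enable
# BitLocker on the OS drive to match the post's policy (TPM only, used space
# only, recovery password backed up to the computer object before encryption).

function Test-TpmReadyForBitLocker {
    # Step 4 of the post: every TPM query must report True.
    $tpm = Get-Tpm
    $checks = [ordered]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
    }
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ("{0,-12} {1}" -f $c.Key, $c.Value)
    }
    return ($checks.Values -notcontains $false)
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # 1. Recovery password protector first. With "Save BitLocker recovery information
    #    to AD DS" enabled the backup happens automatically; the explicit backup below
    #    makes a failure (offline, not domain joined) visible before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 2. TPM protector plus used-space-only encryption, as the GPO requires.
    #    The hardware test runs at the next reboot; encryption starts once it passes.
    return Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly
}

if (Test-TpmReadyForBitLocker) {
    Enable-OsDriveBitLocker -MountPoint 'C:' |
        Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
    Write-Host 'Reboot to run the BitLocker hardware test; encryption begins after it passes.'
} else {
    Write-Warning 'TPM is not ready (see Get-Tpm output above); fix the TPM before enabling BitLocker.'
}
```

Adding the recovery password before the TPM protector is the ordering Microsoft documents for Enable-BitLocker; the post's single command with -RecoveryPasswordProtector is what the wizard does for you when you right-click the drive.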


6. Recovery keys are stored in Active Directory on Computer Object.

[Screenshots adkeys1 and adkeys2: recovery keys shown on the computer object in Active Directory]
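To confirm step 6 from the management server without opening each computer object by hand, here is an added example (not from the original post) that uses the ActiveDirectory module from RSAT to list the recovery information backed up for the post's two test computers. Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer object; the script reports the key ID and whether a password is present rather than printing the 48-digit password itself, which the Recovery Password Viewer is the right tool for. The function name and the test computer names are assumptions taken from the post's proof-of-concept list.

```powershell
# Added example, not from the original post: list BitLocker recovery information
# stored under each test computer object in Active Directory.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName

    # msFVE-RecoveryInformation objects are direct children of the computer object;
    # their name embeds the backup time and the recovery password ID.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties 'whenCreated', 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword' |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $ComputerName
                BackedUp     = $_.whenCreated
                RecoveryGuid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                HasPassword  = [bool]$_.'msFVE-RecoveryPassword'   # read requires delegated rights
            }
        }
}

foreach ($pc in 'computer1', 'computer2') {
    $keys = @(Get-BitLockerRecoveryInfo -ComputerName $pc)
    if ($keys.Count -eq 0) {
        Write-Warning "$pc has no recovery information in AD; with this GPO, encryption should not have started."
    } else {
        $keys | Format-Table -AutoSize
    }
}
```

HasPassword is False when the account running the script lacks read access to msFVE-RecoveryPassword, so an all-False column is a permissions problem rather than a missing backup; the RecoveryGuid column still tells you a key was escrowed.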


Published in: BitLocker, IT
