Bitlocker Proof of Concept:
- TPM-only protector, no PIN or startup key (TPM version 1.2 or newer)
- Windows 10 (version 1511 or later)
- Only OS Drive (C:)
- Only Used space encryption
- Configured with Group Policy
- Recovery keys automatically stored in Active Directory
- Management tools installed on remote desktop server
- Test Computers = computer1, computer2
- OU = Laptops
- GPO = Bitlocker OS Drives
1. To manage Bitlocker recovery keys I have enabled the following Windows Features on the management-tool remote desktop server (alternatively, install the RSAT tools on your client PC):
Remote Server Administration Tools:
- Bitlocker Drive Encryption Administration Utilities
- Bitlocker Drive Encryption Tools
- Bitlocker Recovery Password Viewer
2. On Client computers (Windows 10 version 1511), Bitlocker is configured by Group Policy
- Bitlocker OS Drive – Bitlocker OS
- Bitlocker Removable Drives – Bitlocker removable
Group policy settings:
Computer Configuration (Enabled)
Policy definitions (ADMX files) retrieved from the central store.
Windows Components/BitLocker Drive Encryption/Operating System Drives
    Choose how BitLocker-protected operating system drives can be recovered    Enabled
    Enforce drive encryption type on operating system drives                   Enabled
    Require additional authentication at startup                               Enabled
These three settings carry the PoC scope listed above: recovery passwords backed up to Active Directory, Used Space Only as the enforced encryption type, and TPM-only authentication at startup.
3. Move the test computers (computer1, computer2) into the Laptops OU targeted by the GPO. Once moved, restart the PC so the Computer Configuration policies are applied.
4. Before enabling BitLocker it is important that the TPM chip is present, ready and compliant. Query its state on the client (for example with the Get-Tpm cmdlet, whose TpmPresent, TpmReady, TpmEnabled, TpmActivated and TpmOwned properties report it).
All queries must answer "True" for BitLocker encryption to succeed.
5. Enable Bitlocker on the PC by right-clicking the C:\ drive and choosing "Turn on BitLocker", or by running the PowerShell command:
Enable-BitLocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector
This enables Bitlocker and starts encrypting once the TPM chip has passed the hardware test during a reboot.
Note that this command adds only the recovery password protector. For the TPM-only unlock in this PoC, C: must also carry a TPM protector (Add-BitLockerKeyProtector -MountPoint "C:" -TpmProtector, or Enable-BitLocker with -TpmProtector instead); with a recovery password as the sole protector, Windows has nothing to unlock the drive with automatically and prompts for the 48-digit recovery password at boot.
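The following script is an added example that ties steps 4 and 5 together; it is not part of the original PoC notes. It assumes an elevated PowerShell session on a domain-joined Windows 10 client that has already received the GPO, and it uses the TPM-protector route (recovery password added first, then TPM protector) rather than the single command above. The mount point and the name of the GPO in the comments are taken from this page; everything else is the standard BitLocker and TrustedPlatformModule cmdlets.

```powershell
# Added example (not from the original PoC notes): TPM pre-check, then BitLocker
# enablement on C: with a TPM protector plus an AD-escrowed recovery password.
# Assumes: run as Administrator on a domain-joined Windows 10 client that has
# applied the "Bitlocker OS Drives" GPO; BitLocker and TrustedPlatformModule
# modules are present on Windows 10.

$MountPoint = 'C:'

# Step 4: every TPM status flag must be True; stop before touching the drive otherwise.
$tpm   = Get-Tpm
$flags = 'TpmPresent', 'TpmReady', 'TpmEnabled', 'TpmActivated', 'TpmOwned'
$notReady = $flags | Where-Object { -not $tpm.$_ }
if ($notReady) {
    throw "TPM is not ready for BitLocker; these checks returned False: $($notReady -join ', ')"
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "BitLocker is already configured on $MountPoint ($($vol.VolumeStatus)); nothing to do."
    return
}

# Step 5a: add the recovery password protector first. With the AD DS backup
# policy in place, creating this protector triggers the escrow to the computer object.
$afterAdd = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($afterAdd.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId

# Explicit backup as well: this fails loudly if AD escrow does not work, instead of
# leaving an encrypted laptop whose only recovery password lives on the laptop itself.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId

# Step 5b: TPM-only unlock, Used Space Only. Without -SkipHardwareTest BitLocker
# runs the TPM hardware test on the next reboot and only then starts encrypting.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly

# Report: protectors should list RecoveryPassword and Tpm; ProtectionStatus stays Off
# until the hardware test has passed after the reboot.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Keep the KeyProtectorId printed by the last line: it is the GUID you match against the AD recovery object when verifying the escrow in step 6.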
6. Recovery keys are stored in Active Directory as msFVE-RecoveryInformation child objects of the Computer Object, one per recovery password protector. They can be viewed on the management server in Active Directory Users and Computers under the computer's BitLocker Recovery tab (provided by the Bitlocker Recovery Password Viewer feature from step 1).
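As an added check that is not part of the original PoC notes, the following script verifies from the management server that both test computers actually have recovery information escrowed before they are treated as done. It assumes the RSAT ActiveDirectory module is available alongside the BitLocker tools from step 1 and that the account running it may read msFVE-RecoveryInformation objects; the computer names are the PoC test machines from this page.

```powershell
# Added example (not from the original PoC notes): confirm from the management
# server that each test computer's recovery password reached Active Directory.
# Assumes: RSAT ActiveDirectory module and read rights on msFVE-RecoveryInformation.

Import-Module ActiveDirectory

$TestComputers = 'computer1', 'computer2'   # the PoC test machines

foreach ($name in $TestComputers) {
    $computer = Get-ADComputer -Identity $name

    # Recovery passwords live as child objects directly under the computer object.
    # The object name is "<timestamp>{<GUID>}", where the GUID is the recovery
    # protector's KeyProtectorId as shown by Get-BitLockerVolume on the client.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, whenCreated

    if (-not $entries) {
        Write-Warning "$name has NO recovery information in AD; do not ship it encrypted until it does."
        continue
    }

    foreach ($e in $entries) {
        [pscustomobject]@{
            Computer = $name
            Created  = $e.whenCreated
            Entry    = $e.Name
            # Show only the first block of the 48-digit password: the full value is
            # the unlock secret and does not belong in a console log or ticket.
            Password = ($e.'msFVE-RecoveryPassword' -split '-')[0] + '-...'
        }
    }
}
```

A machine that reports no entries here was encrypted before the GPO applied or the escrow failed; rerun Backup-BitLockerKeyProtector on that client rather than assuming the policy took care of it.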