Group PolicyMicrosoftUncategorizedWindows 10

Deploying BitLocker | AD Server 2019 and Windows 10

I’ve been tasked with deploying bitlocker to our domain which consists of 800+ staff and over 5,500 students. So here I’ll document the process.

Install Server Feature

On your domain controller open the server manager and add roles and features. Under features install “BitLocker Drive Encryption” Just a note, you’ll need to reboot to complete installation.

Server Feature – BitLocker Drive Encryption

By default it should automatically include the utilities used to view them in AD.

BitLocker Recovery Password Viewer Feature

Create the Group Policy Object (GPO)

There seems to be a split between strictly using a GPO to deploy BitLocker or using the GPO in addition to a batch/PowerShell script to kick off the encryption. After playing with the deployment I’ve opted for not using a script as it just add more complexity that isn’t needed.

So, in my TEST OU (with my test computer) I’ve created a new GPO called “Deploy BitLocker” Edit the OU and lets configure the settings.

Browse to Computer Configuration > Policies > Administrative Templates> Windows Components > BitLocker Drive Encryption

Expanding group policy management editor – Computer Configuration > Policies > Administrative Templates> Windows Components > BitLocker Drive Encryption

ENABLE – Store BitLocker recovery information in Active Directory Domain Services

This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy

setting is only applicable to computers running Windows Server 2008 or Windows Vista.
If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

Navigate to the sub folder “Operating System Drives”. We’ll make changes to 3 settings here.

ENABLE Allow network unlock at startup

This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors.

ENABLE Choose how BitLocker-protected operating system drives can be recovered.

The defaults should be fine except I would recommend checking “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

ENABLE Enforce drive encryption type on operating system drives.

This one is you’ll want to choose which best fits your organization. I’ve chosen “Full Encryption”

This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

Now lets test!

With the computer in your TEST OU, you can either reboot it or open PowerShell (don’t forget to run as admin) and type in gpedit /force

Log out and back or reboot and go to This PC.

BitLocker is now enabled. Notice the padlock icon on the C: drive.

Another verification can be done via PowerShell.

Get-BitLockerVolume -MountPoint <drive letter>
Here we can see the status is fully encrypted and protection status is on.

Verify the key is in AD

Tip: You may need to restart the Active Directory Users and Computers program.

Find your test machine in AD, right click it and select properties. You should now have the “BitLocker Recovery” tab. If it worked, you should see the new Password ID and date.

If nothing showed up, verify on the test machine it received your new policy with gpedit /result. Also does the machine have TPM? If not you’ll need to make some more changes to the GPO to allow devices without TPM. We’ve decided to only deploy BitLocker to devices that support TPM.

Hope this helps as this was my first time deploying BitLocker.

Show More

Cory Fiala

Technology and outdoor enthusiast. Currently the sole systems administrator for a local K-12 school district with 800+ staff and 5,500+ students. I support windows servers (2012R2-2022), Linux systems (FreeBSD and Ubuntu), along with vSphere (4 node cluster). Total is almost 60 virtual machines and 8 physical servers. This doesn't include my personal homelab.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button