Microsoft Enterprise Platforms Support: Windows Server Core Team
Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover How to enable Bitlocker in Windows 7 and avoid one of the most common issues we see when enabling Bitlocker using GPOs.
A common problem we have seen since the release of Windows 7 has been in properly capturing the Bitlocker recovery keys in Active Directory. This is most likely due to incorrect policies settings for Bitlocker using GPO.
How to enable Bitlocker using GPO.
1. Open Group Policy Management Console and create a new Group Policy.
2. Right click on the policy and click Edit; you will see a Group Policy Management Editor window.
3. Expand Computer Configuration à Policies àAdministrative Templates à Windows Components à Bitlocker Drive Encryption.
You should see the below policy options for Bitlocker:
4. The policy we need to configure is: Provide Unique Identifiers for your organization.
5. Under the Fixed Data Drive section; Enable the below two policies as shown below. For more information on each policy refer to the Help tab for each policy.
6. Under the Operating System Drive section: Enable the below three policies as shown below. For more information on each policy refer to the Help tab for each policy.
· Require additional authentication at startup – Set this policy as per your requirement.
Configure TPM Startup; Configure TPM Startup PIN; Configure TPM Startup Key; Configure TPM Startup Key and PIN.
I f you want to use TPM + PIN as the startup type, see screen shot below.
7. Under the Removable Data Drives section: Enable the three policies as shown below. For more information on each policy refer to the Help tab for each policy.
8. Turn on TPM Backup to AD Domain Services.
In Group Policy Management Editor; Expand Computer Configuration à Policies àAdministrative Templates à System à Trusted Platform Module Service
Apply the policy to the specific OU or Domain where on the computers you want to be enable Bitlocker.
Run gpupdate /force on the client machine and run rsop.msc to see if the policies are applied.
If you don’t see the msFVE-RecoveryInformation in AD, most likely the policies are not set correctly. Also you can use Bitlocker AD Recovery Password Viewer to view the Recovery Password.
For a video walkthrough of the steps in this blog, check out the following video. NOTE: It’s best viewed in full-screen high resolution.
Manoj Sehgal Senior Support Engineer Microsoft Enterprise Platforms Support
So I have configured all of these settings and the TPM is saving to ADDS properly but the bitlocker information is not. In fact, I don't even see the MSFVE-RecoveryInformation in the Attribute section of the Object. I have removed both filters and it's not even in the list. I must have missd something. I appreciate this post regardless!!!
This is my last mile in getting the Win7 deployment process ready!!
The bitlocker recovery keys were not backuped in AD DS. Now I see what happened. I did not configure Windows 7 family settings for OS drive but the Windows Vista ones ;-(... I followed the Technet guide but seems not all settings are included for Windows 7. Testing the GPO and encryption in the next hours.
This is a good guide. where in the policy can i force the pin that will be using that is entered during start up ?
You can configure a policy under Operating System Drive to force a PIN.
The Policy is "Require Additional Authentication at Startup"
Enable the policy,
Under Configure TPM Startup, Select "Do not Allow TPM".
Under Configure TPM startup PIN: Select "Require Startup PIN with TPM"
Under Configure TPM Startup key: Select "Do not Allow Startup Key with TPM"
Under Configure TPM Startup Key and PIN: Select " Do not Allow Startup Key and PIN with TPM"
Apply the policy to client machine by running gpupdate /force,
Now a user has to use TPM + PIN.
If we have Group policy base on Window Server 2003, How we can do?
See the blog below which talks about GPO for WIndows Server 2003.
I'm trying to remote deploy bitlocker and force it to users. Is TPM enabled on bios by default or do I need to make a gpo to enable it first?
sir i need your help.
my external hard disk drive is lock with bitlocker drive encryption,i lost my password and recovery key too.my hdd contains lost of important data which is necessary for me i do not want to delete the data.kindly help me for unlocking the hdd.....
please mail me if there any solution of this problem.
my email firstname.lastname@example.org
Mr. Manoj, I had locked my Pen Drive using Bit Locker, which has sensitive data, but I have forgotten my Password, and since my Laptop had crashed it was formatted, so there is no Recovery Key, even though I try to search the same, how do I unlock my Pen Drive as I have my Account on the same an am desperate for the sam, PLEASE HELP....
I am using Windows 2008 R2 and the three folders: Fixed Date Drives, Operating System Drives and Removable Data drives do not show in the GP. Is this normal for ths OS
Please disreguard my previous comment...I had to add the Administrative templates for windows 7
Quite detailed information, very useful.
Can u guide for the documentation for the Test Cases for MBAM Transition, or links / cases to refer to prepare the documentation , Thanks n Regards,
Can u send the links / cases on email@example.com plz, regards,