Microsoft Enterprise Platforms Support: Windows Server Core Team
Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group, and today's blog will cover how to enable BitLocker in Windows 7 and how to avoid one of the most common issues we see when enabling BitLocker using GPOs.
A common problem we have seen since the release of Windows 7 is that the BitLocker recovery keys are not properly captured in Active Directory. This is most likely due to incorrect BitLocker policy settings in the GPO.
How to enable BitLocker using GPO
1. Open Group Policy Management Console and create a new Group Policy.
2. Right click on the policy and click Edit; you will see a Group Policy Management Editor window.
3. Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption.
You should see the following policy options for BitLocker:
4. The first policy we need to configure is: Provide Unique Identifiers for your organization.
5. Under the Fixed Data Drives section, enable the two policies shown below. For more information on each policy, refer to its Help tab.
6. Under the Operating System Drives section, enable the three policies shown below. For more information on each policy, refer to its Help tab.
· Require additional authentication at startup – Set this policy as per your requirement. The startup options it controls are: Configure TPM Startup; Configure TPM Startup PIN; Configure TPM Startup Key; Configure TPM Startup Key and PIN.
If you want to use TPM + PIN as the startup type, see the screenshot below.
7. Under the Removable Data Drives section, enable the three policies shown below. For more information on each policy, refer to its Help tab.
8. Turn on TPM Backup to AD Domain Services.
In Group Policy Management Editor, expand Computer Configuration -> Policies -> Administrative Templates -> System -> Trusted Platform Module Services and enable the TPM backup policy.
Link the GPO to the OU or domain that contains the computers on which you want to enable BitLocker.
Run gpupdate /force on the client machine, then run rsop.msc to confirm that the policies have been applied.
If you don't see any msFVE-RecoveryInformation objects in AD, the policies are most likely not set correctly. You can also use the BitLocker Recovery Password Viewer to view the recovery password.
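To make the rsop.msc check from the steps above repeatable, here is an added PowerShell audit script (example code, not part of the original post or a Microsoft tool). It reads the policy registry keys that the FVE and TPM ADMX templates write under HKLM\SOFTWARE\Policies\Microsoft, compares them with the values needed for recovery information to be escrowed to AD DS, and then counts the msFVE-RecoveryInformation objects stored under the computer's own AD object. The registry value names are taken from the BitLocker/TPM ADMX templates as I know them; treat them as an assumption and verify them against the ADMX files in your domain's central store before relying on the list. The startup-type values (TPM, PIN, key) are reported only, since the post leaves them to your requirements.

```powershell
# Added example, not from the original post: audit a client for the BitLocker and TPM
# policy values the GPO steps should have delivered, then check AD for escrowed recovery info.
# Registry value names follow the FVE/TPM ADMX templates (assumed; verify in your central store).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is "Not Configured" on this machine.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-BitLockerAdBackupPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

    # Step in the post -> registry value -> value required for AD DS escrow to work.
    $required = @(
        @{ Step = '4 Provide unique identifiers';          Path = $fve; Name = 'IdentificationField';             Expect = 1 },
        @{ Step = '5 Fixed drives: recovery enabled';      Path = $fve; Name = 'FDVRecovery';                     Expect = 1 },
        @{ Step = '5 Fixed drives: save to AD DS';         Path = $fve; Name = 'FDVActiveDirectoryBackup';        Expect = 1 },
        @{ Step = '5 Fixed drives: require AD backup';     Path = $fve; Name = 'FDVRequireActiveDirectoryBackup'; Expect = 1 },
        @{ Step = '6 OS drive: recovery enabled';          Path = $fve; Name = 'OSRecovery';                      Expect = 1 },
        @{ Step = '6 OS drive: save to AD DS';             Path = $fve; Name = 'OSActiveDirectoryBackup';         Expect = 1 },
        @{ Step = '6 OS drive: require AD backup';         Path = $fve; Name = 'OSRequireActiveDirectoryBackup';  Expect = 1 },
        @{ Step = '6 OS drive: additional authentication'; Path = $fve; Name = 'UseAdvancedStartup';              Expect = 1 },
        @{ Step = '7 Removable drives: recovery enabled';  Path = $fve; Name = 'RDVRecovery';                     Expect = 1 },
        @{ Step = '7 Removable drives: save to AD DS';     Path = $fve; Name = 'RDVActiveDirectoryBackup';        Expect = 1 },
        @{ Step = '7 Removable drives: require AD backup'; Path = $fve; Name = 'RDVRequireActiveDirectoryBackup'; Expect = 1 },
        @{ Step = '8 TPM owner info to AD DS';             Path = $tpm; Name = 'ActiveDirectoryBackup';           Expect = 1 },
        @{ Step = '8 TPM: require AD backup';              Path = $tpm; Name = 'RequireActiveDirectoryBackup';    Expect = 1 }
    )
    foreach ($r in $required) {
        $actual = Get-PolicyValue -Path $r.Path -Name $r.Name
        [pscustomobject]@{
            Step   = $r.Step
            Value  = $r.Name
            Actual = if ($null -eq $actual) { 'Not Configured' } else { $actual }
            Ok     = ($actual -eq $r.Expect)
        }
    }
}

function Get-BitLockerStartupPolicy {
    # Informational only: 0 = do not allow, 1 = allow, 2 = require (per the ADMX help text).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        [pscustomobject]@{ Setting = $name; Value = Get-PolicyValue -Path $fve -Name $name }
    }
}

function Get-BitLockerRecoveryObjects {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Find the computer object, then list msFVE-RecoveryInformation children one level below it.
    # Only names and timestamps are read; the password attribute needs delegated rights.
    $finder = [adsisearcher]"(&(objectCategory=computer)(cn=$ComputerName))"
    $computer = $finder.FindOne()
    if (-not $computer) { throw "Computer object '$ComputerName' not found in AD." }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $searcher.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Name        = $result.Properties['name'][0]
            WhenCreated = $result.Properties['whencreated'][0]
        }
    }
}

$results = Test-BitLockerAdBackupPolicy
$results | Format-Table Step, Value, Actual, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more AD backup policies are missing. Run gpupdate /force and re-check rsop.msc.'
}
Get-BitLockerStartupPolicy | Format-Table -AutoSize
Get-BitLockerRecoveryObjects | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client after gpupdate /force. A row showing Not Configured points at the GPO setting that did not reach the machine (wrong link scope, filtering, or a Not Configured policy), which is the usual reason no msFVE-RecoveryInformation object appears. If the policy rows are all Ok but the AD query returns nothing, the drive was encrypted before the policy applied; manage-bde -protectors -get C: shows the numerical password protector ID, and manage-bde -protectors -adbackup C: -id {ID} escrows it now that policy permits it.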
For a video walkthrough of the steps in this blog, check out the following video. NOTE: It’s best viewed in full-screen high resolution.
Manoj Sehgal Senior Support Engineer Microsoft Enterprise Platforms Support
This is the perfect post, exactly what I needed, but the pictures are broken. Does anyone have the pictures or the info that was in them?
Great article. Viewed it, followed it, and it works great. Except for 2 people. For some reason, when I run manage-bde with the adblock flag, it returns the message: "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted." However, I was able to back up to Active Directory for everyone else in that group (OU and Security Group). I cannot find any difference between the users or computers that would explain why the adbackup didn't work for these 2 users. Any clues you could give me, or a pointer in the direction of an answer?