Bitlocker Windows 10 using GPO

Federico Coppola 1,181 Reputation points
2021-03-25T12:21:26.84+00:00

Hi all,
Inside the company I would like to manage BitLocker for Windows 10 clients using Group Policy.
I have already installed the role to manage BitLocker on my domain controller.

After that I created a new Group Policy (you can see it in the picture):

[screenshot: 81582-image.png]

In my case there are at this moment more than 50 laptops inside the company. Before, IT Support encrypted the drive directly from the Windows 10 PC and stored all recovery keys in a shared folder. I would like to remove this practice to avoid mistakes.

My goal is:

  • automatically encrypt all Operating System Drives (all laptops have just one partition because users save all files on the File Server)
  • see all BitLocker Recovery Keys in Active Directory. Can I see the actual recovery keys of all laptops in Active Directory?

At this moment, every computer profile is empty regarding BitLocker information:
[screenshot: 81544-image.png]

How can I do it?
What happens if I enable the GPO for all computers and all computers at this moment already have BitLocker enabled?

Best regards
Federico


Accepted answer
  1. Jenny Feng 14,081 Reputation points
    2021-03-29T07:25:13.933+00:00

    @Federico Coppola
    Hi,
    Based on my research, "Used Space Only" will be much more efficient than full encryption, and newly added data will be encrypted automatically, but data deleted before the encryption won't be protected.
    If this is a new drive, there is no need to change the encryption mode.

    Also, I think you could follow the guide below:
    https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


3 additional answers

Sort by: Most helpful
  1. Jenny Feng 14,081 Reputation points
    2021-03-26T02:41:21.103+00:00

    @Federico Coppola
    Hi,
    automatically encrypt all Operating System Drive
    You set the options through GPO but to actually enable you need to run a script.
    You may refer to the following link for details:
    https://www.reddit.com/r/sysadmin/comments/aburax/how_to_enable_bitlocker_via_gpo/
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Can I see actual recovery of all laptops in Active Directory?
    Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer.
    To complete the procedures in this scenario:
    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer

    If I enable the GPO for all computers and all computers at this moment already have BitLocker enabled.
    If a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives, no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.

    For your reference:
    https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

    Hope the above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Federico Coppola 1,181 Reputation points
    2021-03-26T11:29:43.067+00:00

    Hi @Jenny Feng
    Thanks for your reply!

    Sorry, but I do not understand some steps:

    You set the options through GPO but to actually enable you need to run a script.

    Until yesterday, the Windows 10 BitLocker function was always manually enabled on PCs after joining them to the domain.
    Activation has always been done by:
    Start > Manage BitLocker

    I admit that BitLocker was often activated using

    • "Encrypt used disk space only"
    • "New encryption mode"

    I usually save the recovery key in a document file.

    Should I run the script to convert the BitLocker mode (from "Encrypt used disk space only" to "Encrypt entire drive")?

    Domain administrators can view the BitLocker recovery password by
    using the BitLocker Recovery Password Viewer.

    I already enabled it from Server Manager (I installed the BitLocker roles on the Domain Controller).

    If a Group Policy setting was changed after the initial BitLocker deployment in
    your organization, and then the setting was applied to previously encrypted
    drives), no change can be made to the BitLocker configuration of that drive
    except a change that will bring it into compliance.

    Ok.
    In my case I have all laptops encrypted manually from the Control Panel menu.
    From now on I would like to avoid doing it manually and do it automatically instead.

    After that I would like to see the actual recovery key of all laptops inside Active Directory.
    At this moment, the BitLocker tab of every computer is empty (I did not apply the GPO yet).

    Is there a way that permits me to have, inside Active Directory, the recovery keys of all computers already encrypted by BitLocker?

    I hope to be clear.

    Federico

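The following PowerShell script is an added example, not code from this thread, from Microsoft's documentation or from the links above. It covers both points raised in the answer and the follow-up: the "you need to run a script" step for turning BitLocker on, and getting the recovery keys of laptops that were already encrypted manually into Active Directory. The caveat that matters for the follow-up question is that the "Store BitLocker recovery information in Active Directory Domain Services" policy only escrows a recovery password at the moment that protector is created, so drives encrypted before the GPO existed never get backed up on their own; each of them needs an explicit Backup-BitLockerKeyProtector run once. The script assumes a present and ready TPM, that the OS drive is the system drive (normally C:), and that it runs as SYSTEM from a GPO startup script with the AD DS backup policy already applied.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumptions: TPM present, OS drive = $env:SystemDrive,
# run as SYSTEM after the "Store BitLocker recovery information in AD DS" policy applies.

$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Laptop not encrypted yet: create the recovery password protector first (the GPO
    # escrows it to AD at creation time), then turn encryption on with the TPM protector.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    $vol = Get-BitLockerVolume -MountPoint $osDrive
}

# Laptops encrypted manually before the GPO existed: their recovery passwords were never
# written to AD, so push every RecoveryPassword protector to the computer object now.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    # A drive protected by TPM only has nothing to escrow; add a recovery password so that
    # a lost TPM or a firmware change does not lock the user out permanently.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $recovery) {
    # Idempotent: re-running simply rewrites the same msFVE-RecoveryInformation object.
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
}

# Report what this machine ended up with, for the startup-script log.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'RecoveryProtectors'; e = { $recovery.Count } }
```

After the script has run on a laptop, the computer object in Active Directory gains a child object of class msFVE-RecoveryInformation, which is exactly what the BitLocker Recovery Password Viewer tab reads; if the tab stays empty, the usual causes are that the policy was not applied before the protector was created, that the computer account lacks permission to write the object (the schema and permissions are what the BitLocker role on the domain controller sets up), or that the laptop was off the network when Backup-BitLockerKeyProtector ran, in which case the cmdlet fails and a re-run is needed. Existing drives are left in "used space only" mode; the script does not convert them to full-disk encryption, since the accepted answer notes that this is unnecessary for drives that were new when encrypted.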

  3. Federico Coppola 1,181 Reputation points
    2021-03-29T09:34:16.107+00:00

    Thanks so much for your help!

    Best regards