Deploy bitlocker in all windows devices

Ed7 96 Reputation points
2022-01-07T12:51:24.847+00:00

Hi,

I am in process of planning a BitLocker deployment in our environment.

As a small company, we do not have SCCM, but our devices are all in our domain.

This is the first time I am doing this and I would like a few suggestions on how to deploy it, and on what we need in order to provide the BitLocker key whenever we need it so that it unlocks the device.

What type of server do we need? What steps do I need to take? Is it possible to deploy via Group Policy? Or can I deploy using a PowerShell script?

Thanks in advance.


2 answers

  1. Lee Fitches 26 Reputation points
    2022-01-07T16:38:54.35+00:00

    Hi,

    Firstly, you will need to make sure your devices are able to be encrypted; this requires them having a TPM (Trusted Platform Module) and it being activated. You could send out a PowerShell script with Get-Tpm and this will return whether or not the TPM is ready and the device can be encrypted.

    Both options work, but I would suggest Group Policy as your main way to deploy this as it would be a lot more reliable. In Group Policy, you need to browse to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Once you're there it will give you three different sub-folders: OS drives, removable drives and fixed data drives. It's entirely up to you which settings you want enforced, but within there you can choose which drives you can encrypt, and you can also choose to back up the recovery key to your Active Directory for when it is needed. Hope this helps!

    1 person found this answer helpful.
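As an added example (not from the answer above or from Microsoft), the TPM check and the "back up the recovery key to Active Directory" step from this answer, combined into one script that can be pushed out as a startup script. It assumes it runs elevated on a domain-joined Windows 10 client whose OS drive is C:, and that the GPO "Store BitLocker recovery information in Active Directory Domain Services" under the path the answer gives is already enabled; without that policy the Backup-BitLockerKeyProtector call fails.

```powershell
# Added example: check TPM readiness, then, if the OS drive is still unencrypted,
# turn on BitLocker with a TPM protector plus a recovery password that is escrowed
# to AD DS *before* encryption starts, so no drive is ever encrypted with a key
# that was not backed up.
# Assumptions: elevated session, domain-joined Windows 10, OS drive is C:, and the
# "Store BitLocker recovery information in AD DS" GPO is enabled.
#Requires -RunAsAdministrator
param([string]$MountPoint = 'C:')

function Test-BitLockerReadiness {
    param([string]$MountPoint)
    $tpm = Get-Tpm                                    # TrustedPlatformModule module
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady                 # present, enabled, activated, owned
        VolumeStatus = $vol.VolumeStatus             # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        Protection   = $vol.ProtectionStatus
        RecoveryKeys = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    }
}

$state = Test-BitLockerReadiness -MountPoint $MountPoint
$state | Format-List

if (-not $state.TpmReady) {
    Write-Warning "TPM is not ready on $($state.Computer); enable/activate it in firmware first."
    exit 1
}
if ($state.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "BitLocker is already on $MountPoint ($($state.VolumeStatus)); nothing to do."
    exit 0
}

# 1. Create the 48-digit recovery password and escrow it to the computer object in AD DS.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 2. Only now start encrypting; the TPM unlocks the drive at boot without user input.
#    Used-space-only keeps the first run short on freshly imaged machines.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
                 -UsedSpaceOnly -SkipHardwareTest
```

Afterwards the recovery password is visible on the computer object's "BitLocker Recovery" tab in Active Directory Users and Computers (with the BitLocker Recovery Password Viewer feature installed), which is where the help desk reads it when a user is prompted for the key.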

  2. Bagitman 581 Reputation points
    2022-01-21T10:47:12.333+00:00

    If you don't have contracts with Microsoft that let you use MBAM, please read https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D to see a scripted solution for deployment.
