question

0 Votes
MikeLehmann-8939 asked, MTG-3890 answered

Enabling Bitlocker via GPO

I need to enable BitLocker in an on-prem AD environment. I've set up a GPO with typical settings, with upload key to AD etc.

I am finding that some devices are enabling BitLocker automatically, some aren't. All the newer 20H2 builds seem to be enabling automatically, but not so much the older ones. I know this can be scripted but I'd prefer to let the GPO do the work if possible.

Just wanted to know what the difference between the versions is, all are Win10 Pro of various builds, and why it works automatically on 20H2 but not 1908 for example.

Tags: windows-10-security, windows-group-policy

0 Votes
LimitlessTechnology-2700 answered

Hello @MikeLehmann-8939

Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).

BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.

It works automatically on 20H2 but not 1908 for example because TPM 2.0 is not supported in Legacy and CSM modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the Status heading. You can also run Get-Tpm in PowerShell to get more details about the TPM on the current computer.

For further ideas on BitLocker Group Policy settings:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

Hope this answers all your queries, if not please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )

Regards,

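The answer above lists the preconditions (TPM present and ready, native UEFI rather than Legacy/CSM, Secure Boot) that decide whether the GPO can encrypt a machine on its own. The following PowerShell readiness report is an added example, not code from this thread or from Microsoft; it only uses cmdlets that ship with Windows 10 Pro (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, the Win32_Tpm CIM class) and must be run from an elevated prompt. The function name Get-BitLockerReadiness and the "Blockers" summary are this example's own.

```powershell
# Added example: report why a given Windows 10 machine may or may not be ready
# for GPO-driven BitLocker. Run elevated. Not the thread's own script.
function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $report = [ordered]@{}

    # Firmware mode: BitLocker with TPM 2.0 needs native UEFI, not Legacy/CSM.
    # Windows exposes this as the firmware_type environment variable.
    $report.FirmwareType = $env:firmware_type          # "UEFI" or "Legacy"

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try   { $report.SecureBoot = Confirm-SecureBootUEFI }
    catch { $report.SecureBoot = 'Unsupported (legacy BIOS?)' }

    # TPM presence and readiness from the TrustedPlatformModule module,
    # spec version (e.g. "2.0, 0, 1.16") from the Win32_Tpm CIM class.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady
    $report.TpmVersion = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Current BitLocker state of the OS volume and which protectors exist.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $report.ProtectionStatus = $vol.ProtectionStatus
    $report.VolumeStatus     = $vol.VolumeStatus
    $report.Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')

    # Windows release, because the thread compares behaviour across builds.
    # DisplayVersion exists from 20H2; older builds only carry ReleaseId.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $report.Release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $report.Build   = [Environment]::OSVersion.Version.Build

    # Summarise the blockers that a GPO cannot fix on its own.
    $blockers = @()
    if ($report.FirmwareType -ne 'UEFI') { $blockers += 'Legacy/CSM firmware mode' }
    if (-not $tpm.TpmPresent)            { $blockers += 'No TPM' }
    elseif (-not $tpm.TpmReady)          { $blockers += 'TPM not ready (needs provisioning)' }
    $report.Blockers = if ($blockers) { $blockers -join '; ' } else { 'None' }

    [pscustomobject]$report
}

Get-BitLockerReadiness | Format-List
```

Running this on one machine that encrypted by itself and one that did not, and comparing the FirmwareType, TpmReady and Blockers fields, is the quickest way to tell whether the difference is really the build or the hardware configuration the answer describes.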

0 Votes
MikeLehmann-8939 answered

The issue I face now is most of the users are WFH. I have a GPO that enables BitLocker and it also installs a scheduled task to run the script on those that it doesn't automatically activate on, but this doesn't work well if the computer isn't connected to the network always. By the time the user logs on and starts the VPN, the scheduled task has already been and gone, and it won't enable BitLocker unless the recovery key can be backed up to AD.
Is there a better solution for remote clients? I don't really want to be running the enable BitLocker script on the computers every hour in case they connect to VPN at some point.


0 Votes
MTG-3890 answered, MikeLehmann-8939 commented

"this doesn't work well if the computer isn't connected to the network always" - set the task option as my screenshot shows, but instead of "any connection" use your domain connection and combine it with the option (see screenshot 2) "Run the task as soon as possible after a scheduled start is missed".

[screenshot 1: capture.png]
[screenshot 2: capture2.png]

Thanks.

I can't choose anything other than 'Any connection' in that network dialog. I have it running now with three triggers: at logon, at idle, and when the task is applied/modified. This seems to be catching most computers. I still need to cater for ones that are in the office connected to the LAN also, which will be connected and probably never reboot.

What I am finding though is that since I added this scheduled task into the script, the GPO part no longer takes effect. Previously, computers that were new builds with TPM 2.0 would automatically encrypt immediately on the GPO settings alone. Since I added the scheduled task, they now wait for the conditions of the task to be met before encrypting. I don't really understand this as the two should have nothing to do with each other, but I often find GPO works inconsistently on Windows 10.

0 Votes

0 Votes
MTG-3890 answered
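The exchange above turns on two details: the task must catch up when its start was missed (the "Run the task as soon as possible after a scheduled start is missed" option, StartWhenAvailable in PowerShell), and the script must not enable BitLocker until the recovery password has actually been escrowed to AD DS, because the Task Scheduler network condition only offers "Any connection" and a VPN may not be up yet. The script below is an added example, not the thread's own script or Microsoft-published code. It assumes a domain-joined Windows 10 Pro machine with a ready TPM, the built-in BitLocker and ScheduledTasks modules, an elevated SYSTEM context, and a GPO that stores recovery information in AD DS. The task name Corp-EnableBitLocker, the script path under C:\ProgramData\Corp and the function names are this example's own placeholders.

```powershell
# Added example (not from the thread): enable BitLocker on the OS drive only when
# the recovery password can be escrowed to AD DS, and register a scheduled task
# that retries at logon, daily, and whenever a missed start is caught up.

function Test-DomainReachable {
    # Over a VPN the adapter is "connected" long before a DC is reachable, so the
    # task's network condition is not enough; check the secure channel instead.
    try   { return (Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Enable-BitLockerWithAdEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return 'AlreadyProtected' }
    if (-not (Get-Tpm).TpmReady)        { return 'TpmNotReady' }
    if (-not (Test-DomainReachable))    { return 'DomainUnreachable' }   # retry next trigger

    # 1. Add a recovery password protector first so there is something to escrow.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # 2. Escrow it to AD DS and stop here if that fails, so encryption never
    #    starts with a recovery key that exists only on the laptop.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    } catch {
        return "EscrowFailed: $($_.Exception.Message)"
    }

    # 3. Start encryption with the TPM as the unlock protector.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    return 'EncryptionStarted'
}

function Register-BitLockerEnrollTask {
    # $ScriptPath is a placeholder: point it at wherever the GPO drops this script.
    param([string]$ScriptPath = 'C:\ProgramData\Corp\Enable-BitLocker.ps1')

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

    # At logon covers WFH laptops once the VPN is up (with retries via the
    # daily trigger); the daily trigger also covers office PCs that never reboot.
    $triggers = @(
        (New-ScheduledTaskTrigger -AtLogOn),
        (New-ScheduledTaskTrigger -Daily -At '9am')
    )

    # StartWhenAvailable = "Run the task as soon as possible after a scheduled
    # start is missed"; RunOnlyIfNetworkAvailable = the "Any connection" condition.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable `
        -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'Corp-EnableBitLocker' -Action $action `
        -Trigger $triggers -Settings $settings -Principal $principal -Force
}

# When invoked by the task, attempt enrolment and log the outcome to the event log
# source "Application" so the result is visible centrally.
$result = Enable-BitLockerWithAdEscrow
Write-EventLog -LogName Application -Source 'Application' -EventId 1000 `
    -EntryType Information -Message "BitLocker enrolment: $result"
```

Because the escrow step runs before Enable-BitLocker, the script returns DomainUnreachable or EscrowFailed instead of failing half-way, and the next trigger simply tries again; there is no need for an hourly loop. Machines that return AlreadyProtected on every run are the ones the GPO handled by itself, which is a useful way to separate the two mechanisms the last comment above found hard to tell apart.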

BL does not enable itself automatically unless a Microsoft account is in use, since only then can the recovery password be saved to the cloud. No MS account -> no cloud access -> no auto-BL. It's not inconsistent anywhere here.
