BitLocker Administrator's Configuration

Overview

BitLocker integrates with AD through Group Policy and can back up recovery information for encrypted drives to AD computer account objects. It gives IS an effective drive-encryption option, together with the tools to support the service on domain-joined workstations. Additionally, drive encryption may aid in protecting IS from FERPA violations.

Minimum requirements to enable BitLocker on a Windows-based device

  • AD domain-joined (must be AD joined before encryption)
  • Windows 7/8 Enterprise or higher installed
  • Trusted Platform Module (TPM) specification 1.2

Group Policy

Security Filter

Create an AD group to which the Group Policy is applied. This group will contain the computer objects that you wish to encrypt with BitLocker.

GPO Settings

Windows Components/BitLocker Drive Encryption/Operating System Drives

Policy: Allow enhanced PINs for startup
Setting: Enabled

Policy: Choose how BitLocker-protected operating system drives can be recovered
Setting: Enabled
  Allow data recovery agent: Disabled
  Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard: Disabled
  Save BitLocker recovery information to AD DS for operating system drives: Enabled
  Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled

Policy: Configure minimum PIN length for startup
Setting: Enabled
  Minimum characters: 8

Policy: Require additional authentication at startup
Setting: Enabled
  Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Disabled
  Settings for computers with a TPM:
    Configure TPM startup: Do not allow TPM
    Configure TPM startup PIN: Allow startup PIN with TPM
    Configure TPM startup key: Do not allow startup key with TPM
    Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

Extra Registry Settings

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting: SOFTWARE\Policies\Microsoft\TPM\ActiveDirectoryBackup
State: 1

Setting: SOFTWARE\Policies\Microsoft\TPM\RequireActiveDirectoryBackup
State: 1

Active Directory Computer Object Permissions

Backing up TPM information to Active Directory requires that computer account objects be authorized to write to the computer object attribute ms-TPMOwnerInformation. To grant this, the SELF security principal is added and given write permission on the ms-TPMOwnerInformation attribute of the computer object. This permission change should apply to all computer accounts eligible for BitLocker, so that TPM recovery information is backed up and available if a user loses or forgets their TPM PIN.

These security permissions should already be applied to your Computers OU and its descendants. If you need assistance with configuring this, please submit a ticket for Active Directory Services.
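A read-only way to confirm that the permission described above is actually in place on an OU, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module, an account that can read the OU's security descriptor, and a placeholder OU distinguished name that you replace with your own Computers OU:

```powershell
# Added example: check whether SELF has WriteProperty on msTPM-OwnerInformation
# for computer objects under an OU (what the TPM owner-information backup needs).
# Read-only; it changes nothing. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$computersOU = 'OU=Computers,DC=example,DC=edu'   # placeholder; use your Computers OU DN

# The ACE identifies the attribute by its schemaIDGUID, so look that up first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'msTPM-OwnerInformation'" -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# Read the OU's DACL through the AD: drive that the module provides.
$acl = Get-Acl -Path "AD:\$computersOU"

# Match an Allow ACE for NT AUTHORITY\SELF that grants WriteProperty on exactly
# this attribute and is inheritable (InheritanceType other than None), whether
# the ACE is set directly on the OU or inherited from a parent container.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$match = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ObjectType -eq $attrGuid -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    $_.InheritanceType -ne 'None'
}

if ($match) {
    Write-Output "OK: SELF can write msTPM-OwnerInformation on computer objects under $computersOU"
    $match | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
}
else {
    # Assumption: the grant an AD administrator would apply is the dsacls form
    #   dsacls "<OU DN>" /I:S /G "NT AUTHORITY\SELF:WP;msTPM-OwnerInformation;computer"
    # Per the article, request this through a ticket rather than applying it yourself.
    Write-Warning "Missing: no inheritable ACE grants SELF WriteProperty on msTPM-OwnerInformation under $computersOU"
}
```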

Prepare the device for BitLocker

  • Enable the TPM in the BIOS and activate it
  • Set the boot order in the BIOS so the HDD has first priority
  • Verify the TPM is specification 1.2 or newer.
    • You can do so by opening a Run prompt and launching tpm.msc, which reports the TPM status and specification version. If the TPM is older than specification 1.2, some features configured by BitLocker may not be supported.

Backing up recovery information to AD for devices that were encrypted before receiving the GPO settings

Laptops that turned on BitLocker before receiving the GPO settings will need to run the following commands from an elevated PowerShell prompt to push the machine's recovery information up to Active Directory:

> Import-Module ActiveDirectory

> manage-bde -protectors -get C:

You will receive output similar to this:

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

Numerical Password:
ID:  {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}
Password:
 {527560-068585-114378-134288-010131-496430-662706-631224}

TPM:

ID:
 {5EB69F42-4ABC-4D6B-87C5-C894A3840FC4}

To back up the BitLocker recovery information to AD, run the following command with the ID of the Numerical Password protector from the output above (the 48-digit recovery password is what gets stored; do not use the TPM protector's ID):

> manage-bde -protectors -adbackup C: -id {9557D616-0BD0-4B2A-8A2A-9DD4C5C21CCC}

Recovery information was successfully backed up to Active Directory.
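The same backup scripted for the OS drive with the BitLocker PowerShell module, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later (where the module ships) and an elevated prompt on a domain-joined machine; Get-BitLockerVolume and Backup-BitLockerKeyProtector stand in for the manage-bde calls above:

```powershell
# Added example: escrow every 48-digit recovery password protector on the OS drive
# to AD DS. Equivalent to "manage-bde -protectors -adbackup <drive> -id <id>" but
# finds the right protector ID itself instead of relying on a copy-and-paste.
#Requires -RunAsAdministrator
Import-Module BitLocker

$osDrive = $env:SystemDrive          # normally "C:"
$volume  = Get-BitLockerVolume -MountPoint $osDrive

if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $osDrive (status: $($volume.ProtectionStatus)); nothing to back up."
    return
}

# Only RecoveryPassword (numerical password) protectors can be stored in AD DS;
# TPM and TPM+PIN protectors hold no secret that AD could hand back for recovery.
$recoveryProtectors = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    Write-Warning "No 48-digit recovery password protector on $osDrive; add one first with:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector"
    return
}

foreach ($kp in $recoveryProtectors) {
    try {
        # Creates an msFVE-RecoveryInformation object under this computer's AD account,
        # which is what the Recovery Password Viewer tab later displays.
        Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "Backed up protector $($kp.KeyProtectorId) for $osDrive to AD DS."
    }
    catch {
        # Typical causes: the GPO has not applied yet, no domain controller is reachable,
        # or the computer account lacks rights to create the recovery object.
        Write-Error "AD DS backup failed for protector $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}
```

A successful run corresponds to the "Recovery information was successfully backed up to Active Directory" message from manage-bde; confirm from the domain side with the Recovery Password Viewer tab described in the next section.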

View Recovery Information in Active Directory

In order to view the recovery tab in Active Directory Users and Computers, you will first need to install the BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can install this by adding the BitLocker Drive Encryption Administration Utilities feature under the RSAT Tools.

To install the BitLocker Recovery Password Viewer feature:

  1. Go to Server Manager
  2. On the Features page, select Remote Server Administration Tools
  3. Check BitLocker Drive Encryption Administration Utilities
    1. Check BitLocker Drive Encryption Tools
    2. Check BitLocker Recovery Password Viewer

For additional information, see the Microsoft Learn article "BitLocker: Use BitLocker Recovery Password Viewer".

Details

Article ID: 95334
Created: Tue 1/7/20 3:43 PM
Modified: Mon 11/14/22 11:41 AM