Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. See the following guide on how to enable FileVault disk encryption on a Mac device and BitLocker Drive Encryption architecture and implementation scenarios.
BitLocker can also be configured through Group Policy settings. This is particularly useful for organizations that have a compliance mandate to enable BitLocker encryption for all endpoint devices. You can also use MBAM (Microsoft Bitlocker Administration and Monitoring), SCCM (Microsoft System Center Configuration Manager), or Intune to roll out Bitlocker to your users. You may be interested in some of the articles I have written regarding “Insight on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption“. Since I have tested an FDE solution with PBA, kindly take a look at how to download and install DriveLock. BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC). Let’s walk through a few simple steps on how to configure Bitlocker with Group Policy.
Part A: Via the Local Group Policy Editor: To get started, launch the Local Group Policy Editor as shown below.
– Note: You can also search for “gpedit.msc” from the Windows search box
This will open up the Local Group Policy Editor and please navigate through as shown below.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
In the right pane, double-click Require additional authentication at startup. A pop-up box will open. Make sure the Enabled option is selected for all of the other options listed below to be active. For more on this, see this guide “how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM”.
Note: If you do NOT want to configure BitLocker to support devices without TPM, you can clear the "Allow BitLocker without a compatible TPM" check box.
- For the “Configure TPM start:” option, select “Allow TPM”.
- For the option “Configure TPM system start PIN:” select “Start PIN required for TPM”.
- For the “Configure TPM startup key:” option, select “Allow startup key with TPM”.
- For the “Configure TPM startup key and PIN:” option, select “Allow startup key for TPM”.
- Click the Apply button, then click the OK button to save the changes in the Local Group Policy Editor. For more information on Group Policy, please see the following guide on what a Group Policy Object.
As you can see below, the Settings have been configured.
Create a PIN via the Command Line (CMD). Launch the CMD with administrator rights and perform the following below.
– Enter the command below.
manage-bde -protectors -add c: -TPMAndPIN
You will be prompted to enter the PIN.
– Enter a number between four and seven digits. The cursor does not register the keystrokes when you enter the number.
– Press Enter to save the PIN and you will be asked to re-enter the PIN to confirm.
– Press Enter again to save the PIN verification.
– Next, enter the command to view the status of the Bitlocker Data Encryption. The BitLocker Drive Encryption Status shows the “Key Protectors:” as “Numeric Password”, “TPM and PIN”.
Note: Every time the user boots the system, a BitLocker pre-boot security prompt is displayed, requiring the PIN to be entered before access to the operating system is granted. See these guides for more information on how to enable or disable BitLocker on Windows 10 or this link.
Part B – Group Policy Management Console: We will start by opening Server Manager, select Tools, followed by Group Policy Management as shown below.
This will open up the Group Policy Management Console as shown below.
Next, we will have to select the Group Policy Objects folder within the domain,
– Right-click and select new to create a new group policy object (GPO).
In the New GPO dialog box, I will enter my desired name “TechDirectA BitLocker GPO”. You can use any name of your choice.
Now the GPO has been created. We will have to right-click it and select Edit.
– This will open the Group Policy Management Editor (GPME). From within GPME navigate the path below. We can set policy for some global BitLocker items, as well as the specific policy that applies to the operating system drive, fixed data drives, or removable data drives.
Note: The BitLocker Drive Encryption folder contains ten configurable settings, as well as three subfolders, each of which contains additional settings. You can see the primary collection of settings as shown below.
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption
Enable the following Options: - Choose drive encryption method and cipher strength (Windows 10 Version 1511 and later) - Choose drive encryption method and cipher strength (Server 2012, Win 8.1 etc…) - Choose how users can recover BitLocker protected drives - Store BitLocker recovery information in Active Directory Domain Services
As you can see below, the needed Policies have been enabled.
BitLocker integrates with AD DS to provide centralized key management. By default, no recovery information is backed up to Active Directory (AD). Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information. By default, only Domain Admins have access to BitLocker recovery information, but access can be delegated to others. The following recovery data is saved for each computer object:
- Recovery Password: A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.
- Key Package Data: With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
Next, navigate down the folder into Operating System Drives and enable the following: - Choose how BitLocker protected operationg system drives can be recovered and enable it.
As we can see below the Policy has been enabled
This is not an exhaustive list, for a comprehensive list of BitLocker Group Policy settings, see this link. Next, We will have to target the GPO to our domain. You can tie this to specific OUs’ if you want. This will start the BitLocker process to encrypt automatically.
– To link the GPO, right-click on your Domain and select “Link an existing GPO”.
– Select the GPO object in the list of GPOs and click on OK.
As you can see, The GPO has been linked to our Domain.
In order to make or roll out BitLocker through a Group Policy that you should run a ‘gpupdate’ on the system. For more information on Group Policy, please see the following guide on GPUpdate Switches: GPUpdate vs GPUpdate force.
Part C- Backup existing BitLocker recovery keys to AD: If you have already enabled BitLocker but now want to store the recovery keys in Active Directory. With the configured GPO policies above, this will allow windows to write the recovery key to AD.
– We need to use the manage-bde utility, which is a command-based utility that can be used to configure BitLocker. For more information, see the following link.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.