Windows 7 thread (Technical forum): BitLocker GPO's and rollout
5th November 2012, 10:33 AM #1 BitLocker GPO's and rollout
Hi All
I am currently playing with BitLocker here at work and have got all of the scripts and things done so that I can back up the information to AD. I admit though that I have not read up on this topic fully yet and wondered if I am going wrong somewhere.
Currently I have it set up so that:
1) I can MDT a machine and choose it to set up BitLocker, and this installs the recovery key to AD.
2) I also have tested running a command-line manage-bde PowerShell command to force a machine that had been set up with BitLocker previously to also store its details in AD.
Where I am struggling is this: what if I have 10 laptops in an OU with no BitLocker enabled? How would I automate BitLocker without rebuilding or manually starting BitLocker? I have applied the group policy that I used for the above, which pulls the TPM stuff into AD and also sets up how to deal with the OS disk etc. What I cannot seem to do is to actually get it to TURN ON BitLocker itself and kick off the encryption.
It would be nice to apply the BitLocker GPO to a laptop OU and come back later and they are all encrypting (assuming TPM etc. is on in the BIOS). At the moment I apply the policy to the OU and go back and BitLocker is still off. Is this normal? Is there a way to do what I want to do?
My current GPO settings are using the 2 options below and the options within each:

1) Turn on TPM backup to Active Directory Domain Services: Enabled
   - Require TPM backup to AD DS: Enabled
     (If selected, cannot set or change TPM owner password if backup fails (recommended default). If not selected, can set or change TPM owner password even if backup fails. Backup is not automatically retried.)

2) Recovery options:
   - Allow data recovery agent: Enabled
   - Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
   - Omit recovery options from the BitLocker setup wizard: Disabled
   - Save BitLocker recovery information to AD DS for operating system drives: Enabled
   - Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
   - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
Any advice would be appreciated.
Thanks!
7th November 2012, 10:37 PM #2
This bit of PowerShell code...

# ProtectionStatus on Win32_EncryptableVolume: 0 = protection off, 1 = on, 2 = unknown
$BitLockerEnabled = (Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter -eq "C:" }).ProtectionStatus
if (-not $BitLockerEnabled)
{
    # replace notepad.exe with whatever should run when BitLocker is off
    notepad.exe
}

can run something on a computer if BitLocker is not turned on, in this case Notepad. I'm thinking you would be wanting to run the command to activate BitLocker.
You could run it from a startup script or scheduled task. You may have to set the PowerShell execution policy setting in a GPO if you haven't before though.
Are you having issues getting MDT to turn bitlocker on or are you talking about after deployment?
Last edited by arron; 7th November 2012 at 10:41 PM.
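Putting the two posts together: the BitLocker policy settings listed in the first post only constrain how BitLocker behaves once something turns it on (the setup wizard, MDT, manage-bde or WMI); none of them starts encryption, which is why the OU sits at "BitLocker off" after the GPO applies. The script below is an added example written for this page, not code from either poster. It extends the ProtectionStatus check from the reply above into a GPO startup script that checks the TPM, confirms a domain controller is reachable, adds a TPM protector and a recovery password, verifies the AD DS backup, and then starts encryption with manage-bde. It assumes Windows 7 with PowerShell 2.0, a TPM already enabled and activated in the BIOS, the first post's GPO settings in force, and that it runs as SYSTEM; the log file location and the domain-reachability check are my choices, not something from the thread.

```powershell
# Added example, not code from the thread: a GPO startup script that turns on BitLocker
# for the OS drive when it is still off, with the recovery password escrowed to AD DS.
# Assumptions (mine, not the poster's): Windows 7 / PowerShell 2.0, TPM already enabled
# and activated in the BIOS, the first post's GPO settings applied, running as SYSTEM.
# The log path and the domain-reachability check are illustrative choices.

$OsDrive = $env:SystemDrive                                    # normally "C:"
$LogFile = Join-Path $env:ProgramData 'BitLockerRollout.log'   # assumed location

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Run manage-bde.exe with the given arguments, log its output, return its exit code (0 = success).
function Invoke-ManageBde([string[]]$Arguments) {
    $output = & manage-bde.exe @Arguments 2>&1
    foreach ($line in $output) { Write-Log "  manage-bde: $line" }
    return $LASTEXITCODE
}

# 1. TPM state, from the Win32_Tpm class (a different WMI namespace from the volume class).
$tpm = Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftTpm -Class Win32_Tpm
if ($tpm -eq $null) { Write-Log 'No TPM found; leaving BitLocker off.'; exit 1 }
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    Write-Log 'TPM present but not enabled/activated in the BIOS; nothing a script can do here.'
    exit 1
}
if (-not $tpm.IsOwned().IsOwned) {
    # Taking ownership on TPM 1.2 hardware can need a physical-presence reboot, so it is
    # deliberately not attempted blindly; initialise the TPM (tpm.msc or manage-bde -tpm) first.
    Write-Log 'TPM is not owned yet; initialise it before BitLocker can use it.'
    exit 1
}

# 2. Same test as the check posted above. ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
$vol = Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption `
    -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq $OsDrive }
if ($vol -eq $null) { Write-Log "BitLocker WMI does not know volume $OsDrive."; exit 1 }
if ($vol.ProtectionStatus -ne 0) {
    Write-Log "ProtectionStatus on $OsDrive is $($vol.ProtectionStatus); nothing to do."
    exit 0
}
# ConversionStatus 0 = fully decrypted; anything else means encryption is already under way or paused.
if ($vol.ConversionStatus -ne 0) {
    Write-Log "ConversionStatus on $OsDrive is $($vol.ConversionStatus); encryption already started."
    exit 0
}

# 3. With "Do not enable BitLocker until recovery information is stored to AD DS" enabled,
#    adding the recovery password fails when no DC is reachable, so fail early and clearly
#    (a laptop booting at home is simply retried at its next startup on the network).
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    Write-Log "Domain $domain reachable; proceeding."
} catch {
    Write-Log "No domain controller reachable ($($_.Exception.Message)); will retry at next startup."
    exit 1
}

# 4. Protectors: the TPM unlocks the drive at boot, the recovery password is what AD escrows.
#    The GPO backs the password up to AD as soon as the protector is created.
if ((Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-tpm')) -ne 0) {
    Write-Log 'Adding the TPM protector failed.'; exit 1
}
if ((Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-recoverypassword')) -ne 0) {
    Write-Log 'Adding the recovery password protector failed (AD backup refused?).'; exit 1
}

# 5. Belt and braces: re-push every numerical-password protector (type 3) to AD and check
#    the result, because a key that never reached AD is a laptop you cannot recover.
foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {
    if ((Invoke-ManageBde @('-protectors', '-adbackup', $OsDrive, '-id', $id)) -ne 0) {
        Write-Log "AD backup of protector $id failed; not starting encryption."; exit 1
    }
}

# 6. Start encrypting. Without -SkipHardwareTest, manage-bde schedules a reboot-and-test
#    first; skipping it lets an unattended machine begin encrypting immediately.
if ((Invoke-ManageBde @('-on', $OsDrive, '-skiphardwaretest')) -ne 0) {
    Write-Log 'manage-bde -on failed.'; exit 1
}
Write-Log "BitLocker encryption started on $OsDrive."
```

Deploy it as a computer startup script in the same GPO that carries the BitLocker settings (Computer Configuration > Policies > Windows Settings > Scripts, launching `powershell.exe -ExecutionPolicy Bypass -File <path on SYSVOL>`), or as a scheduled task if you want machines that booted off the network to retry without waiting for the next restart. The ProtectionStatus and ConversionStatus checks make it safe to run on every boot: an already-encrypted or already-encrypting laptop exits without touching anything. Afterwards, `manage-bde -status` on the client and the computer object's BitLocker Recovery tab in Active Directory Users and Computers are the two places to confirm the rollout actually landed.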