BitLocker GPO's and rollout
I am currently playing with BitLocker here at work and have got all of the scripts and things done so that I can back up the information to AD. I admit though that I have not read up on this topic fully yet and wondered if I am going wrong somewhere.
Currently I have it set up so that:
1) I can MDT a machine and choose it to set up BitLocker, and this installs the recovery key to AD.
2) I also have tested running a command line manage-bde / PowerShell command to force a machine that had been set up with BitLocker previously to also store its details in AD.
Where I am struggling is this: what if I have 10 laptops in an OU with no BitLocker enabled? How would I automate BitLocker without rebuilding or manually starting BitLocker? I have applied the group policy that I used for the above, which pulls the TPM stuff into AD and also sets up how to deal with the OS disk etc. What I cannot seem to do is to actually get it to TURN ON BitLocker itself and kick off the encryption.
It would be nice to apply the BitLocker GPO to a laptop OU and come back later and they are all encrypting (assuming TPM etc. is on in the BIOS). At the moment I apply the policy to the OU and go back and BitLocker is still off. Is this normal? Is there a way to do what I want to do?
My current GPO settings are using the 2 options below and the options within each:
Turn on TPM backup to Active Directory Domain Services: Enabled
    Require TPM backup to AD DS: Enabled
    (If selected, cannot set or change TPM owner password if backup fails (recommended default). If not selected, can set or change TPM owner password even if backup fails. Backup is not automatically retried.)
Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information:
        Allow 48-digit recovery password
        Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Disabled
    Save BitLocker recovery information to AD DS for operating system drives: Enabled
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
Any advice would be appreciated.
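The GPO settings listed in the post only control how BitLocker behaves once something turns it on; the actual enablement still has to be triggered on each machine. The script below is an added example, not code from the original post, of a startup script that does that step: it checks the TPM, adds a recovery password protector, backs it up to AD DS (which satisfies the "Do not enable BitLocker until recovery information is stored to AD DS" setting), and only then adds the TPM protector and starts encryption. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later), a domain-joined machine where the GPO above applies, and the OS drive at C:; the log path is a placeholder.

```powershell
# Added example: unattended BitLocker enablement for an OS drive, intended to run
# as a computer Startup script (SYSTEM) under the GPO described in the post.
# Assumptions: BitLocker and TrustedPlatformModule modules present, TPM enabled in
# firmware, domain-joined so Backup-BitLockerKeyProtector can reach AD DS.
$MountPoint = 'C:'
$LogPath    = 'C:\Windows\Temp\bitlocker-rollout.log'   # placeholder path

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

# 1. Skip machines whose TPM is not usable; they need firmware work, not a retry loop.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Log "TPM not present or not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); skipping."
    exit 0
}

# 2. Idempotency: if the drive is already protected or encrypting, do nothing.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Log "$MountPoint already in state $($vol.VolumeStatus); nothing to do."
    exit 0
}

try {
    # 3. Create the recovery password protector first. The policy in the post
    #    refuses to enable BitLocker until this protector is stored in AD DS.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1

    # 4. Escrow the recovery password to the computer object in AD DS
    #    (same result as 'manage-bde -protectors -adbackup C: -id {GUID}').
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Log "Recovery password $($rp.KeyProtectorId) backed up to AD DS."

    # 5. Now add the TPM protector and start encryption. -SkipHardwareTest avoids
    #    the extra reboot-and-verify cycle; -UsedSpaceOnly is much faster on new
    #    builds and is a reasonable default for freshly deployed laptops.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 `
                     -UsedSpaceOnly -SkipHardwareTest
    Write-Log "BitLocker enabled on $MountPoint; encryption in progress."
}
catch {
    # A failed AD backup or a protector error leaves the drive decrypted, which is
    # the safe outcome: no recovery password means no encryption should start.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Deploying this as a Startup script (or scheduled task) scoped to the laptop OU gives the "apply the GPO and come back later" behaviour the post is after: the GPO supplies the recovery and escrow rules, the script supplies the trigger. Progress can be confirmed later with `Get-BitLockerVolume` or `manage-bde -status`, and the escrowed password should be visible on each computer object's BitLocker Recovery tab in Active Directory Users and Computers.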