Introduction

Activating BitLocker on a computer is relatively straightforward. The challenge in a corporate setting will be:

  • Configuring Active Directory to save the BitLocker keys.
  • Activating or configuring the TPM chips.
  • Activating BitLocker using a script.

In this post, we will go through the various steps for activating BitLocker on workstations.

Active Directory Configuration

Features Bitlocker install

Installation to be carried out on all workstations managing the BitLocker keys (In addition to the “Users and Computers Active Directory” console).

  • Install with powershell
Install-WindowsFeature -Name "RSAT-Feature-Tools-BitLocker","RSAT-Feature-Tools-BitLocker-RemoteAdminTool","RSAT-Feature-Tools-BitLocker-BdeAducExt"
  • or Install manually

Active Directory Delegation

A delegation is necessary to view the BitLocker keys. We will delegate to a global group in the AD; in our example, it will be “SupportNiveau2”.

  • Launch the “Active Directory Users and Computers” console.
  • Select the “Delegate Control” option.
  • Sélectionnez le groupe
  • Select the option to create a custom task.
  • Select the object named : MSFVE-RECOVERYINFORMATION
  • Select full control.

Creation of the GPO to configure BitLocker (on our computer).

The GPO allows you to specify that the keys should be stored in the AD and the default settings of BitLocker. Creating the GPO will not activate BitLocker on the workstations, so you can set up this GPO at the beginning of your project.

  • Create a new GPO with Group Policy Management (gpmc.msc) and link it to an OU where your computers are located.
  • select a name for the GPO

  • “Computer Configuration” \ “Administrative Templates” \ “Windows Components” \ “Bitlocker Drive Encryption”
    • Store Bitlocker recovery information in Active Directory Domain Services
      • Enable
  • “Computer Configuration” \ “Administrative Templates” \ “Windows Components” \ “Bitlocker Drive Encryption”
    • Choose drive encryption mothod and cipher strength
      • Enable => Configurer la méthode de cryptage
  • “Computer Configuration” \ “Administrative Templates” \ “Windows Components” \ “Bitlocker Drive Encryption” \ “Operating System Drives”
    • Enforce drive encryption type on operating system drivers
      • Enable => Use Space only encryption
  • “Computer Configuration” \ “Administrative Templates” \ “Windows Components” \ “Bitlocker Drive Encryption” \ “Operating System Drives”
    • Choose how Bitlocker-protected operating system drives can be recovered
      • Enable
        • Save Bitlocker recovery information to AD DS for operating system drives
        • Store recovery passwords and key packages

Computers Requirements

Management of TPM chips.

In most cases, TPM chips are already activated on computers, especially with TPM 2.0 chips.

  • Activating the TPM chips is a prerequisite for enabling BitLocker.

UEFI Computer

It is recommended that the computer be in UEFI mode. This has become mandatory since Windows 11, but care must be taken with older Windows 10 machines.

Here is a script to detect UEFI mode.

BitLocker Activation

Manually

From the file explorer, you can enable or disable BitLocker.

By script

Warning: If the computer has a pending reboot, it’s better to wait before activating BitLocker. The BitLocker Suspend mode can be poorly managed in some cases.

Here is an example of an activation script for BitLocker.

Function Get-PendingReboot {
	$isReboot = $False
	if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired") { $isReboot = $True }
	if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations")       { $isReboot = $True }
	if (Test-Path "HKLM:\SOFTWARE\WOW6432Node\LANDesk\managementsuite\WinClient\VulscanReboot")               { $isReboot = $True }
	if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending")  { $isReboot = $True }
	Return $isReboot
}

# ******************** Encrypt Volume ***************************
if (((Get-tpm).TpmReady -eq $True) -and (Get-PendingReboot -eq $false)) {
	# ******************* C drive *******************************
	# Encrypt volume C
	If ($StateC -eq "FullyDecrypted") {
		Write-host "Enable Bitlocker on C Drive"
		add-bitlockerKeyProtector -mountPoint "C:" -TpmProtector
		Enable-BitLocker -mountPoint "C:" -EncryptionMethod XtsAes128 -RecoveryPasswordProtector -SkipHardwareTest -ErrorAction SilentlyContinue
	}	
}

The complete script for activating BitLocker is available. : https://github.com/DavidWuibaille/Repository/tree/main/Windows/Windows11/ActivateBitlocker

If BitLocker is already activated

If BitLocker was activated before the implementation of the GPO, you can force the key registration in PowerShell.

	$BLV = Get-BitLockerVolume   -MountPoint "C:"
	Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

Retrieval of the BitLocker key.

From the “Active Directory Users and Computers” console, the BitLocker key will be available.

If a problem occurs on the computer, it will ask for the decryption key.


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.