Setting up Bitlocker to trigger if not connected to domain/network

Bash M 1 Reputation point
2022-05-19T16:31:15.427+00:00

Hello everyone,

I'm a fairly new System Admin at my organization and fairly new to the role altogether, and I have been given the task of deploying Bitlocker to all of our computers. They all run Windows 10 Pro 19043, so I don't think that should be a problem. I have been working on creating a group policy to apply Bitlocker to all of our computers, and I was able to set them up to send their recovery codes and passwords to our AD DS when Bitlocker turns on. I know Bitlocker triggers when there's a hardware or a firmware change to the computer, but I would also like to set it up so that it triggers if the computer turns on and it's not connected to our ou/domain/network. Is that doable? Any help is greatly appreciated, and also please don't hesitate to over-explain your answer because I'm still learning. Thank you.


1 answer

  1. MTG 1,196 Reputation points
    2022-05-20T13:31:54.637+00:00

    Hi.

    "Bitlocker being triggered" is the wrong term. What happens when you update your BIOS/UEFI is that the TPM will detect a change and not release the key.
    You want that to happen when the machine is away from the company network, and yes, that is doable.
    The feature is called Bitlocker Network Unlock. It requires certain hardware features, namely UEFI DHCP.
    See https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

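Before rolling Network Unlock out by Group Policy, it helps to confirm on a client that the prerequisites the answer names (UEFI firmware, a working TPM, domain membership, a TPM-based key protector on the OS volume, and a wired adapter for UEFI DHCP) are actually in place. The script below is an added example written for this thread; it is not part of the original answer or of Microsoft's documentation. It assumes it is run in an elevated PowerShell session on a Windows 10 client where the built-in `BitLocker` and `TrustedPlatformModule` modules are available, and it only checks the client side (the WDS server, the Network Unlock certificate and the policy itself are not inspected). The function name `Test-NetworkUnlockClientReadiness` is an invented name for this example.

```powershell
# Added example for this thread, not code from the original answer.
# Client-side readiness check for BitLocker Network Unlock.
# Assumptions: elevated session on Windows 10 Pro with the BitLocker and
# TrustedPlatformModule PowerShell modules (both ship with Windows 10 Pro).
# The function name is invented for this example.
function Test-NetworkUnlockClientReadiness {
    [CmdletBinding()]
    param(
        # OS volume to inspect; Network Unlock only ever unlocks the OS volume.
        [string]$MountPoint = $env:SystemDrive
    )

    $result = [ordered]@{}

    # Network Unlock needs UEFI firmware with a DHCP-capable network stack;
    # Windows exposes the boot mode through the firmware_type variable.
    $result.Firmware = $env:firmware_type
    $result.IsUefi   = ($env:firmware_type -eq 'UEFI')

    # The TPM is what refuses to release the volume key after a measured-boot
    # change (what the question calls BitLocker "triggering"), so it must be
    # present and ready.
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady

    # The client must be domain-joined to obtain the network key from WDS.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # UEFI DHCP is wired-only, so report whether a physical Ethernet adapter exists.
    $wired = Get-NetAdapter -Physical | Where-Object { $_.MediaType -eq '802.3' }
    $result.HasWiredAdapter = [bool]$wired

    # Current BitLocker state of the OS volume and which protectors it carries.
    # Network Unlock supplements a TPM (or TPM+PIN) protector; a recovery
    # password should also exist so the AD DS escrow described in the question
    # has something to store.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $result.VolumeStatus        = $vol.VolumeStatus
    $result.ProtectionStatus    = $vol.ProtectionStatus
    $result.KeyProtectors       = ($types -join ',')
    $result.HasTpmProtector     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    $result.HasRecoveryPassword = ($types -contains 'RecoveryPassword')

    # Overall verdict: every hard client-side prerequisite satisfied.
    $result.ClientReady = $result.IsUefi -and $result.TpmPresent -and $result.TpmReady -and
                          $result.DomainJoined -and $result.HasWiredAdapter -and
                          $result.HasTpmProtector

    return [pscustomobject]$result
}

# Usage: run on one pilot machine and read the ClientReady column before
# scoping the "Allow network unlock at startup" policy to the OU.
Test-NetworkUnlockClientReadiness | Format-List
```

Any `$false` in the output points at the prerequisite to fix first; a machine that is Legacy BIOS, has no ready TPM, or is wireless-only will never complete Network Unlock regardless of policy and will simply prompt for the recovery key or PIN at boot, which is the fallback behaviour the documentation link above describes.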