Bitlocker when joining domain

LoKkY 211 Reputation points
2020-09-29T16:25:56.623+00:00

Hi,

I'm trying to activate bitlocker automatically when joining machines to the domain, but it doesn't do anything. Everything seems to work fine in the following two cases:

  • If I activate it manually, it works perfectly and copies the key to AD.
  • If the computer already had BitLocker before joining the domain, I manually use the manage-bde -protectors commands and it works perfectly and saves the key in AD.

I think I am missing some gpo or some configuration so that the process starts by itself, but I don't know which one.

The functional level of the domain is 2008 R2 and the GPOs I have configured are the following:

Store BitLocker recovery information in Active Directory Domain Services
BitLocker Drive Encryption - Enforce drive encryption type on operating system drives
BitLocker Drive Encryption - Choose how BitLocker-protected operating system drives can be recovered

Computers: Windows 10 1909

Thanks!!!!


3 additional answers

  1. Kapil Arya 7,406 Reputation points MVP
    2020-09-30T05:51:13.823+00:00

    Hello,

    While you configure Choose how Bitlocker-protected operating system drives can be recovered setting, make sure you uncheck Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option.

    Regards.


  2. Joy Qiao 4,876 Reputation points Microsoft Employee
    2020-09-30T05:51:25.057+00:00

    Hi,

    If BitLocker was enabled before the machine joined the domain, the recovery key is not backed up to AD DS automatically. This is expected behavior.

    So if BitLocker was enabled before joining the domain, we need to use the manage-bde command line to back up the recovery information to AD DS manually:

    Here is a script for reference:

    # Read the BitLocker state of the OS volume (usually C:)
    $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # Select the recovery password protector(s); this is the protector that AD DS stores
    $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow the recovery password to AD DS (the same thing manage-bde -protectors -adbackup does)
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
    # Optionally escrow it to Azure AD as well (only meaningful on Azure AD joined or hybrid joined devices)
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID

    For more information, please refer to: What if BitLocker is enabled on a computer before the computer has joined the domain?

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. LoKkY 211 Reputation points
    2020-09-30T07:35:12.607+00:00

    Thank you very much for the answers!!!

    KapilArya: The Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option is unchecked in GPO.

    JoyQiao-MSFT: The case you describe works without problems: when a machine already had it before, I use the commands you mention and it works well. The problem is the newly installed machines without BitLocker.
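For the remaining case in this thread, a newly installed domain-joined machine with no BitLocker at all, the following script (added here as an example; it is not code from either poster) does in PowerShell what LoKkY reports doing by hand: it adds a recovery password protector, enables BitLocker on the OS drive with the TPM, and escrows the recovery password to AD DS. The cmdlets are from the built-in BitLocker and TrustedPlatformModule modules; the FVE registry value names used to check that the AD DS backup policy has applied are my assumption from the VolumeEncryption ADMX and should be verified on your build.

```powershell
#Requires -RunAsAdministrator
# Enable BitLocker on the OS drive of a domain-joined machine and escrow the
# recovery password to AD DS. Intended to run from a startup script or a
# scheduled task after the machine has joined the domain and refreshed policy.

function Test-AdBackupPolicy {
    # Assumption: the "Store BitLocker recovery information in AD DS" policy
    # for OS drives writes OSActiveDirectoryBackup=1 under this key.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.OSActiveDirectoryBackup -eq 1)
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Machine is not domain-joined; AD DS backup would fail.'
    }
    if (-not (Test-AdBackupPolicy)) {
        Write-Warning 'AD DS backup policy not applied yet; run gpupdate /force first.'
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM missing or not ready; a TPM protector cannot be used.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
        # Create the recovery password before encryption starts so it is
        # available for escrow immediately; Enable-BitLocker takes one
        # protector type at a time, so the TPM protector is added with it.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }

    # Escrow every recovery password protector to AD DS; this is the same step
    # the manual manage-bde -protectors -adbackup fix performs.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw 'No recovery password protector found on the OS drive.' }
    foreach ($kp in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint)
}

Enable-OsDriveBitLocker | Select-Object MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
```

After it runs, confirm the escrow on a domain controller by checking the msFVE-RecoveryInformation child object under the computer account.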