Bitlocker when joining domain

asked 2020-09-29T16:25:56.623+00:00
LoKkY 211 Reputation points

Hi,

I'm trying to activate BitLocker automatically when joining machines to the domain, but it doesn't do anything. Everything seems to work fine in the following two cases:

  • If I activate it manually it works perfectly and copies the key to AD
  • If the computer already had BitLocker before joining the domain, I manually use the manage-bde -protectors commands and it works perfectly and saves the key in AD

I think I am missing some GPO or some configuration so that the process starts by itself, but I don't know which one.

The functional level of the domain is 2008 R2 and the GPOs I have configured are the following:

Store BitLocker Recovery information in Active Directory Domain Services
BitLocker Drive Encryption - Enforce drive encryption type on operating system drives
BitLocker Drive Encryption - Choose how BitLocker-protected operating system drives can be recovered

Computers: Windows 10 1909

Thanks!!!!

  1. answered 2020-09-30T05:51:13.823+00:00
    Kapil Arya 5,531 Reputation points Microsoft MVP

    Hello,

    While you configure Choose how Bitlocker-protected operating system drives can be recovered setting, make sure you uncheck Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option.

    Regards.


  2. answered 2020-09-30T05:51:25.057+00:00
    Joy Qiao 4,766 Reputation points Microsoft Employee

    Hi,

    If BitLocker was enabled before the computer joined the domain, the recovery key is not automatically backed up to AD DS. This is expected behavior.

    So if BitLocker was enabled before joining the domain, we need to use the manage-bde command line to back up the recovery information manually to AD DS:

    Here is a script for reference:

    # Look up the OS volume and its recovery password protector(s); the recovery
    # password is the protector type that AD DS (and Azure AD) escrow.
    $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $RecoveryProtectors = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # -KeyProtectorId takes a single ID, so back up each recovery protector in turn
    # rather than passing the whole collection at once.
    foreach ($RecoveryProtector in $RecoveryProtectors) {
        # Escrow in AD DS (needs the "Store BitLocker recovery information in AD DS" GPO)
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
        # Escrow in Azure AD as well (only meaningful on Azure AD-joined or hybrid-joined devices)
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
    }

    For more information, please refer to: What if BitLocker is enabled on a computer before the computer has joined the domain?


  3. answered 2020-09-30T07:35:12.607+00:00
    LoKkY 211 Reputation points

    Thank you very much for the answers!!!

    KapilArya: The Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option is unchecked in GPO.

    JoyQiao-MSFT: The case that you say works without problems. When a machine already had it before, I use the commands you say and it works well. The problem is the newly installed machines without bitlocker.
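For the remaining case in this thread, newly installed machines that have no BitLocker yet, the GPOs above only set policy; something still has to create the protectors and start encryption. The following PowerShell is an added example (not from any of the posts above) of that step for the OS drive: it assumes a ready TPM, an elevated context such as a GPO startup script running as SYSTEM, and that the "Store BitLocker recovery information in AD DS" GPO is applied so the escrow succeeds.

```powershell
# Added example: enable BitLocker on the OS drive of a freshly domain-joined machine
# and escrow the recovery password in AD DS before encryption starts.
# Assumptions: TPM present and ready, elevated/SYSTEM context, AD DS escrow GPO applied.
$OsDrive = $env:SystemDrive

# Refuse to continue without a ready TPM; the TPM protector cannot be created otherwise.
$Tpm = Get-Tpm
if (-not ($Tpm.TpmPresent -and $Tpm.TpmReady)) {
    throw "TPM not present or not ready on $env:COMPUTERNAME; BitLocker not enabled."
}

$Volume = Get-BitLockerVolume -MountPoint $OsDrive

# Step 1: make sure a recovery password protector exists (this is what AD DS stores).
$Recovery = $Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $Recovery) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $Volume   = Get-BitLockerVolume -MountPoint $OsDrive
    $Recovery = $Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Step 2: escrow every recovery password in the computer object before encrypting,
# so a machine that later needs recovery always has its key in AD DS.
foreach ($Protector in $Recovery) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $Protector.KeyProtectorId
}

# Step 3: start encryption with a TPM protector if the drive is still clear text.
# No -UsedSpaceOnly here, so the "Enforce drive encryption type" GPO decides the method.
if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector -SkipHardwareTest | Out-Null
}

# Step 4: report the resulting state for the startup-script log.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The escrow in step 2 is what the manage-bde -protectors commands in the question do by hand; running it before Enable-BitLocker also keeps the script compatible with the "Do not enable BitLocker until recovery information is stored in AD DS" option if it is later turned on.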