If you don't have access to MBAM, use the script from my article:
https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D
Bitlocker when joining domain
Hi,
I'm trying to activate bitlocker automatically when joining machines to the domain, but it doesn't do anything. Everything seems to work fine in the following two cases:
- If I activate it manually it works perfect and copies the key to the AD
- If the computer already had BitLocker before joining the domain, I manually use the manage-bde -protectors commands and it works perfectly and saves the key in AD
I think I am missing some gpo or some configuration so that the process starts by itself, but I don't know which one.
The functional level of the domain is 2008 R2 and the gpo that I have configured are the following:
Store Bitlocker Recovery information in Active Directory Domain Services
Bitlocker Drive Encryption - Enforce drive encryption type on operating system
Bitlocker Drive Encryption - Choose how Bitlocker-protected operating system drives can be recovered
Computers: Windows 10 1909
Thanks!!!!
-
MTG Marinetechnik 356 Reputation points
2020-09-30T14:54:13.623+00:00
-
Kapil Arya 7,756 Reputation points MVP
2020-09-30T05:51:13.823+00:00 Hello,
While you configure Choose how Bitlocker-protected operating system drives can be recovered setting, make sure you uncheck Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option.
Regards.
-
Joy Qiao 4,886 Reputation points Microsoft Employee
2020-09-30T05:51:25.057+00:00 Hi,
If BitLocker was enabled before the computer joined the domain, the recovery key is not backed up to AD DS automatically. This is expected behavior.
So if BitLocker was enabled before joining the domain, we need to use the manage-bde command line (or the BitLocker PowerShell cmdlets) to back up the recovery information to AD DS manually:
Here is a script for reference:
# Locate the recovery password protector on the OS drive. If the drive has more than one
# recovery password protector, $RecoveryProtector is an array and each one must be backed up separately.
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Back the recovery password up to AD DS (domain-joined computer) ...
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
# ... or to Azure AD (Azure AD-joined or registered computer).
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId
For more information, please refer to: What if BitLocker is enabled on a computer before the computer has joined the domain?
-
LoKkY 211 Reputation points
2020-09-30T07:35:12.607+00:00 Thank you very much for the answers!!!
KapilArya: The Do not enable BitLocker until recovery information is stored in AD DS for operating system drives option is unchecked in GPO.
JoyQiao-MSFT: The case you describe works without problems. When a machine already had it before, I use the commands you mention and it works well. The problem is the newly installed machines without BitLocker.
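Added example, not part of the original thread or any answer in it: the three policies listed in the question ("Store BitLocker recovery information in AD DS", "Enforce drive encryption type", "Choose how ... operating system drives can be recovered") govern what happens once BitLocker is turned on; none of them starts encryption on a freshly installed machine. Something still has to call Enable-BitLocker (or manage-bde -on), which is what MBAM, Intune or a startup script does, and the article linked at the top of the page is one such script. The script below is one way to do that for the OS drive and escrow the recovery password in AD DS; it is written here for illustration and assumes a TPM, a domain-joined Windows 10 machine with the BitLocker module, an elevated context such as a Group Policy computer startup script, and the FVE policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE as noted in the comments.

```powershell
# Added example (not from the original thread). Enable BitLocker on the OS drive of a
# newly installed, domain-joined Windows 10 machine and escrow the recovery password in AD DS.
# Assumes: TPM present and ready, domain-joined, run elevated (e.g. as a computer startup script).
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive

# 1. Preconditions. Backup to AD DS only makes sense on a domain-joined machine,
#    and the TPM protector needs a TPM that is present and ready.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not domain joined; the recovery password cannot be backed up to AD DS."
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; cannot add a TPM protector.'
}

# 2. Read the BitLocker policy the GPOs wrote (assumed value names, see lead-in):
#    OSActiveDirectoryBackup        = 1 -> save OS drive recovery info to AD DS
#    OSRequireActiveDirectoryBackup = 1 -> "Do not enable BitLocker until recovery information is stored in AD DS"
#    OSEncryptionType               = 1 full / 2 used space only ("Enforce drive encryption type")
$fvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fvePolicyPath) { Get-ItemProperty -Path $fvePolicyPath } else { $null }
if (-not $pol -or $pol.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'Policy does not request AD DS backup for OS drives; check the "Store BitLocker recovery information" GPO.'
}
if ($pol -and $pol.OSRequireActiveDirectoryBackup -eq 1) {
    Write-Warning 'Policy blocks enabling BitLocker until the key is escrowed; Enable-BitLocker will fail if the DC is unreachable.'
}
$usedSpaceOnly = [bool]($pol -and $pol.OSEncryptionType -eq 2)

# 3. Turn BitLocker on with a TPM protector if the OS drive is still plain text.
#    -SkipHardwareTest starts encryption without the extra reboot for the TPM hardware test.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -SkipHardwareTest -UsedSpaceOnly:$usedSpaceOnly | Out-Null
    Write-Output "BitLocker enabled on $osDrive (UsedSpaceOnly=$usedSpaceOnly)."
}

# 4. Make sure there is a recovery password protector; that is the object AD DS stores,
#    the TPM protector itself is never escrowed.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# 5. Escrow every recovery password protector. Each one becomes an msFVE-RecoveryInformation
#    object under the computer account; -KeyProtectorId takes one ID at a time, hence the loop.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Output "Backed up recovery protector $($rp.KeyProtectorId) to AD DS."
}

# 6. Report the final state so the log of the startup script shows what happened.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

To confirm the escrow from an admin workstation with RSAT, look for msFVE-RecoveryInformation objects under the computer account, for example Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer PCNAME).DistinguishedName -Properties msFVE-RecoveryPassword. If step 5 is rejected, the usual causes are an AD schema that has not been extended for BitLocker or a computer account that lacks permission to create child objects, neither of which the GPO settings on the page can fix.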