BitLocker GPO

Bilal ELAMRANI 1 Reputation point
2021-02-09T14:08:13.743+00:00

Hi All,

It was my understanding that after you configured the GPOs for BitLocker you still needed to manually enable BitLocker on each machine. I am seeing the opposite: when I enable the BitLocker Drive Encryption Policy and run a gpupdate on that laptop (Dell Win 10 Pro), it automatically turns it on. I have the following GPO settings enabled:

Turn on TPM backup to Active Directory Domain Services - enabled
Require BitLocker backup to AD DS - Enabled
Store BitLocker recovery information in Active Directory Domain Services - Enabled
Allow data recovery agent - Enabled
Choose how BitLocker-protected fixed drives can be recovered - Enabled
Choose how BitLocker-protected operating system drives can be recovered - Enabled

Does anyone know why this is happening, or is this something new/expected? Thanks.


2 answers

  1. Vicky Wang 2,731 Reputation points
    2021-02-10T08:30:32.643+00:00

    Hi,
    Thank you for posting in our forum.
    Are the steps and methods you disabled the same as the steps below?

    Although Windows makes it possible to manually enable BitLocker encryption for a storage device, BitLocker can also be enabled and configured through the use of group policy settings. This is particularly useful for organizations who have a compliance mandate to enable BitLocker encryption for all endpoint devices.

    You can access the BitLocker settings by opening the Group Policy editor and then navigating through the console tree to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption. The BitLocker Drive Encryption folder contains ten configurable settings, as well as three subfolders, each of which contain additional settings. You can see the primary collection of settings in Figure

    Reference: https://specopssoft.com/blog/group-policy-configure-bitlocker/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best wishes
    Vicky


  2. DonPick 1,266 Reputation points
    2021-02-10T10:27:29.467+00:00

    Dell and Dynabook auto-encrypt by default if conditions are met, other brands probably do too (Lenovo do, in my experience). Maybe your expectations are reversed?

    https://www.dell.com/support/kbdoc/en-au/000124701/automatic-windows-device-encryption-bitlocker-on-dell-systems

    https://aps2.support.emea.dynabook.com/kb0/TSB0503YP0001R01.htm

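To tell which of the two explanations in this thread applies on a given laptop, the following PowerShell diagnostic compares the real state of the OS volume with the BitLocker values Group Policy has written and with the switch that controls automatic device encryption. It is an added example, not part of either answer above. It assumes an elevated prompt on the affected Windows 10 machine; the `PreventDeviceEncryption` value and the BitLocker Management event log are standard Windows items that the thread itself does not mention.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell prompt.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Actual state of the OS volume and the key protectors on it.
$os | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
$os.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. BitLocker values delivered by Group Policy (the settings listed in the question
#    land under this key once gpupdate has applied them).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $policyKey) {
    (Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object Name -NotLike 'PS*' |      # drop the provider's own PS* properties
        Format-Table Name, Value -AutoSize
} else {
    "No BitLocker policy values found under $policyKey"
}

# 3. Opt-out switch for automatic device encryption. A value of 1 blocks it;
#    absent or 0 leaves Windows free to encrypt on eligible hardware.
$ctlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$prevent = (Get-ItemProperty -Path $ctlKey -Name PreventDeviceEncryption `
                -ErrorAction SilentlyContinue).PreventDeviceEncryption
if ($prevent -eq 1) {
    'Automatic device encryption is blocked (PreventDeviceEncryption = 1)'
} else {
    'Automatic device encryption is not blocked on this machine'
}

# 4. Recent BitLocker management events, oldest first, to compare the time
#    encryption started with the time gpupdate was run.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Message -Wrap
```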
