This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 93%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Could someone explain to me what GPO I would have to setup for my Bitlocker Policy that would allow me to start encrypting on any given machine from AD when I want it to encrypt. I would rather do this so that machines dont start automatically encrypting once I add them to the Bitlocker Policy that I already have setup in AD. Any feedback would help
@RockmanIT
Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
@RockmanIT
Hi,
Based on my research, if you don't have something like SCCM\Intune\MBAM also set to encrypt the devices, Group Policy alone isn't able to BitLocker a machine.
Of the available GPO settings, the one that is arguably the most important to configure is Store BitLocker Recovery Information in Active Directory Domain Services.
If the machines start encrypting automatically, that are "Connected Standby" devices will automatically enable BitLocker during setup or OOBE (even if automated), so depending on the machines in question this could be expected behavior.
Hope above information can help you.
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
If you have MBAM, use it. Else, use task scheduler and batch. See my article: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D