Enabling Bitlocker via GPO

Bob Pants 156 Reputation points

I need to enable BitLocker in an on-prem AD environment. I've set up a GPO with typical settings, with upload key to AD, etc.

I am finding that some devices are enabling BitLocker automatically, some aren't. All the newer 20H2 builds seem to be enabling automatically, but not so much the older ones. I know this can be scripted, but I'd prefer to let the GPO do the work if possible.

Just wanted to know what the difference between the versions is (all are Win10 Pro of various builds) and why it works automatically on 20H2 but not 1908, for example.


Accepted answer
  1. Limitless Technology 37,781 Reputation points

    Hello @MikeLehmann-8939

    Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).

    BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.

    It works automatically on 20H2 but not 1908 for example because TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.

    Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the Status heading. You can also run Get-TPM in PowerShell to get more details about the TPM on the current computer.

    For a further idea on BitLocker Group Policy settings


    Hope this answers all your queries; if not, please do post back.
    If an answer is helpful, please click "Accept Answer" and upvote it : )



3 additional answers

  1. Bob Pants 156 Reputation points

    The issue I face now is that most of the users are WFH. I have a GPO that enables BitLocker, and it also installs a scheduled task to run the script on those that it doesn't automatically activate on, but this doesn't work well if the computer isn't always connected to the network. By the time the user logs on and starts the VPN, the scheduled task has already been and gone, and it won't enable BitLocker unless the recovery key can be backed up to AD.
    Is there a better solution for remote clients? I don't really want to be running the enable-BitLocker script on the computers every hour in case they connect to VPN at some point.


  2. MTG 991 Reputation points

    "this doesn't work well if the computer isn't connected to the network always" - set the task option as my screenshot shows, but instead of "any connection" use your domain connection and combine it with the option (see screenshot 2) "Run the task as soon as possible after a scheduled start is missed".
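As an added illustration of the scheduled-task script discussed in Bob's follow-up and MTG's reply (this is not code from the thread or from Microsoft), the script body below is written so that it can be rerun safely on every trigger: it refuses to turn BitLocker on until the TPM is ready and the recovery password has actually been escrowed to AD DS, which is the failure mode when the VPN is not up yet. It assumes a domain-joined Windows 10 Pro client, the BitLocker GPO set to back recovery information up to AD DS, and an elevated task context; `Test-DomainReachable` and `$MountPoint` are names chosen for this example.

```powershell
# Hypothetical task body (added example, not from the thread). Safe to rerun:
# exits non-zero without changing anything until AD DS is reachable.
$MountPoint = 'C:'

function Test-DomainReachable {
    # Test-ComputerSecureChannel throws when no domain controller can be
    # contacted, which is exactly the "VPN not started yet" case.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

# 1. Nothing to do if the OS volume is already protected.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') { Write-Output 'BitLocker already on'; exit 0 }

# 2. Preconditions from the accepted answer: TPM present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'TPM absent or not ready (check UEFI/CSM settings); not enabling.'
    exit 1
}

# 3. Do not proceed until AD DS can receive the recovery password.
if (-not (Test-DomainReachable)) {
    Write-Warning 'Domain not reachable; leaving it for the next task run.'
    exit 1   # non-zero so task history shows the run did not complete
}

# 4. Add a recovery password protector, or reuse one a previous run created.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# 5. Escrow to AD DS first; -ErrorAction Stop aborts the script if the backup
#    fails, so no drive is ever encrypted without a recoverable key on record.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop

# 6. Only now turn encryption on with the TPM protector.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
```

Pairing this with the task conditions MTG describes (domain network connection plus "run as soon as possible after a scheduled start is missed") means the task fires once the VPN is up rather than on a blind hourly schedule.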

  3. MTG 991 Reputation points

    BL does not enable itself automatically unless a Microsoft account is in use, since only then can the recovery password be saved to the cloud. No MS account -> no cloud access -> no auto-BL. It's not inconsistent anywhere here.
