Bitlocker and GPOs and our deployment process


Kurt Buff
Oct 7, 2025, 6:21:00 PM
to ntsys...@googlegroups.com
All,

We've got over 160 laptops, and of those just over 100 don't have a BL key backed up to AD, in spite of the fact that we have a GPO that turns it on and saves the key to AD.

I've checked a couple of machines which lack a saved key via WinRM (get-bitlockervolume) and I see that they don't have BL enabled, but the GPO shows as applied when I run gpresult. 

All of our laptops are either recently upgraded from Win10 to Win11 or are Win11 replacements for Win10 machines.

So, two questions:
1) Any ideas why BL isn't getting turned on, and why the BL key isn't getting backed up? It has to be something in the deployment process (we use KACE for imaging), but I can't figure out what the helpdesk is doing.

2) How can I get BL going without hopping on a console session at each machine and working through the GUI?


Thanks,
Kurt

GPO settings are:
Windows Components/BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
     Enabled
     Select the encryption method for operating system drives:
        XTS-AES 128-bit (default)
     Select the encryption method for fixed data drives:
        XTS-AES 128-bit (default)
     Select the encryption method for removable data drives:
        AES-CBC 128-bit (default)
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
     Enabled
     Require BitLocker backup to AD DS
          Enabled
     Select BitLocker recovery information to store:
          Recovery passwords and key packages

Windows Components/BitLocker Drive Encryption/Operating System Drives
Choose how BitLocker-protected operating system drives can be recovered
     Enabled
     Allow data recovery agent
          Enabled
     Configure user storage of BitLocker recovery information:
          Allow 48-digit recovery password
          Allow 256-bit recovery key
     Omit recovery options from the BitLocker setup wizard
          Enabled
     Save BitLocker recovery information to AD DS for operating system drives
          Enabled
     Configure storage of BitLocker recovery information to AD DS:
          Store recovery passwords and key packages
     Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
          Enabled
Enforce drive encryption type on operating system drives
     Enabled
     Select the encryption type:
          Full Encryption
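An added example (not code from the thread) for the first half of the problem: finding which domain computers have no recovery password escrowed in AD. BitLocker recovery information is stored as msFVE-RecoveryInformation child objects under the computer object, so a computer with no such children never backed up a key. It assumes the RSAT ActiveDirectory module, read access to those objects (by default only Domain Admins can read them), and a placeholder OU path.

```powershell
# Audit AD for computers with no BitLocker recovery password escrowed.
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and
# read rights on msFVE-RecoveryInformation objects; the OU is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Laptops,DC=example,DC=com'   # placeholder, not from the thread
$StaleDays  = 30                                # skip machines that have not logged on recently
$cutoff     = (Get-Date).AddDays(-$StaleDays)

$computers = Get-ADComputer -SearchBase $SearchBase `
    -Filter 'OperatingSystem -like "Windows 1*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($c in $computers) {
    if ($c.LastLogonDate -and $c.LastLogonDate -lt $cutoff) { continue }

    # One child object per escrowed recovery password; its CN carries the
    # backup timestamp and the protector GUID, whenCreated the escrow time.
    $keys = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

    [pscustomobject]@{
        Computer  = $c.Name
        OS        = "$($c.OperatingSystem) $($c.OperatingSystemVersion)"
        LastLogon = $c.LastLogonDate
        KeysInAD  = @($keys).Count
        LatestKey = ($keys | Sort-Object whenCreated -Descending |
                     Select-Object -First 1).whenCreated
    }
}

# Machines with nothing escrowed are the ones to check with Get-BitLockerVolume
# (key never created, or created but never backed up) and then remediate.
$missing = $report | Where-Object KeysInAD -eq 0
"{0} of {1} active computers have no recovery password in AD" -f @($missing).Count, @($report).Count
$missing | Sort-Object Computer | Format-Table -AutoSize
```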

Michael B. Smith
Oct 7, 2025, 6:24:25 PM
to ntsys...@googlegroups.com

Using psexec or invoke-command, what does manage-bde -status have to say?

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce4BvCtNZK2iVkRu_JfyQQ1VdH10FJOeWcRfrZv4B1JtgQ%40mail.gmail.com.

Kurt Buff
Oct 7, 2025, 6:52:30 PM
to ntsys...@googlegroups.com
For one of the machines (Win11 23H2), it speaketh thusly:

manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 236.31 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found

Kurt

Michael B. Smith
Oct 7, 2025, 6:58:03 PM
to ntsys...@googlegroups.com

Well, you can read that as well as I can. It says BL isn’t on.

 

What does gpresult have to report?

Mike
Oct 7, 2025, 7:23:17 PM
to ntsys...@googlegroups.com
We went through this a long time ago, so I might be mis-remembering…

I don’t believe there are any GPOs that will turn BL on. You can set the options you want, enforce Recovery Key storage to AD, etc. but the actual BL enabling is manual. We made that a final step in our imaging process.

Henry Awad
Oct 7, 2025, 11:01:44 PM
to ntsys...@googlegroups.com
My Google search returned the following:

Yes, BitLocker can be enabled and managed through Group Policy, which allows for automated configuration of encryption, recovery methods, and startup authentication for all enrolled computers. You can configure settings like saving recovery keys to Active Directory, setting a default encryption method, and defining specific startup authentication requirements, though manual steps or scripts may be needed for initial deployment or silent encryption. 

Powershell script to enable Bitlocker:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector

-UsedSpaceOnly: Encrypts only the used space on the drive, which is faster for new drives. For existing drives with data, full encryption is recommended.


If you want to add a PIN for pre-boot authentication in addition to the TPM:
$SecureString = ConvertTo-SecureString "YourPinHere" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Henry Awad
Principal Engineer
Technology Services
The Catholic University of America

Markus Klocker
Oct 8, 2025, 12:54:28 AM
to ntsys...@googlegroups.com
How is Bitlocker initially enabled?
We do that by script because only the config comes by GPO.

    Markus

Wright, John M
Oct 8, 2025, 8:21:28 AM
to ntsys...@googlegroups.com

This is what I've found.  You can manage it via GP but not turn it on.  I'd suggest a script to reach out to them and turn it on.  Then you'll see the keys backed up.  But we've been doing what it says below.  Turn on BL as part of the prep/deployment.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike
Sent: Tuesday, October 7, 2025 7:23 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Bitlocker and GPOs and our deployment process

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

Secured by Check Point

Wright, John M
Oct 8, 2025, 8:22:14 AM
to ntsys...@googlegroups.com

I don’t know what the AI is referring to, unless it just means that you can use GP to run a script.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Henry Awad
Sent: Tuesday, October 7, 2025 11:01 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Bitlocker and GPOs and our deployment process

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

Secured by Check Point

 

My Google search returned the following:

Jim Behning
Oct 8, 2025, 8:40:11 AM
to ntsys...@googlegroups.com
I have a similar thing. We have the group policy set up to store keys. None of the old workstations delivered in June 2025 or before have Bitlocker turned on. The last three months of new workstations from HP and Lenovo have the encrypt hard drive turned on. One HP motherboard died. Junior IT got the Bitlocker key out of AD with Powershell so the repaired HP computer would work.

Thanks for the info so we can touch 300 plus computers to turn on Bitlocker. At least the last two batches of 100+ replacements had BL turned on by HP and Lenovo.

Wright, John M
Oct 8, 2025, 8:58:03 AM
to ntsys...@googlegroups.com

I don’t know what version of Win11 the PCs were imaged at, but it could be that the last two came with 24H2.  That would turn on BL automatically.  Those that are imaged at an earlier version and then upgraded require it to be turned on manually.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

Philip Elder
Oct 8, 2025, 3:45:36 PM
to ntsys...@googlegroups.com

Step 1: Enable the AD settings.

Step 2: Run PowerShell step for already set up machines to register in AD

 

CMD

Right click and Run As Administrator

manage-bde -protectors -get c:

manage-bde -protectors -adbackup c: -id "{ID-of-numeric-password}"

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Kurt Buff
Sent: Tuesday, October 7, 2025 16:21
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] Bitlocker and GPOs and our deployment process

 

All,

          Full Encryption 

 

--

Kurt Buff
Oct 8, 2025, 4:20:21 PM
to ntsys...@googlegroups.com
Replying to myself to consolidate replies:

- Yes, BL is turned off, I apparently forgot that the GPO will not turn it on. This seems to be a missing step for our helpdesk, and I'm applying some persuasion to get them to review their processes.

- Tried the suggestions from Henry and Philip, but it's not working for me - below is the WinRM session in which I tried both sets of commands - this machine is in a physically remote location (WA vs. MT), but has a DC:
image.png

Kurt

Michael B. Smith
Oct 8, 2025, 4:41:46 PM
to ntsys...@googlegroups.com

I think you need a recovery password based on the error and your GPO settings. E.g.:

 

$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force

Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly -RecoveryPassword $SecureString -RecoveryPasswordProtector

 


Sent: Wednesday, October 8, 2025 4:20 PM
To: ntsys...@googlegroups.com

Subject: [ntsysadmin] Re: Bitlocker and GPOs and our deployment process

Replying to myself to consolidate replies:

 

- Yes, BL is turned off, I apparently forgot that the GPO will not it on. This seems to be a missing step for our helpdesk, and I'm applying some persuasion to get them to review their processes.

 

- Tried the suggestions from Henry and Philip, but it's not working for me - below is the WinRM session in which I tried both sets of commands - this machine is in a physically remote location (WA vs. MT), but has a DC:

 

Kurt

 

--

You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.

Henry Awad
Oct 8, 2025, 4:49:26 PM
to ntsys...@googlegroups.com
Yes, it seems that the GPO is requiring the recovery password to be set before the encryption takes place according to the error message. You can either use Michael's method to include the recovery password or you can modify the GPO to not require it. 



Kurt Buff
Oct 8, 2025, 6:02:08 PM
to ntsys...@googlegroups.com
I tried specifying the secure string, but get the error message below, and ran across this while trying to figure this out:
The recovery password must be in a very specific format, and is not the same as the recovery key. The things I learn daily...

I believe that the recovery key config in the GPO is controlled here:
Windows Components/BitLocker Drive Encryption
   Select BitLocker recovery information to store: 
      Recovery passwords and key packages
and here:
Windows Components/BitLocker Drive Encryption/Operating System Drives
   Configure user storage of BitLocker recovery information:
      Allow 48-digit recovery password
      Allow 256-bit recovery key 
   Configure storage of BitLocker recovery information to AD DS: 
      Store recovery passwords and key packages

If I redo those settings to remove the recovery passwords, that should allow me to proceed, correct?

Kurt



image.png

Michael B. Smith
Oct 8, 2025, 6:10:33 PM
to ntsys...@googlegroups.com

Yes, I believe so (and I didn’t know that either).


Kurt Buff
Oct 8, 2025, 7:02:01 PM
to ntsys...@googlegroups.com
The alternatives for this setting:

Windows Components/BitLocker Drive Encryption/Operating System Drives

  Configure user storage of BitLocker recovery information:
      Allow 48-digit recovery password

are:
      Require 48-digit recovery password 
or
      Do not allow 48-digit recovery password

The explanatory text for this in the GPO states:
     In "Configure user storage of BitLocker recovery information" select whether 
     users are allowed, required, or not allowed to generate a 48-digit recovery 
     password or a 256-bit recovery key.

This seems to be the critical setting, but since it's only set to "Allow", not "Require", I am a bit baffled as to why I'm required to have the key when turning on BL.

Oh, well - it's late, so I'll pursue this tomorrow.

Kurt

Markus Klocker
Oct 9, 2025, 12:42:12 AM
to ntsys...@googlegroups.com
This is our setup which works fine:


Additionally you can enable startup PIN (complexity) where needed.

hth
    Markus

Kurt Buff
Oct 9, 2025, 2:54:23 PM
to ntsys...@googlegroups.com
There are some interesting differences between your config and ours. I suspect we're on different versions of the ADMX files - the outlined area in my screencap has different verbiage, and is not in the same place as yours. I'm ignoring for now the section on fixed drives, as that is not consequential to this conversation.

image.png

Kurt


Kurt Buff
Oct 9, 2025, 3:19:30 PM
to ntsys...@googlegroups.com
Huh. OK - it's the usual thing, if I keep flailing about, I can usually stumble across a solution.

The following assumes line of sight to the DCs.

This didn't work to enable BL, and I don't know how I thought this was required:
$secureString = ConvertTo-SecureString "20251008" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -RecoveryPassword $SecureString -RecoveryPasswordProtector

This did work to enable BL:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -RecoveryPasswordProtector

Then I can run this immediately following to get it backed up to AD:
$DriveLetter = "C:"
$BitLockerVolume = Get-BitLockerVolume -MountPoint $DriveLetter
$RecoveryKeyProtector = $BitLockerVolume.KeyProtector | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}
if ($RecoveryKeyProtector) {
   # Back up the recovery key to Active Directory
   Backup-BitLockerKeyProtector -MountPoint $DriveLetter -KeyProtectorId $RecoveryKeyProtector.KeyProtectorId
   Write-Host "BitLocker recovery key for $DriveLetter backed up to Active Directory successfully."
} else {
   Write-Host "No RecoveryPassword key protector found for $DriveLetter."
}
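As an added example (not code from the thread or from any poster), here is the sequence Kurt landed on, wrapped so it can be pushed to a list of laptops over WinRM with the checks a practitioner would want before and after. It assumes WinRM access as a local admin, line of sight to a DC, the GPO from the start of the thread (which is why -UsedSpaceOnly is omitted), and that the laptops have a ready TPM; adding the TPM protector afterwards with Add-BitLockerKeyProtector is my addition and is not in the thread.

```powershell
# Enable BitLocker remotely and escrow the recovery password to AD DS.
# Added example, not from the thread. Assumes WinRM, local admin rights on the
# targets, reachable DCs, the thread's GPO, and a present, ready TPM.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $MountPoint = 'C:',
    [ValidateSet('XtsAes128', 'XtsAes256')] [string] $EncryptionMethod = 'XtsAes128'
)

$remediate = {
    param($MountPoint, $EncryptionMethod)
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; TpmReady = $false
                          Status = $null; BackedUpId = $null; Error = $null }
    try {
        # A TPM protector needs an owned, ready TPM; stop early and report if not.
        $tpm = Get-Tpm
        $result.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        if (-not $result.TpmReady) { throw 'TPM not present or not ready' }

        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Recovery password protector first: with "Do not enable BitLocker until
            # recovery information is stored to AD DS" the TPM-only form is refused.
            # The GPO enforces full encryption, so -UsedSpaceOnly is deliberately omitted.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod `
                -RecoveryPasswordProtector | Out-Null
            # TPM protector so the machine boots unattended instead of prompting.
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
        }

        # Escrow every recovery password protector (normally exactly one) to the
        # computer object's msFVE-RecoveryInformation child in AD DS.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) { throw "No RecoveryPassword protector on $MountPoint" }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        $result.BackedUpId = $rp.KeyProtectorId -join ','
        $result.Status = '{0} / {1} / {2}%' -f $vol.VolumeStatus, $vol.ProtectionStatus,
                                               $vol.EncryptionPercentage
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# One row per laptop; a non-empty Error column is a machine that still needs hands-on work.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $remediate `
    -ArgumentList $MountPoint, $EncryptionMethod -ErrorAction Continue |
    Select-Object Computer, TpmReady, Status, BackedUpId, Error |
    Format-Table -AutoSize
```

Encryption continues in the background after the cmdlets return, so Status will usually read EncryptionInProgress on the first run; the recovery password is already in AD at that point, which is what the original question was about.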

Philip Elder
Oct 9, 2025, 7:46:55 PM
to ntsys...@googlegroups.com

Weird. I’m not close to being able to grab a screencap of our BL GPO but once it’s in as soon as we enable BL on a new device it automagically appears in the computer’s AD Object.


Wright, John M
Oct 10, 2025, 8:16:29 AM
to ntsys...@googlegroups.com

I’m a little short of time but, if it’s any use, here’s what we’ve got that works for us.
