
09: How do I automate BitLocker deployment for my enterprise with Group Policy and PolicyPak?

Many organizations want to protect the data on end-user computers from prying eyes, especially laptops, which may be virtually anywhere. BitLocker is an encryption feature built into computers running Windows 10 Professional, Enterprise and Education that creates a secure environment for your data.

Deploying BitLocker to an enterprise can be a daunting task. Group Policy in combination with PolicyPak can automate the entire process with one GPO.

This document assumes the following:

  • Compatible version of Windows 10
  • TPM present and enabled on the computer (the TPM protects the BitLocker key in hardware, allowing zero-touch deployment and unattended computer start-up)

Implement BitLocker

The instructions below will configure BitLocker to encrypt the used space on the system drive with 256-bit encryption and save the recovery password and key package to Active Directory. Many more options can be configured through additional policies or a customized script if required.

  1. Create a Group Policy on the desired Domain / OU and Edit
  2. Expand Computer Configuration -> PolicyPak and click on Administrative Templates Manager
  3. Add a new collection

  4. Give the Collection a descriptive name and, if required, set Item Level Targeting (ILT can filter the policy based on many different criteria including computer type (e.g. laptops), Operating System (e.g. Windows 10) or Security Group (e.g. Sales))
  5. Double-click to open the collection
  6. Add a new Policy

  7. Browse to Windows Components and click on BitLocker Drive Encryption
  8. Open “Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)” and set the following configuration

    1. Select “Enable”
    2. Check “Require BitLocker Backup to AD DS”
    3. Set Select BitLocker recovery information to store: “Recovery passwords and key packages”
    4. Click OK

  9. In the same location, open “Choose drive encryption method and cipher strength (Windows 10 [version 1511] and later)” and set the following configuration

    1. Select “Enable”
    2. Set the encryption method for each drive type (AES-CBC is recommended for drives that may connect to non-Windows 10 computers)
    3. Click OK

  10. Click CLOSE

    Note: If deploying different BitLocker configurations for different groups of users or computers, repeat steps 4 through 10 for each different configuration, setting the ILT on the collection to target your desired groupings.

  11. Still under PolicyPak, click on Scripts Manager
  12. Add a new policy to start the Scripts Manager wizard

    1. Click NEXT
    2. Select “Apply this policy to computer (default)” and click NEXT

    3. Configure “On apply action”

      1. On the dropdown that says “(None)”, select “Batch Script” and type in the following text

        Manage-bde -on %systemdrive% -Used

      2. Click NEXT
    4. Configure “On revert action”

      1. On the dropdown that says “(None)”, select “Batch Script” and type in the following text

        Manage-bde -off %systemdrive%

      2. Click NEXT
    5. Select either “Once” or “Once or when forced” and click NEXT

    6. Give the policy a descriptive name and set Item Level Targeting if required
    7. Click FINISH
  13. Close Group Policy Management Editor

When the policy has been deployed, the user will receive a notification that a reboot is required. The reboot does not need to happen immediately. On the next reboot BitLocker will automatically start encrypting the drive, with no input required from the user.
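A post-deployment check for the configuration above, added here as an example and not part of the PolicyPak article. It assumes the BitLocker and TrustedPlatformModule PowerShell modules built into Windows 10, an elevated session on the domain-joined client, and that the system drive is the target; it goes one step beyond the procedure by also re-sending the recovery password to AD DS, since a recovery password created before the policy was in force is never escrowed on its own.

```powershell
# Added verification script (not from the PolicyPak article). Assumes the
# BitLocker and TrustedPlatformModule modules and an elevated session.
function Test-BitLockerDeployment {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$BackupRecoveryPassword   # push the recovery password to AD DS
    )
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Protectors the GPO-driven deployment relies on: TPM for unattended boot,
    # RecoveryPassword for the AD DS escrow the policy requires.
    $tpmProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $rpProt  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $status  = $vol.VolumeStatus.ToString()
    $method  = $vol.EncryptionMethod.ToString()

    $findings = [ordered]@{
        MountPoint        = $vol.MountPoint
        TpmReady          = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        VolumeStatus      = $status                 # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectionOn      = ($vol.ProtectionStatus.ToString() -eq 'On')
        EncryptionMethod  = $method
        Is256Bit          = ($method -in 'XtsAes256', 'Aes256')   # matches the 256-bit policy
        HasTpmProtector   = [bool]$tpmProt
        HasRecoveryPwd    = [bool]$rpProt
        RecoveryPwdId     = $rpProt.KeyProtectorId
        BackedUpToAD      = $false
    }

    # The AD DS backup only happens automatically for protectors created while the
    # policy is in force; an older recovery password must be sent explicitly.
    if ($BackupRecoveryPassword -and $rpProt) {
        foreach ($p in $rpProt) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        $findings.BackedUpToAD = $true
    }

    $findings.Compliant = $findings.TpmReady -and $findings.ProtectionOn -and
                          $findings.Is256Bit -and $findings.HasTpmProtector -and
                          $findings.HasRecoveryPwd -and
                          ($status -in 'FullyEncrypted', 'EncryptionInProgress')
    [pscustomobject]$findings
}

# Example run: report on the system drive and escrow the recovery password.
Test-BitLockerDeployment -BackupRecoveryPassword | Format-List
```

A machine whose TPM is not ready will show TpmReady false and the manage-bde script will not complete; that is the first thing to check when a computer never reaches EncryptionInProgress.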

  • 14-Aug-2020