Many organizations want to protect the data on end-user computers from prying eyes, especially on laptops that may be virtually anywhere. BitLocker is the full-volume encryption feature built into Windows 10 Pro, Enterprise and Education: it encrypts the whole drive so that its contents are unreadable if the disk or laptop is lost or stolen.
Deploying BitLocker across an enterprise can be a daunting task. Group Policy in combination with PolicyPak can automate the entire process with one GPO.
This document assumes the following
The instructions below configure BitLocker to encrypt the used space on the system drive with 256-bit encryption (XTS-AES 256) and to store the recovery password and key package in Active Directory Domain Services. Note that used-space-only encryption is fast on a freshly imaged machine but leaves whatever was previously deleted in free space unencrypted; for repurposed hardware, full-drive encryption is the safer choice. Many more options can be configured through additional policies or a customized script if required.
Add a new collection
Add a new Policy
Open “Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)” and set the following configuration
In the same location, open “Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)” and set the following configuration
Click CLOSE
Note: If deploying different BitLocker configurations for different groups of users or computers, repeat steps 4 through 10 for each configuration, setting the Item-Level Targeting (ILT) on each collection to target the desired grouping.
Add a new policy to start the Scripts Manager wizard
Select “Apply this policy to computer (default)” and click NEXT
Configure “On apply action”
On the dropdown that says “(None)”, select “Batch Script” and type in the following text
Manage-bde -on %systemdrive% -UsedSpaceOnly -RecoveryPassword
(-UsedSpaceOnly, short form -Used, encrypts only the used space as described above. -RecoveryPassword adds the 48-digit numerical recovery password that the “Store BitLocker recovery information in Active Directory Domain Services” policy escrows; without it BitLocker is turned on with only a TPM protector and there is nothing to store in AD.)
Configure “On revert action”
Select either “Once” or “Once or when forced” and click NEXT. Either option runs the script a single time per computer, which is all that is needed; running manage-bde -on again against a drive that is already encrypted only produces an error.
When the policy has been deployed to the computer (the script runs in the computer context, not as the user), the logged-on user receives a notification that a reboot is required; it does not have to happen immediately. On the next reboot BitLocker runs its hardware test and then starts encrypting the drive in the background with no input required from the user. Note that nothing in this script checks for a TPM: on a machine without a compatible TPM, manage-bde -on fails unless the “Require additional authentication at startup” policy has been set to allow BitLocker without one.
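As an added example (not part of the original article, and not PolicyPak's or Microsoft's code), the following PowerShell script does what the batch command above does, with the checks an unattended deployment should have: it verifies that the TPM is ready, skips drives that are already encrypted so the policy can safely re-run, adds the numerical recovery password, escrows it to AD DS and only then turns BitLocker on with XTS-AES 256 on used space only. It assumes a domain-joined Windows 10 Pro/Enterprise/Education machine with a TPM, the two GPO settings above already applied, and the built-in BitLocker and TrustedPlatformModule modules; it is assumed to run elevated in the computer context, for example from a Scripts Manager policy (if the script-type dropdown offers PowerShell) or as a computer startup script.

```powershell
# Added example, not the article's or PolicyPak's code.
# Assumptions: domain-joined Windows 10 with a TPM, the two BitLocker GPO settings
# from the article in effect, BitLocker and TrustedPlatformModule modules present
# (both ship with Windows 10), run elevated as SYSTEM / in the computer context.

$ErrorActionPreference = 'Stop'
$drive = $env:SystemDrive   # normally C:

# 1. Pre-flight: a TPM protector only works if the TPM is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Error "TPM not present or not ready on $env:COMPUTERNAME; not enabling BitLocker."
    exit 1
}

# 2. Idempotency: do nothing on a drive that is already encrypting/encrypted,
#    so the policy can run more than once without errors.
$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$drive is already $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%); nothing to do."
    exit 0
}

# 3. Add the numerical recovery password first. This is the protector that the
#    "Store BitLocker recovery information in AD DS" policy escrows; a TPM-only
#    volume has nothing to escrow.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# 4. Escrow it explicitly to the computer object in AD DS. The GPO does this as
#    well; doing it here makes the script stop (ErrorActionPreference = Stop)
#    before encryption starts if no domain controller is reachable.
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 5. Turn BitLocker on: XTS-AES 256, used space only, key sealed to the TPM.
#    Equivalent to the article's "manage-bde -on %systemdrive% -Used" with the
#    cipher the GPO selects. Without -SkipHardwareTest, encryption starts after
#    the next reboot, once the TPM/boot hardware test has passed.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector | Out-Null

# 6. Report the state the helpdesk will ask about.
$vol = Get-BitLockerVolume -MountPoint $drive
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Drive              = $drive
    VolumeStatus       = $vol.VolumeStatus
    EncryptionMethod   = $vol.EncryptionMethod
    Protectors         = ($vol.KeyProtector.KeyProtectorType -join ', ')
    RecoveryPasswordId = $rp.KeyProtectorId
} | Format-List
```

To confirm the escrow from the administrator side, open the computer object in Active Directory Users and Computers with the BitLocker Recovery Password Viewer feature installed, or query the object's msFVE-RecoveryInformation child objects with Get-ADObject; the 48-digit password is in the msFVE-RecoveryPassword attribute. Ordering the script so that the recovery password is added and backed up before Enable-BitLocker runs is deliberate: a drive should never start encrypting before its recovery password is stored somewhere the organization can reach.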