Here’s the deal:
If your level differs, it may still work, but according to older tutorials, if you’re below 2008 you’ll need to extend the schema and so on, so in that case search for another tutorial. If your levels are fine, rest assured: it will be much more straightforward than most tutorials suggest with their pages and pages of instructions. Let’s start!
You need to check whether your AD schema contains the necessary objects; refer to the article Checking BitLocker and TPM Schema Objects. For me, all the required objects were present OOB. Like I said, if you’re at least on 2008 they should be there.
You also need to install the BitLocker Drive Encryption Administration Utilities on your domain controllers via Server Manager:
Now you gotta set some permissions so that computers are allowed to save TPM ownership info to the directory. For this, open Active Directory Users and Computers, right click your domain root, select Properties, go to the Security tab and click Advanced. There you’ll see a whole bunch of ACEs (Access Control Entries), from which you gotta find the one that is assigned to the SELF principal and applies to Descendant Computer objects (most likely you’ll have only one).
Edit this entry and scroll down until you find the already checked Write msTPM-TpmInformationForComputer entry. All you gotta do is check the Write msTPM-OwnerInformation entry too, then click OK.
Don’t worry if the checkbox doesn’t actually stay checked, because all that happens is you’ll get a new entry with this permission.
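As an added example (not from the original post), the following PowerShell script, run from a machine with the RSAT ActiveDirectory module, verifies the two prerequisites above: that the BitLocker/TPM schema objects are present, and that the SELF ACE on the domain root grants Write on the two TPM attributes for descendant Computer objects. The function name Get-SchemaGuid and the output labels are my own.

```powershell
# Added example: check BitLocker/TPM schema objects and the SELF ACE on the domain root.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

# Returns the schemaIDGUID of a schema class/attribute by lDAPDisplayName, or $null if absent.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if ($null -eq $obj) { return $null }
    return [guid]$obj.schemaIDGUID
}

# 1. Schema check: the BitLocker recovery and TPM objects must exist.
$schemaObjects = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
                 'msFVE-VolumeGuid', 'msFVE-KeyPackage', 'msTPM-OwnerInformation',
                 'msTPM-TpmInformationForComputer'
foreach ($name in $schemaObjects) {
    $state = if (Get-SchemaGuid $name) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-40} {1}" -f $name, $state)
}

# 2. ACE check: SELF needs an Allow WriteProperty ACE for each TPM attribute that is
#    inherited by descendant Computer objects (this is what the two GUI checkboxes set).
$computerGuid = Get-SchemaGuid 'computer'
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($attr in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer') {
    $attrGuid = Get-SchemaGuid $attr
    if ($null -eq $attrGuid) { continue }   # already reported as MISSING above
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        # ObjectType empty means "all properties"; InheritedObjectType empty means "all descendant objects"
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.InheritedObjectType -eq $computerGuid -or $_.InheritedObjectType -eq [guid]::Empty) -and
        $_.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    }
    $state = if ($ace) { 'granted to SELF on descendant computers' } else { 'NOT granted, add it in ADUC as described' }
    Write-Host ("{0,-40} {1}" -f "Write $attr", $state)
}
```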
Create a new GPO (Group Policy Object) for the BitLocker settings, set its security filtering to Domain Computers (or whatever computer group you want) and link it to an OU that contains a test computer. Now you need to configure the following:
It’s really simple: just open File Explorer, right click the OS drive and select Turn on BitLocker.
Then proceed with the system check and create a startup key. After you reboot, it’ll put a .BEK file on your thumb drive (this is the key you’ll use to unlock the computer at startup) and start encrypting your drive; you’re free to reboot at any time, it’ll continue where it left off. Make sure to encrypt the OS drive first, otherwise you won’t be able to auto-unlock data drives.
Also keep in mind that BitLocker’s only available in Windows 8 Pro and Windows 7 Ultimate or Enterprise. It is not available in Windows 7 Pro.
Remember, you don’t need to back up the thumb drives used for startup, because the recovery keys are automatically backed up to AD when BitLocker is turned on. Just open the properties of the appropriate computer object and go to the BitLocker Recovery tab.
If you don’t know which computer it is, just right click your domain root and click Find BitLocker recovery password, where you can look up the recovery key by the first few digits of the password ID the computer shows you at startup.
If you want to replace a missing/damaged startup key, start the computer with this recovery password, then run these two commands in an elevated command prompt (replace the placeholder with the drive letter of the new thumb drive):
manage-bde -protectors -delete C: -type externalkey
manage-bde -protectors -add C: -startupkey <thumb drive letter>:
Tags: active directory, ad, bitlocker, fde, full disk encryption, tpm, trusted platform module, windows server 2012 r2