This last part in this series gives you some valuable tips when running BitLocker in an Active Directory environment.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

BitLocker, like any other new technology, is a lot of trial and error. Here are the things I’ve learned using BitLocker that will hopefully help you out:

Test, test, test ^

I think, I encrypted my two test systems about 20 times each before I got comfortable with BitLocker. You may also want to consider making the IT staff that will be supporting BitLocker encrypt their own laptops as part of your pilot. The quickest way to identify issues is to use the technology yourself on a daily basis.

Backup, backup, backup!!! ^

Always, always, always, make sure you have a backup of a drive before you encrypt it with BitLocker. Always, always, always, make sure you keep a backup of data that resides on BitLocker encrypted drives. If you’re not using Folder Redirection and Offline File or running a some kind of third-party backup software on your clients, now is the time to investigate before encrypting your data. If you’ve got mobile users, you’re hopefully doing this already.

IT Training ^

Like I said before, I highly advise "dog fooding" of technology. If you’re going to support the technology, you need to know it inside and out. What better way to get to know the product than by eating your own dog food? In addition, you’ll need to make sure that the process to give a 48-digit recovery key to an end user is documented for your Help Desk or normal support staff. If you have a user that is on the road that needs a recovery password, they are already potentially going to be in a bad mood. The last thing you want is for the person answering the phone to not know the procedure to get that user the recovery password they need.

User Training ^

Not only is this something new for you, but it will definitely be new for your users. With BitLocker, especially if you’re using the Microsoft Best Practices, end users are going to need some additional training. Someone on your IT staff will need to take the time to sit down with each user that will be receiving a BitLocker encrypted system to explain why their device is being encrypted, how to enter their PIN, and why they shouldn’t write down their PIN anywhere near their encrypted system. You’ll also need to make sure that your users know what process they need to use to receive a recovery key should their system require it. If you don’t already, you may want to consider putting contact information for your Help Desk or IT group either on a label on your computers or on a card in users’ laptop bags.

Securely Document user PINs ^

If you think you have users that won’t be able to remember their PIN numbers, document PIN’s when the laptop goes out the door with BitLocker enabled. You’ll thank me later when you can give them just their PIN over the phone instead of the 48-digit recovery key.

When should you encrypt? ^

In a perfect world, right after the system is imaged and before it is assigned to the user. Both SCCM (System Center Configuration Manager) and MDT (Microsoft Deployment Toolkit) support BitLocker encrypting a system as part of the OS deployment process. It may be possible to read data from encrypted SSD drive using a wear-leveling algorithm, but I can’t say that I’ve seen it used out in the real world.

What should you encrypt? ^

Well, what is your company’s liability if you lose a device? Which employees have access to your company’s sensitive data? How do you know if an employee is storing sensitive data? Ask these kinds of questions of your organization’s leadership and you’ll have the answer to what you need to encrypt. My advice: if you’re not sure, encrypt it… Better safe than sorry.

Docking Stations ^

If you’re going to be BitLocker encrypting the OS Drive of laptops, make sure you know whether or not the laptop will be using a docking station. Make sure that the laptop is configured to use just the local hard drive as a boot device for booting both with the dock and without the dock. If the boot order changes on the laptop (for example when the user undocks the laptop), your user will be prompted for the 48-digit recovery key at boot. Setting the boot order to local hard drive only for both docked and undocked will resolve this issue. Also consider password protecting the BIOS on systems with docking stations if you believe that the startup options might be tampered with.

System configuration changes ^

Suspend BitLocker before making major system configuration changes. If you need to update the BIOS, modify the boot order, or any other major changes, suspend BitLocker first or you may be prompted for the 48-digit recovery key.

Troubleshooting ^

Error message: A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker.

BitLocker error message - A TPM was not found

A TPM was not found

This is caused by either the system not having a TPM or the TPM not being enabled. Refer to your system’s documentation on how to enable the TPM.

Error Message: This computer requires a startup option that isn’t supported by BitLocker Setup. Please contact your system administrator to enable BitLocker.

BitLocker error - Startup option that isn’t supported by BitLocker setup

Startup option that isn’t supported by BitLocker setup

If you see this one, it is usually caused by having more than one required option for additional authentication for an OS Drive at startup.

You can’t require more than one startup type. In your GPO, go to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating system drives, Require Additional authentication at startup. Set to enabled and require the use of a startup PIN with a Trusted Platform Module (TPM).

BitLocker - Require additional authentication at startup

Require additional authentication at startup

Error Message: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.

BitLocker Error - Group Policy settings for BitLocker startup options are in conflict and cannot be applied

Group Policy settings for BitLocker startup options are in conflict and cannot be applied

Like the previous error, this is usually caused by incorrect settings in the Require additional authentication at startup option. The error can be caused by having no required or allowed startup options:

BitLocker error - No required or allowed startup options

No required or allowed startup options

Or, by having a Required startup option and an Allowed startup option:

BitLocker error - Required startup option and an Allowed startup option

Required startup option and an Allowed startup option

To resolve the issue, go to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating system drives, Require Additional authentication at startup. Set to enabled and require the use of a startup PIN with a Trusted Platform Module (TPM).

Require additional authentication at startup and require the use of a startup PIN with a Trusted Platform Module (TPM)

Require additional authentication at startup and require the use of a startup PIN with a Trusted Platform Module (TPM)

Do you have other tips when running BitLocker in an Active Directory environment? Please leave a comment!

Are you an IT pro? Apply for membership!

Your question was not answered? Ask in the forum!

0
Share
5 Comments
  1. Bob 7 years ago

    Thank you for your post,after configuring the GPO i was getting this error on the client. It worked just as I had hoped. Now just to figure out what I am doing wrong that I can't see anything on MBAM server.....

    0

  2. Jesper 7 years ago

    Great article

    I am using this in my test environment right now.

    If I can make a request, I would love an article on how to setup Bitlocker to use AD CS PKI.

    Best regards
    Jesper

    0

  3. Anthony 7 years ago

    I've spent the last 2 days unsuccessfully dealing with group policy configuration conflicts, I must thank for your tutorial, excuse me while I go on a mountain retreat to meditate on how to become a better Microsoft customer

    0

  4. Compliment 2 years ago

    Your The Best!
    You Saved me from Hours of strugle 😀

    0

  5. cojkib 3 months ago

    What's the difference between

    1. Configure TPM startup: "Do not allow TPM"
    2. Configure TPM startup PIN: "Require startup PIN with TPM"
    3. Configure TPM startup key: "Do not allow startup key with TPM"
    4. Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    and

    1. Configure TPM startup: "Do not allow TPM"
    2. Configure TPM startup PIN: "Allow startup PIN with TPM"
    3. Configure TPM startup key: "Do not allow startup key with TPM"
    4. Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    or more general, what's the difference between the relaxed "Allow" and the strict "Require"?

    Thanks!

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account