Choosing how to unlock this drive option in Bitlocker
We've deployed Windows 7 to a handful of notebooks using the Microsoft Deployment Toolkit. During the deployment we utilized the "Enable Bitlocker" step in our Task Sequence. We chose to encrypt the OS drive using TPM only. We also chose to create the recovery key in Active Directory. This worked like a charm for us and the keys were successfully stored in Active Directory.
When we fire up one of the notebooks and choose to Turn on Bitlocker on, say, a D: drive, we're presented with a "Choose how you want to unlock this drive" option. Either use a password, a smart card or Automatically unlock this drive on this computer. Why wasn't this an option when we were deploying Bitlocker?
The next dialog asks us how to store the recovery key. There's no option to choose Active Directory. Is that because we've already encrypted our OS drive and saved the key to Active Directory?
Thanks in advance for any help with my questions.
Orange County District Attorney
February 1st, 2012 4:10pm
Hi,
Regarding the encryption methods of Bitlocker, you could deploy the Bitlocker policies via Group Policy.
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx
http://windows.microsoft.com/en-US/windows7/What-Group-Policy-settings-are-used-with-BitLocker
Regarding your second question, recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created and changed if the "Store Bitlocker information in Active Directory policy" is deployed.
Juke Chou
TechNet Subscriber Support
February 2nd, 2012 4:40am
Hi,
Any update?
Juke Chou
TechNet Community Support
February 6th, 2012 4:43am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Juke Chou
TechNet Subscriber Support
February 9th, 2012 5:08am
Hello Juke,
For some reason I don't get alerts when there are posts in some forums, I apologize for this.
I've got the Group Policy set correctly for our BitLocker-enabled systems. There doesn't seem to be a way, however, to encrypt a drive from the GUI and avoid the "Choose a way to unlock this drive" dialogue. The systems are configured via Group Policy to save their keys in AD and that's enough for us.
We did find a way to avoid these dialogues by just running manage-bde.exe. This allows us the flexibility to just encrypt the drive and let the keys get saved in AD.
Orange County District Attorney
February 9th, 2012 10:15am
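
The manage-bde.exe approach mentioned in the last post could look like the following for a fixed data drive. This is an added example, not the poster's actual commands; it assumes an elevated prompt, an OS volume already protected by BitLocker, and the AD DS backup policy from the thread already applied, and the `Invoke-ManageBde` helper and `$Drive` variable are illustrative names.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes the OS volume is already BitLocker-protected (TPM) and Group Policy
# allows recovery information to be stored in AD DS.
$Drive = 'D:'   # example data volume, as in the thread

function Invoke-ManageBde([string[]]$Arguments) {
    # Run manage-bde.exe with the given arguments and stop on a non-zero exit code.
    $output = & manage-bde.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

# 1. Turn BitLocker on with a numerical recovery password protector.
#    Output is discarded so the recovery password is not left on screen or in
#    a transcript; it is retrieved from AD DS when needed.
Invoke-ManageBde @('-on', $Drive, '-RecoveryPassword') | Out-Null

# 2. Unlock the data volume automatically once the OS volume is unlocked
#    (the command-line equivalent of "Automatically unlock this drive on this computer").
Invoke-ManageBde @('-autounlock', '-enable', $Drive) | Out-Null

# 3. Confirm a recovery password protector exists and back it up to AD DS
#    explicitly, rather than relying only on the policy-driven backup.
$ids = Invoke-ManageBde @('-protectors', '-get', $Drive, '-Type', 'RecoveryPassword') |
    ForEach-Object { if ("$_" -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } }
if (-not $ids) { throw "No recovery password protector found on $Drive" }
foreach ($id in $ids) {
    Invoke-ManageBde @('-protectors', '-adbackup', $Drive, '-id', $id) | Out-Null
}

# 4. Show conversion progress and the protectors now on the volume.
Invoke-ManageBde @('-status', $Drive)
```

If step 3 fails, the volume is still encrypting but its recovery password is not confirmed in the directory, so resolve the AD DS backup before the notebook leaves the building.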