Hey everyone! I'm curious about how you handle configuring BitLocker in an on-prem Active Directory environment when most of the machines already have manufacturer encryption enabled. My experience with BitLocker rollouts has been pretty solid, but this new client has loads of machines that rely on that manufacturer encryption, which doesn't use protectors and forces users to join either Azure or a personal O365 account. So far, my past approach involved turning off BitLocker entirely on selected machines to let the AD policy take control and ensure recovery keys were saved to AD, but that's not an option here. I'm limited to using PowerShell and Group Policy. Any advice or scripts you could share would be greatly appreciated! Thanks!
1 Answer
I wrote a PowerShell script for this kind of situation. It checks that encryption is applied using an approved cipher, ensures a TPM key is enabled on the OS drive, enables auto-unlock for fixed drives, and also backs up the recovery passwords to both AD and AAD. One tricky part was filtering out removable USB storage. I set the script to run as a compliance check in SCCM, which handled around 99% of common issues due to its self-healing nature.
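As an added worked example for this thread (written here, not the answerer's script), the following PowerShell implements the checks the answer lists: approved cipher, TPM protector on the OS drive, auto-unlock on fixed data drives, recovery-password escrow to AD DS and AAD, and skipping removable USB storage. It assumes Windows 10/11 with the BitLocker module, an elevated session on a domain-joined (and optionally AAD/hybrid-joined) machine, and it follows the SCCM configuration-item pattern of a detection run that only reports and a `-Remediate` run that self-heals. `XtsAes256` as the approved cipher and the `Compliant` output string are assumptions to adjust to your policy.

```powershell
# Added example for this thread (not the answerer's script). Assumes Windows 10/11 with the
# BitLocker PowerShell module, a domain-joined (optionally AAD/hybrid-joined) machine and an
# elevated session. Without -Remediate it only reports; with -Remediate it fixes what it can.
# $ApprovedMethods defaulting to XtsAes256 is an assumption; set it to your policy.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string[]]$ApprovedMethods = @('XtsAes256')
)
$problems = New-Object System.Collections.Generic.List[string]

function Test-RemovableDrive {
    param([string]$DriveLetter)
    # A USB stick reports DriveType 'Removable'; a USB-attached SSD/HDD often reports
    # 'Fixed' but its disk BusType is 'USB'. Skip both so removable media is never touched.
    $vol = Get-Volume -DriveLetter $DriveLetter -ErrorAction SilentlyContinue
    if (-not $vol -or $vol.DriveType -eq 'Removable') { return $true }
    $disk = Get-Partition -DriveLetter $DriveLetter -ErrorAction SilentlyContinue |
            Get-Disk -ErrorAction SilentlyContinue
    return [bool]($disk -and $disk.BusType -eq 'USB')
}

function Sync-RecoveryPassword {
    param($Volume)
    # Ensure a RecoveryPassword protector exists, then escrow it to AD DS and AAD.
    $rp = @($Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        if (-not $Remediate) { $problems.Add("$($Volume.MountPoint): no RecoveryPassword protector"); return }
        $null = Add-BitLockerKeyProtector -MountPoint $Volume.MountPoint -RecoveryPasswordProtector
        $rp = @((Get-BitLockerVolume -MountPoint $Volume.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    if (-not $Remediate) { return }
    foreach ($p in $rp) {
        # AD DS escrow needs the schema extension and the "Store BitLocker recovery information
        # in AD DS" policy; the cmdlet throws if the write fails, so record that as non-compliant.
        try { Backup-BitLockerKeyProtector -MountPoint $Volume.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop }
        catch { $problems.Add("$($Volume.MountPoint): AD escrow failed ($($_.Exception.Message))") }
        # AAD escrow only succeeds on AAD/hybrid-joined devices; elsewhere it is expected to fail.
        try { BackupToAAD-BitLockerKeyProtector -MountPoint $Volume.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop }
        catch { $problems.Add("$($Volume.MountPoint): AAD escrow failed ($($_.Exception.Message))") }
    }
}

foreach ($v in Get-BitLockerVolume) {
    $letter = $v.MountPoint.TrimEnd(':', '\')
    if ($v.VolumeType -ne 'OperatingSystem' -and (Test-RemovableDrive $letter)) { continue }
    try {
        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            if (-not $Remediate) { $problems.Add("$($v.MountPoint): not encrypted"); continue }
            if ($v.VolumeType -eq 'OperatingSystem') {
                $null = Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod $ApprovedMethods[0] -TpmProtector -SkipHardwareTest
            } else {
                $null = Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod $ApprovedMethods[0] -RecoveryPasswordProtector
            }
            $v = Get-BitLockerVolume -MountPoint $v.MountPoint
        }
        if ($v.EncryptionMethod -notin $ApprovedMethods) {
            # Changing the cipher means a full decrypt/re-encrypt; report it rather than doing it silently.
            $problems.Add("$($v.MountPoint): cipher $($v.EncryptionMethod) not approved")
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            if (-not ($v.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')) {
                if ($Remediate) { $null = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmProtector }
                else { $problems.Add("$($v.MountPoint): no TPM protector") }
            }
            # Manufacturer/device encryption commonly leaves the OS volume encrypted under a clear
            # key (ProtectionStatus Off, no protectors). Once a TPM protector exists, resuming
            # protection (the equivalent of manage-bde -protectors -enable) drops the clear key.
            if ($v.ProtectionStatus -eq 'Off') {
                if ($Remediate) { $null = Resume-BitLocker -MountPoint $v.MountPoint }
                else { $problems.Add("$($v.MountPoint): protection is off") }
            }
        } elseif (-not $v.AutoUnlockEnabled) {
            # Auto-unlock for fixed data drives requires the OS drive to be protected first.
            if ($Remediate) { $null = Enable-BitLockerAutoUnlock -MountPoint $v.MountPoint }
            else { $problems.Add("$($v.MountPoint): auto-unlock disabled") }
        }
        Sync-RecoveryPassword (Get-BitLockerVolume -MountPoint $v.MountPoint)
    } catch {
        $problems.Add("$($v.MountPoint): $($_.Exception.Message)")
    }
}
# SCCM compares this output against the expected value 'Compliant' (an assumed convention).
if ($problems.Count -eq 0) { 'Compliant' } else { $problems -join '; ' }
```

Run it once without `-Remediate` to see what it would change on a given machine before deploying it as the remediation script. Volumes mounted on folder paths rather than drive letters are skipped by `Test-RemovableDrive`, and a cipher mismatch is deliberately only reported, since fixing it needs a decrypt and re-encrypt that should be scheduled rather than triggered by a compliance cycle.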
That's similar to what I'm trying to do. I've got a reference script for Azure AD, but some parts don’t work with my setup, so I'm modifying it and hoping to find a better version that fits.