Friday, 13 May 2016

Cannot Save Recovery Information for BitLocker in Windows 7

How to enable BitLocker using GPO:
1. Open the Group Policy Management Console and create a new Group Policy.
2. Right-click the policy and click Edit; the Group Policy Management Editor window opens.
3. Expand Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption.
You should see the BitLocker policy options shown below:
[screenshot]

4. The policy we need to configure is: Provide Unique Identifiers for your organization.

5. Under the Fixed Data Drives section, enable the two policies shown below. For more information on each policy, refer to its Help tab.
[screenshot]
6. Under the Operating System Drives section, enable the three policies shown below. For more information on each policy, refer to its Help tab.
[screenshot]
- Require additional authentication at startup: set this policy as per your requirement. Its settings are: Configure TPM Startup; Configure TPM Startup PIN; Configure TPM Startup Key; Configure TPM Startup Key and PIN.
If you want to use TPM + PIN as the startup type, see the screenshot below.
[screenshot]
7. Under the Removable Data Drives section, enable the three policies shown below. For more information on each policy, refer to its Help tab.
[screenshot]
8. Turn on TPM Backup to AD Domain Services.
In the Group Policy Management Editor, expand Computer Configuration → Policies → Administrative Templates → System → Trusted Platform Module Services.
[screenshot]
Apply the policy to the specific OU or domain containing the computers on which you want to enable BitLocker.
Run gpupdate /force on the client machine and run rsop.msc to see if the policies are applied.
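
To check on the client that the settings from the steps above actually arrived, the registry values that the policies write can be read directly. This is an added example, not part of the original post; the registry value names and the expected values (startup type TPM + PIN set to required) are assumptions to confirm against VolumeEncryption.admx and TPM.admx in your environment.

```powershell
# Added example (constructed, not from the original post).
# Assumption: the policies configured above write these registry values.
# For the UseTPM* values: 0 = do not allow, 1 = require, 2 = allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

$checks = @(
    @{ Policy = 'Provide unique identifiers for your organization'
       Path = $fve; Name = 'IdentificationField';  Expected = 1 },
    @{ Policy = 'Require additional authentication at startup'
       Path = $fve; Name = 'UseAdvancedStartup';   Expected = 1 },
    @{ Policy = 'Startup type TPM + PIN (required)'
       Path = $fve; Name = 'UseTPMPIN';            Expected = 1 },
    @{ Policy = 'Turn on TPM backup to AD Domain Services'
       Path = $tpm; Name = 'ActiveDirectoryBackup'; Expected = 1 }
)

function Test-PolicyValue {
    param($Check)
    # A missing key or value means the GPO never reached this machine.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $state  = 'NOT SET'
    } else {
        $actual = $item.($Check.Name)
        if ($actual -eq $Check.Expected) { $state = 'OK' } else { $state = 'MISMATCH' }
    }
    New-Object PSObject -Property @{
        State  = $state
        Policy = $Check.Policy
        Value  = $Check.Name
        Actual = $actual
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue $_ }
$results | Select-Object State, Policy, Value, Actual | Format-Table -AutoSize

# A non-zero exit code lets a deployment or inventory job flag the machine.
$failed = @($results | Where-Object { $_.State -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) BitLocker/TPM policy value(s) missing or unexpected; check GPO scope with rsop.msc."
    exit 1
}
```

A NOT SET result usually means the GPO is not linked to the computer's OU or has not refreshed yet, while MISMATCH means a different setting (or another GPO) won.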
