Applied GPO for BitLocker configuration & several computers started self-encrypting?

Question

This is a tough one. I enabled a GPO on a 2012R2 domain for BitLocker settings only (default folder for recovery key, store recovery information in AD, etc.). Then a few days later I noticed a few dozen computers (1% of total targeted) had recovery information in AD, but no one in IT at the company had enabled it on those computers. All the BitLocker recovery keys had dates that came within the few days the GPO was being applied, and if I looked in the logs of the computers at the time of the recovery keys being stored in AD I can see event 774 - "BitLocker was resumed on volume c:". I am sure there were hundreds of reboots during that time so I do not think that reboots were the cause of the self-encrypting, etc., but does anyone have any ideas on possibilities of how computers might have self-encrypted?

My only guess is that the computers might have already had encrypted drives and when they pulled the policy they then backed up their keys to AD? Not even sure if computers will back up the recovery key retroactively if drives are already encrypted, but if anyone has any ideas I really would appreciate it.



    Thursday, June 6, 2019 2:46 PM
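A way to test the "already encrypted, keys backed up retroactively" hypothesis on one suspect machine, added here as example code (not from the original post or from Microsoft): it lists the volume's current BitLocker state and recovery protectors, pulls the BitLocker Management log timeline so the 774 "resumed" events can be set against the AD backup result events, and reads the creation times of the key objects under the computer account in AD. It assumes an elevated session on a domain-joined machine with the BitLocker and ActiveDirectory modules available, and that 845/846 are the AD DS backup success/failure events in that log.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on the suspect machine, BitLocker + ActiveDirectory modules present.
Import-Module BitLocker

function Get-BitLockerTimeline {
    param([string]$MountPoint = 'C:', [datetime]$Since = (Get-Date).AddDays(-30))

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $state = [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus     = $vol.ProtectionStatus   # On = protectors active, Off = suspended or none
        EncryptionPercent    = $vol.EncryptionPercentage
        RecoveryProtectorIds = ($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    }
    $state | Format-List | Out-Host

    # 774 = encryption resumed (the event the poster saw).
    # 845 / 846 = AD DS recovery-information backup succeeded / failed.
    # A volume that was already encrypted before the GPO arrived shows an 845
    # with no encryption-in-progress state around it: the retroactive backup case.
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 774, 845, 846
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# AD side: the msFVE-RecoveryInformation objects under the computer account.
# Their whenCreated stamps are the "key dates" the poster saw in AD; compare
# them with the 845 timestamps from the local log.
function Get-ADBitLockerKeyAges {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties whenCreated |
        Select-Object whenCreated, Name
}

Get-BitLockerTimeline -MountPoint 'C:'
Get-ADBitLockerKeyAges
```

If the AD object creation time matches an 845 event but the volume reports FullyEncrypted with no 774 shortly before it, the drive was encrypted before the policy arrived and the GPO only triggered the key escrow.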
