Choosing how to unlock this drive option in BitLocker

  • Question

  • We've deployed Windows 7 to a handful of notebooks using the Microsoft Deployment Toolkit. During the deployment we utilized the "Enable BitLocker" step in our Task Sequence. We chose to encrypt the OS drive using TPM only. We also chose to create the recovery key in Active Directory. This worked like a charm for us and the keys were successfully stored in Active Directory.

    When we fire up one of the notebooks and choose Turn On BitLocker on, say, a D: drive, we're presented with a "Choose how you want to unlock this drive" option: either use a password, a smart card, or automatically unlock this drive on this computer. Why wasn't this an option when we were deploying BitLocker?

    The next dialog asks us how to store the recovery key. There's no option to choose Active Directory. Is that because we've already encrypted our OS drive and saved the key to Active Directory?

    Thanks in advance for any help with my questions.


    Orange County District Attorney
    Wednesday, February 1, 2012 9:10 PM

Answers

All replies

  • Hi,

    Regarding the encryption methods of BitLocker, you could deploy the BitLocker policies via Group Policy.

    http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx 

    http://windows.microsoft.com/en-US/windows7/What-Group-Policy-settings-are-used-with-BitLocker

    Regarding your second question, recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created or changed if the "Store BitLocker information in Active Directory" policy is deployed.

    Juke Chou

    TechNet Community Support

    Thursday, February 2, 2012 9:40 AM
    Moderator
  • Hi,

    Any update?


    Juke Chou

    TechNet Community Support


    Monday, February 6, 2012 9:43 AM
    Moderator
  • Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as 'Answered' as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Juke Chou

    TechNet Community Support

    Thursday, February 9, 2012 10:08 AM
    Moderator
  • Hello Juke,

    For some reason I don't get alerts when there are posts in some forums; I apologize for this.

    I've got the Group Policy set correctly for our BitLocker-enabled systems. There doesn't seem to be a way, however, to encrypt a drive from the GUI and avoid the "Choose a way to unlock this drive" dialogue. The systems are configured via Group Policy to save their keys in AD, and that's enough for us.

    We did find a way to avoid these dialogues by just running manage-bde.exe. This allows us the flexibility to just encrypt the drive and let the keys get saved in AD.


    Orange County District Attorney

    Thursday, February 9, 2012 3:15 PM
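
The two points made in this thread, that the fixed-data-drive recovery policy drives the AD escrow (Juke Chou's reply) and that manage-bde.exe encrypts a data drive without the "Choose how you want to unlock this drive" wizard (the final post), can be combined into one script. The following is an added example written for this page, not code posted by either participant or shipped by Microsoft. It assumes an elevated PowerShell prompt on a domain-joined Windows 7 machine whose OS drive is already protected, that the data volume is D: (the drive letter from the thread), and that the "Choose how BitLocker-protected fixed drives can be recovered" policy has been applied; the FVE registry value names it checks are the ones that policy writes as I know them and should be verified against your ADMX before relying on the check.

```powershell
# Added example for this thread (not from the original posts).
# Encrypt a fixed data drive with manage-bde using only a numerical recovery
# password protector, so no password/smart-card prompt appears, then confirm
# the protector was escrowed to AD DS as Group Policy should already do.
param(
    [string]$Drive = 'D:'   # assumption: the data volume discussed in the thread
)

# 1. Confirm policy enforces AD backup for fixed data drives before encrypting.
#    Assumption: these are the registry values behind the fixed-drive recovery
#    policy ("FDV" = fixed data volume); 1 means enabled. Verify against your ADMX.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$backup  = (Get-ItemProperty -Path $fve -Name FDVActiveDirectoryBackup        -ErrorAction SilentlyContinue).FDVActiveDirectoryBackup
$require = (Get-ItemProperty -Path $fve -Name FDVRequireActiveDirectoryBackup -ErrorAction SilentlyContinue).FDVRequireActiveDirectoryBackup
if ($backup -ne 1 -or $require -ne 1) {
    Write-Warning "Policy does not require AD backup for fixed data drives; recovery info may exist only on this machine."
}

# 2. Turn on BitLocker with a recovery password protector only.
#    This is the command-line equivalent of skipping the unlock-method wizard.
manage-bde -on $Drive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed with exit code $LASTEXITCODE" }

# 3. Read the protectors back. The numerical password protector is listed with
#    an "ID: {GUID}" line followed by the 48-digit recovery password.
$protectors = manage-bde -protectors -get $Drive
$ids = $protectors |
    Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# 4. Force a backup of each protector to AD DS. With the policy above this already
#    happens when the protector is created; re-running it is useful when the
#    notebook could not reach a domain controller at that moment.
foreach ($id in $ids) {
    manage-bde -protectors -adbackup $Drive -id $id
    if ($LASTEXITCODE -ne 0) { Write-Warning "AD backup of protector $id failed (exit $LASTEXITCODE); check DC connectivity and the policy." }
}

# 5. Optional: the equivalent of the wizard's "Automatically unlock this drive on
#    this computer". It stores an external key on the already-encrypted OS volume,
#    so the OS drive must be BitLocker-protected first (as it is in this thread).
# manage-bde -autounlock -enable $Drive

# 6. Show the encryption state and progress for the data drive.
manage-bde -status $Drive
```

After step 4, the recovery password should appear on the computer object in AD under its msFVE-RecoveryInformation child objects; if it does not, the warning from step 1 or the `-adbackup` exit code tells you whether the policy or the domain controller connection is the problem.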