GPO Settings:
- Open "Group Policy Management".
- Navigate to the GPO that is linked to the OU that should receive your BitLocker settings.
- Right-click the GPO and select "Edit".
- Navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption.
- Double-click "Store BitLocker recovery information in Active Directory Domain Services" and configure it as follows:
  - Click "Enabled".
  - Check the box "Require BitLocker backup to AD DS".
  - Click "OK".
- Under Computer Configuration->Policies->Administrative Templates->Windows Components->BitLocker Drive Encryption, open the folder that matches your configuration (Operating System Drives, Fixed Data Drives, or Removable Data Drives).
- Double-click "Require additional authentication at startup" and configure your settings as follows:
  - Click "Enabled".
  - Check the box "Allow BitLocker without a compatible TPM" (only if there are computers in the domain without TPM chips that require protection).
  - Under Configure TPM, select "Allow TPM".
  - Under Configure TPM with PIN, select "Allow startup PIN with TPM".
  - Under Configure TPM startup key, select "Allow startup key with TPM".
  - Under Configure TPM startup key and PIN, select "Allow startup key and PIN with TPM".
  - Click "OK".
- Double-click "Choose how BitLocker-protected operating system drives can be recovered" and configure it as follows:
  - Check the box "Allow data recovery agent".
  - Select "Allow 48-digit recovery password" and "Allow 256-bit recovery key" from the two drop-down lists.
  - Check the box "Save BitLocker recovery information to AD DS...".
  - Select "Store recovery password and key packages" from the drop-down list.
  - Check the box "... information is stored to AD DS for operating system drives".
  - Click "OK".
- Navigate to Computer Configuration->Policies->Administrative Templates->System->Trusted Platform Module and set "Turn on TPM backup to Active Directory Domain Services" to "Enabled".
- Click "OK".
If a machine was already encrypted before the Group Policy was enforced, you can force it to store its recovery information in Active Directory by opening an elevated PowerShell prompt and running:

manage-bde -protectors -get c:

to list its BitLocker key protectors, then, using the ID shown under "Numerical Password" (braces included), running:

manage-bde -protectors -adbackup c: -id '{<numerical password ID>}'
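As an added example (not part of the original post), the following PowerShell automates that manual manage-bde step: it finds every recovery-password protector on a volume and escrows each one to AD DS with the BitLocker module's Backup-BitLockerKeyProtector cmdlet, the cmdlet equivalent of manage-bde -protectors -adbackup. It assumes an elevated session on a domain-joined Windows 8 / Server 2012 or later machine with the GPO above already applied (BitLocker refuses the backup otherwise); the optional verification helper and the function names are mine and assume the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Escrows every BitLocker recovery password
# (the "Numerical Password" protector shown by manage-bde -protectors -get) on one
# volume to AD DS. Assumes: elevated PowerShell, domain-joined Windows 8 / Server 2012
# or later (BitLocker module), and the "Store BitLocker recovery information in AD DS"
# GPO already applied; without that policy the backup call is refused by BitLocker.

function Backup-BitLockerRecoveryToAd {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not BitLocker-protected; nothing to escrow."
        return
    }

    # Only RecoveryPassword protectors can be stored in AD DS; TPM, PIN and
    # startup-key protectors are never backed up, so they are skipped here.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "$MountPoint has no recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
        return
    }

    foreach ($kp in $recovery) {
        # Cmdlet form of: manage-bde -protectors -adbackup <drive> -id <protector GUID>
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            "Escrowed protector $($kp.KeyProtectorId) for $MountPoint to AD DS."
        } catch {
            Write-Error "AD DS backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
        }
    }
}

# Optional check from an admin workstation: list the msFVE-RecoveryInformation objects
# stored under a computer object. Requires the RSAT ActiveDirectory module.
function Get-EscrowedRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated |
        Select-Object Name, whenCreated   # object name embeds the protector GUID; the password itself stays in AD
}

Backup-BitLockerRecoveryToAd -MountPoint 'C:'
```

If the backup is refused with a policy error, run gpupdate /force on the client first so the AD DS backup policy is in effect, then re-run the function.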