Looking for advice on Bitlocking mobile windows devices with Domain recovery agent.

I have a 2008 functional level domain, we'd like to enable BitLocker on all Windows laptops backing up the passwords and recovery info to AD DS, and requiring TPM + PIN.  It'd be awesome if we could push this out via GPO as well.

I've done limited tests in with a few vm's and a couple physical laptops with little success.  Looking for any advice, tips/tricks, etc.

All laptop OS's are Win7 Enterprise, and all hardware has supporting TPM on-board.
LVL 14
Ben HartAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
Hi again.

It would be nice to see what you did and what didn't succeed.
The process is documented at Microsoft's Technet on various sites and I am pretty sure a TPM-based bitlocker "rollout" will run pretty well, though I never did one, I used it on win8.1 and not with TPM but with passwords (which is not possible on 7, by the way).

So please expand the description of the process.
0
Ben HartAuthor Commented:
Ok I don;t have the sources of this anymore :(  But what I did was I created a test OU, disabled inheritance, and created a new GPO that made admin template change towards the recovery keys and copied two vbs files to the users desktop and I believe it ran them.  I've attached reports off both of the GPO's I created for this.
Enable-BL.htm
Install-net4.5---WMF-4.htm
0
Ben HartAuthor Commented:
McKnife how was BT rolled out in your env?
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

McKnifeCommented:
We set the policy to require AD backup of keys before encryption (which in fact enforces automatic key backup) and set the GPO to allow additional startup keys, so tpm would not be necessary. Then we used a manage-bde.exe script inside our startup script that set a random password and created a .bek file (Bitlocker encryption key file) that we could save to a usb key (all users got such a usb key). We handed out the keys to users so they could start the computers on their own. Then, they were told to use another script (metro desktop link) that they should feed their domain password. The script would
A set this one the BL password
B setup autologon using the same password so we could have single sign on (even though it is faked).

Edit: ah, and we required 256-bit-AES using GPOs.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ben HartAuthor Commented:
What do you do if a user loses their usb key?  They have to have the key plugged in at boot correct?
0
McKnifeCommented:
No, I forgot to mention, the script they initially used to set a password would destroy the usb protector, so they could no longer use it. We would not like to see the keys being left plugged in...
0
Ben HartAuthor Commented:
Here's the two vb script files Ive got that are supposed to enable Bitlocker and TPM.
EnableBitLocker.vbs
enable-bitlocker-notebook.vbs
0
McKnifeCommented:
If they are from MS, they should of course work... please let us know the complete output.
0
McKnifeCommented:
Tomorrow I might be able to give you a solution. We have just acquired a single laptop that needs BL with TPM.
0
Ben HartAuthor Commented:
Sweet! I look forward to it.
0
McKnifeCommented:
Funny... that TPM just didn't want to play with me, today. But that had nothing to do with scripting abilities or even scripting at all. Had to disable it altogether in order to use bitlocker. With TPM activated and prepared, I got "The system cannot find the file specified" - whatever file that should be.

So I am sorry, but I cannot try it today, maybe in a few weeks again. Would like to try it, but in virtual test environments, I can't, because those still cannot emulate a TPM chip.
0
Ben HartAuthor Commented:
The vm's I will use to test are on my desktop.. HP Z230 which has a TPM on-board.  Would you mind shooting me your scripts for comparison?
0
McKnifeCommented:
Like I said, VMs cannot use Tpm chips.
I have no scripts for tpm setups.
0
Ben HartAuthor Commented:
Hmm that's unfortunate.  I do not want to manage a barrage of usb keys.. nor smartcards.  I assumed TPM + PIN would be the easiest for the users to handle.
0
McKnifeCommented:
Yes it is.
So please look into either simple scripting (manage-bde.exe) or let that script you already have log its errors to a file so we can discuss them.
0
Ben HartAuthor Commented:
I'm posting here to keep my question active while I test a couple things out on this script.
0
Ben HartAuthor Commented:
McKnife.. What OS are your clients running? What functional level is your domain? And are you backing up Bitlocker info to DS?
0
McKnifeCommented:
OS: win8.1 pro
funct. level: 2008
Backup to AD: yes
0
Ben HartAuthor Commented:
OK first off my apologies for letting this expire like it did.  Is my issue resolved?  No.. not even close.  But due to the extreme clean up efforts at EE I am forced to do something with this question.  I do not and have never agreed with how stringently Admins push for question closure... as if all posters here have nothing to do at work but sit here and closely monitor a question until it's completion.  Which in my experience can take weeks.

But whatever.. I chose to pay for this service including it's stupidly strict rules.  So I will close a question that HAS NOT been resolved because I lack the time to complete it and thus keep the illusion going that everything in EE is always answered correctly because there is no way to award Experts for helping other than saying they solved your problem.
0
Ben HartAuthor Commented:
My issue is not resolved, I am closing this question and giving points to McKnife because he was the only one who tried helping.
0
McKnifeCommented:
Hi Ben.

I fully agree on your comment/complaint. Only thing: there are many people that neglect to come back to their questions and that's why some urge to feedback/close is being used. Because for helpers it is extremely complicated to remember what that thread is about even after 1 week or so. Within a week, I participate in maybe 100 questions...
0
Ben HartAuthor Commented:
I've been in the same boat man.  It's just stupid that I have to choose a solution to a problem that at that time has no solution.  I know the benefits of the rules and the cons very well.. do I know an alternative?  Not really.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.