BitLocker Step by Step Guide


Can anyone point me in the direction of a good Bitlocker rollout guide?

We are a Server 2012 domain with mainly Windows 7 clients (and a handful of Windows 8) and mainly TPM hardware (but a few that aren't).

We want to use BitLocker solely for drive encryption on client devices that are going out of the building and running DirectAccess.

We have manually encrypted a few and stored the keys, but we want to do this automatically and I am really struggling to find some good documentation about the process. There seem to be a lot of pages on the Microsoft site, but a lot of the advice seems to be conflicting, so I am really looking for a good step-by-step guide about how to roll BitLocker out across the domain and automatically store the encryption keys in Active Directory.

I found this:-

However, it seems to be quite dated (talks about Windows Longhorn) and so I am not convinced it is particularly current.

I have also found these sections:- (seems to only apply to Windows 8 and not Windows 7) (seems to only apply to Server 2008 and not Server 2012)

Can anyone point me in the direction of any more relevant documentation than this?

Surely I can't be the only person trying to do this with Windows 7 and Server 2012?

Any pointers or clearer documentation would be appreciated!

FriendlyIT Infrastructure Team asked:

You seem to be using Win 7. BitLocker is available only for Windows 7 Ultimate or 7 Enterprise (and higher versions of Windows, like Win 8.1).
Here is a tutorial for BitLocker, but it will only be useful if you are running these versions of Win7.

First, step back from trying to follow a manual without a fully mature concept.
Let me give you some questions, try to answer them and those, you cannot answer, try finding out about the factors involved, do some internet research and then, one by one let's answer them here. Without having an answer to all of those, I would not want to proceed if I were you.

1. What BitLocker functions are there for OS drives as opposed to removable drives?
2. Which of those do I need?
3. Do my OSes offer the functions I need?
4. What is it about a TPM that, with default settings, only TPM machines may use BitLocker?
5. What would it mean for security not to use a TPM?
6. What does BitLocker call a protector?
7. What protectors can I use?
8. Depending on the chosen protector(s) and the rest of the setup, what attack types are still possible, and can I live with that?
9. What is MBAM and am I entitled to use it?
10. How could we initiate the encryption and what options are there for it?
11. Who would have access to the protectors and their backup information?
12. How would we back up and restore the encrypted drives' contents?
13. What would we do if someone is unable to start their computer because of OS corruption?
14. What do we do if someone cannot start their machine because of BitLocker?
btan, Exec Consultant, commented:
The link below which you also shared should be good - do spend some time understanding BL, as the fundamentals of rolling out HDD encryption are the same, i.e. asset prep, planning out the rollout, identifying authentication means, deployment via central or standalone, leveraging MBAM features such as BL-related GPOs, key provisioning and recovery backup, knowing the process for forgotten passwords, BL HDD crashes etc. The higher OS versions just add more features and manageability.

The link below which you shared is a good starter - if you see the GPO setting section, the doc also highlights when each setting was introduced - it states Win7 / Win2K8 R2, where I do not think that material is not relevant. One good doc is also reading through the BL FAQ, which helps too (at least for me ...)


FriendlyIT Infrastructure Team (author) commented:
Thanks for the responses everyone. So we are going to manually encrypt the drives when we image them, but need to store the decryption data in AD automatically. We want things to automatically get written to AD when we encrypt the system drive on these devices. This is the step that I am not clear on.

jcimarron - yes we are using Windows 7 Enterprise - as I mentioned, we have already encrypted some manually which we wouldn't have been able to do if we didn't have a compatible OS.
Thanks for the link but it largely tells me the bit I already know about.

mcknife - thanks for all the questions back - I think we know a lot of this already, but I will have a look down the list. Are you asking me to give you answers to all of these? I am not clear on how we get access to MBAM as our environment is IaaS - any guidance?

btan - thanks for flagging that as the most relevant link I posted; however, I still can't see where the information is about setting up the AD stuff I mentioned at the top?
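
As an added example, not taken from any post in this thread: when the "Store BitLocker recovery information in Active Directory Domain Services" policy is in effect, each recovery password ends up as an msFVE-RecoveryInformation child object under the computer's account in AD. The PowerShell report below, run from a Server 2012 machine with the Active Directory module (RSAT), lists which computers in an OU have such objects and which have none, so the unrecoverable machines can be found before they leave the building. The OU path is a placeholder; the function names are mine.

```powershell
# Added example, not from the thread. Run on a domain member with RSAT / the
# ActiveDirectory module (Server 2012 or Windows 8). The OU below is a placeholder.
Import-Module ActiveDirectory

function Get-BitLockerBackupReport {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase
    )
    # One row per computer: how many recovery passwords AD holds for it, and the newest one.
    # Counting the child objects only needs read access to the computer object; the
    # recovery password attribute itself (msFVE-RecoveryPassword) is never requested.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem
    foreach ($c in $computers) {
        $keys = @(Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                    -SearchBase $c.DistinguishedName -SearchScope OneLevel -Properties whenCreated)
        $newest = $null
        if ($keys.Count -gt 0) {
            $newest = ($keys | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
        }
        New-Object PSObject -Property @{
            Computer     = $c.Name
            OS           = $c.OperatingSystem
            RecoveryKeys = $keys.Count
            NewestKey    = $newest
        }
    }
}

# Computers with no recovery information in AD are the ones that cannot be unlocked
# from the help desk if a user forgets a PIN or the TPM is cleared or replaced.
Get-BitLockerBackupReport -SearchBase 'OU=Laptops,DC=example,DC=com' |
    Where-Object { $_.RecoveryKeys -eq 0 } |
    Sort-Object Computer |
    Format-Table Computer, OS, RecoveryKeys, NewestKey -AutoSize
```

Drop the `Where-Object` filter to see every computer with its key count; a machine showing several keys is normal after re-encryption or after a recovery password was regenerated, since old objects are not deleted automatically.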
btan, Exec Consultant, commented:
To roll out BL, it is better to go into MBAM, Microsoft BitLocker Administration and Monitoring.
Specifically you need to drill into the deployment aspect, and there is a checklist as well; also use SCCM to roll out a package for pushing the MBAM client installation.
Deploy the MBAM Client as part of a Windows deployment

In organizations where computers are received and configured centrally, you can install the MBAM Client to manage BitLocker Drive Encryption on each computer before any user data is written to it. The benefit of this process is that every computer is then BitLocker Drive Encryption-compliant. This method does not rely on user action because the administrator has already encrypted the computer. A key assumption for this scenario is that the policy of the organization installs a corporate Windows image before the computer is delivered to the user. If the Group Policy settings have been configured to require a PIN, users are prompted to set a PIN after they receive the policy.
Overall -
Deploying MBAM client -

Another one, besides TechNet: there is some old sharing, but it does help to summarize what needs to be done.

For SCCM - below is good coverage: Step By Step Guides - System Center 2012 R2 Configuration Manager. There is some mention of BL in case you need it ..

"Are you asking me to give you answers to all of these?" - as you like. I am sure one should be able to answer all these questions before starting with anything. So we could help you solve those you cannot answer yourself.
IaaS - what exactly is cloud based? Or what should that mean? MBAM is downloadable by enterprise customers through the Volume Licensing center.

About your biggest concern, the AD backup: here's a screenshot. Same to do for OS drives.
FriendlyIT Infrastructure Team (author) commented:
We do not use SCCM so that isn't relevant.

I'm still trying to understand if we qualify for MBAM or not? We have SA on the desktops. Servers are all VMs in an IaaS environment. In other words we only have control from the OS up. They look after the licensing at a server level as it is on their hardware platform.

I think you do. Look at the description of MDOP, which features MBAM as well:
btan, Exec Consultant, commented:
SCCM is recommended, but without it you can still do it via GPO to roll out the BitLocker settings with the ADMX template to all domain machines. Just that you cannot seamlessly trigger encryption with oversight of all machines. It has to be done manually with a script at login etc. Here is an example for BitLocker via task sequence..
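
As an added example, not from btan's post or any Microsoft document: the "script at login" approach for the Windows 7 clients, written in PowerShell 2.0 syntax so it runs on Windows 7 as a GPO computer startup script. Windows 7 has no BitLocker PowerShell module (that came with Windows 8), so the script wraps manage-bde.exe: it adds a TPM protector and a recovery password, pushes the recovery password into AD DS with `-adbackup`, and only then starts encryption, so the key is in AD before a single block is encrypted. It assumes the AD schema contains the BitLocker attributes, the "store recovery information in AD DS" policy is enabled, the script runs elevated (SYSTEM at startup), English manage-bde output, and a ready TPM; the non-TPM machines mentioned in the question are skipped with a warning, because they need the "Allow BitLocker without a compatible TPM" policy and a startup key protector, which this script deliberately does not configure. Function names and the drive letter are my assumptions.

```powershell
# Added example, not from the thread. PowerShell 2.0 / Windows 7 Enterprise, run
# elevated (e.g. as a GPO computer startup script). Wraps manage-bde.exe because
# Windows 7 has no BitLocker PowerShell module; output parsing assumes English text.
$Drive = 'C:'

function Test-TpmReady {
    # Windows 7 has no Get-Tpm; ask the Win32_Tpm WMI class whether the TPM is enabled, activated and owned.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return $false }
    return [bool]($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Get-ConversionStatus {
    param([string]$Drive)
    # "Conversion Status:" is one of Fully Decrypted, Encryption in Progress, Fully Encrypted, ...
    foreach ($line in (manage-bde -status $Drive)) {
        if ($line -match 'Conversion Status:\s+(.+)$') { return $matches[1].Trim() }
    }
    return 'Unknown'
}

function Get-RecoveryProtectorIds {
    param([string]$Drive)
    # Every Numerical Password protector is listed with an "ID: {GUID}" line.
    $ids = @()
    foreach ($line in (manage-bde -protectors -get $Drive -Type RecoveryPassword)) {
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $ids += $matches[1] }
    }
    return $ids
}

function Backup-RecoveryPasswordToAD {
    param([string]$Drive)
    $ids = Get-RecoveryProtectorIds -Drive $Drive
    if ($ids.Count -eq 0) {
        # No recovery password yet (e.g. a hand-encrypted machine with only a TPM protector): create one.
        manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
        $ids = Get-RecoveryProtectorIds -Drive $Drive
    }
    foreach ($id in $ids) {
        # Writes the protector as an msFVE-RecoveryInformation object under this computer's AD account.
        manage-bde -protectors -adbackup $Drive -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $id for $Drive failed (exit $LASTEXITCODE)" }
    }
    return $ids
}

if (-not (Test-TpmReady)) {
    Write-Warning "TPM not ready on $env:COMPUTERNAME; a non-TPM machine needs the 'without a compatible TPM' policy and a startup key. Skipping."
    exit 1
}

$status = Get-ConversionStatus -Drive $Drive
if ($status -eq 'Fully Decrypted') {
    # Order matters: protectors first, so the recovery password is in AD before any data is encrypted.
    manage-bde -protectors -add $Drive -TPM | Out-Null
    Backup-RecoveryPasswordToAD -Drive $Drive | Out-Null
    # Encryption starts in the background after the TPM hardware test at the next restart.
    manage-bde -on $Drive
} else {
    # Already encrypted (the manually imaged machines in the thread): only make sure AD holds the key.
    Backup-RecoveryPasswordToAD -Drive $Drive | Out-Null
}
"$env:COMPUTERNAME $Drive status: $(Get-ConversionStatus -Drive $Drive)"
```

To check a single machine afterwards, `manage-bde -protectors -get C:` prints the recovery password's ID; that same GUID appears in the name of the msFVE-RecoveryInformation object under the computer account in Active Directory Users and Computers (with the BitLocker Recovery tab installed), which is the quickest way to confirm the backup actually landed.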

For info, SCCM is in no way required, it doesn't even tie into it, it's just a way to deploy the client. You need MDOP
FriendlyIT Infrastructure Team (author) commented:
Thanks. It does look like we have access to MDOP. I think there is enough information here to be getting on with and I'll open a new question if anything in particular crops up that we get stuck with.
btan, Exec Consultant, commented:
Thanks for sharing
FriendlyIT Infrastructure Team (author) commented:
So after posting another question about this, here is the step-by-step guide we ended up with:-

This is the full working solution.