We have decided to encrypt our harddrives on our upcoming Windows 8.1 environment using BitLocker.
I had no previous experience with BitLocker, so I started out reading and learning and eventually got it to work. All the necessary information was spread across several TechNet articles, so I decided to put together a post explaining how I did it.
1) Fortunately for me, our domain is running on 2012 servers, so no need to extend the AD schema. You have to though, if you’re running 2003 domain controllers. Here’s something about the topic on TechNet: http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx#BKMK_3
2) What I had to do instead, was to verify that the schema objects was there, and delegate the correct permissions on the OU where my new Windows 8.1 computers are going to be. This is explained in details on TechNet as well. Here: http://technet.microsoft.com/en-us/library/dd875533(v=ws.10).aspx and here: http://technet.microsoft.com/en-us/library/jj592683.aspx#BKMK_addscons
3) Further to that, I configured BitLocker policy settings for the Windows 8.1 clients, enabling the TPM chip to backup BitLocker recoverykeys into AD. These are the exact policies that I apply to my Windows 8.1 OU:
- Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Modul Services:
- Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption:
- Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives:
4) Configuring the task sequence in ConfigMgr was pretty straightforward. 2012 SP1 has added support for pre-provisioning of BitLocker, which means SCCM will start encrypting the disk right after partitioning of the disks, and will be done with the image. Make sure the steps are exactly as on the picture.
5) Finally I installed the BitLocker Drive Encryption Administration tools on my DC’s, which enables me to view the BitLocker recoverykeys on the computer objects in AD.
6) Deploy the task sequence to the proper collection, and make sure the TPM chip is enabled in BIOS and you are set. (You can enable the TPM chip from within the task sequence using a script provided by Lenovo. I will update this post on how to do that ASAP. Download the scripts here: http://support.lenovo.com/en_US/downloads/detail.page?&LegacyDocID=MIGR-68488