BitLocker implementation in AD, replacing existing 3rd party encryption


Hello,
We need to deploy BitLocker in an AD environment on Windows 10 180x version systems.
Previously, the disks on the laptops were encrypted with some other 3rd party product. The end goal is basically to replace this product with BitLocker and provide the same functionality as before:
The user boots up his laptop directly to the OS login prompt without any prompts for additional security such as a PIN or smart card during boot. In exactly the same manner as it works with the existing 3rd party product.
In order to prepare the environment for the deployment of BitLocker, we have decrypted the disks on several test machines and created a GPO to store the corresponding BitLocker data in AD, along with some other settings. If required, I can share all the corresponding details.

When running Get-TPM I see the following:
1.jpg 

Are we able to start encrypting the disk at this point in time?
Is there anything else we need to take into account?

 

When I try to enable encryption using the following command:
Enable-BitLocker -MountPoint "C:" -TpmProtector

I'm getting the following error:
2.jpg

 

When I bring up tpm.msc, I see the following options:
3.jpg


It seems that I need to initialize it first and then run the encryption; is my assumption correct?
If so, is it possible to do this completely remotely?


Thank you.

0 Replies
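
Added example, not part of the original post: one way to sequence the checks the post asks about (TPM readiness, then recovery-key escrow to AD, then the TPM-only protector) over PowerShell remoting. It assumes WinRM is enabled on the target, that the BitLocker-to-AD GPO already applies, and uses the placeholder host name LAPTOP-TEST01.

```powershell
# Added example. 'LAPTOP-TEST01' is a placeholder host name (assumption).
$target = 'LAPTOP-TEST01'

Invoke-Command -ComputerName $target -ScriptBlock {
    $ErrorActionPreference = 'Stop'   # abort before encrypting if any step fails
    $mount = 'C:'

    # 1. Inspect TPM state before touching BitLocker.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM detected; a TPM protector cannot be used.' }

    # 2. Provision the TPM if Windows does not report it as ready.
    if (-not $tpm.TpmReady) {
        $init = Initialize-Tpm
        if ($init.RestartRequired -or $init.ShutdownRequired -or $init.ClearRequired) {
            # Some firmware needs a reboot or a physical-presence confirmation
            # at the console; that part cannot be completed remotely.
            throw "TPM provisioning needs further action: $($init | Out-String)"
        }
    }

    # 3. Only proceed on a volume the previous product has fully decrypted.
    $vol = Get-BitLockerVolume -MountPoint $mount
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "Unexpected volume status: $($vol.VolumeStatus)"
    }

    # 4. Create a recovery password and escrow it to AD before encrypting,
    #    so no machine ends up encrypted without a recoverable key.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 5. TPM-only protector (no pre-boot PIN): boots straight to the logon prompt.
    #    Without -SkipHardwareTest, encryption begins after the next restart.
    Enable-BitLocker -MountPoint $mount -TpmProtector | Out-Null

    # Return the resulting state for review.
    Get-BitLockerVolume -MountPoint $mount |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
}
```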