BitLocker GPOs in Windows 7

BitLocker GPOs in Windows 7

Although there is a GPO "Store BitLocker Recovery information in Active Directory Domain Services", this will not work for Windows 7.
For Windows 7, the policy should be configured under the Operating System Drive, Fixed Data Drive, and Removable Data Drive nodes.

Also, some of the options to specify a PIN+TPM policy are not so easy to understand, so I will post what I have learned from my own experiences.

For a TPM+PIN policy, the following options should be selected:

Configure TPM Startup: Do Not Allow TPM
Configure TPM startup PIN: Require startup PIN with TPM
Configure TPM startup key: Do not Allow
Configure TPM startup key and PIN: Do not Allow

Addition:
To store the BitLocker recovery information in the computer account in the ADS you need to delegate the necessary right to the OU the computers are in.
Please refer to this article:
http://blogs.technet.com/b/askcore/archive/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx

Leave a Comment
  • Please add 7 and 5 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Carsten Siemens edited Revision 7. Comment: Fixed typo and added tag: has comments

  • Jiří Janata edited Original. Comment: mistyped character

Page 1 of 1 (2 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Jiří Janata edited Original. Comment: mistyped character

  • useful, thanks

  • Carsten Siemens edited Revision 7. Comment: Fixed typo and added tag: has comments

Page 1 of 1 (3 items)