Below are some screenshots for configuring BitLocker in both TPM Only and TPM+PIN modes. These policies also automatically store recovery keys in Active Directory, where they appear on the BitLocker Recovery tab of the computer object in Active Directory Users and Computers (ADUC). If you are configuring AD to store BitLocker recovery keys, first verify your AD schema version; see the link in the "Additional Resources" section.
The policy Interactive logon: Machine account lockout threshold is set to 10 failed logons; once that threshold is reached the machine reboots into BitLocker recovery mode. This helps prevent brute-force attacks against the Windows logon screen and is strongly recommended, especially with TPM Only, since in that mode there is no pre-boot PIN and the logon screen is the only barrier between someone holding the device and the data. Note that a locked machine will only come back with the 48-digit recovery password, so make sure the AD escrow described above is actually working before you enable the lockout.
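The procedure the screenshots cover, done from PowerShell instead of the GUI, as an added example that is not part of the original post: enable BitLocker on the OS drive with a TPM+PIN protector, add a recovery password, escrow it in AD, verify the escrow from the AD side, and confirm the lockout threshold is in effect. The drive letter, the expectation of threshold 10 and the use of the RSAT ActiveDirectory module are assumptions; the cmdlets, the msFVE-RecoveryInformation object class and the MaxDevicePasswordFailedAttempts registry value are the real ones.

```powershell
# Added example (not from the original post): BitLocker TPM+PIN with AD escrow,
# then verification of the escrow and of the machine account lockout threshold.
# Assumes a domain-joined Windows 10 client with RSAT installed and the
# "Store BitLocker recovery information in AD DS" policy already applied.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module ActiveDirectory   # RSAT; only needed for the AD verification step

$OsDrive = 'C:'   # placeholder: the OS volume

# Prompt for the PIN rather than hard-coding it; Enable-BitLocker expects a SecureString.
$Pin = Read-Host -Prompt 'Enter the BitLocker pre-boot PIN' -AsSecureString

# 1. Pre-boot protector. For the TPM Only mode use -TpmProtector and drop -Pin.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin -SkipHardwareTest

# 2. The recovery password protector is what gets stored in AD, so add one.
$Volume = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$RpProtector = $Volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1

# 3. Escrow that protector under the computer object (msFVE-RecoveryInformation child).
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $RpProtector.KeyProtectorId

# 4. Verify from the AD side: the child object should exist and carry the password.
$Computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Select-Object Name, whenCreated, msFVE-RecoveryPassword

# 5. Confirm the "Interactive logon: Machine account lockout threshold" policy is
#    applied. It is backed by this registry value; 10 is the value from the post.
$Threshold = Get-ItemPropertyValue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'MaxDevicePasswordFailedAttempts' -ErrorAction SilentlyContinue
if ($Threshold -eq 10) {
    'Machine account lockout threshold = 10, as expected'
} else {
    "Machine account lockout threshold is not 10 (found: '$Threshold'); check the GPO"
}
```

Step 4 is the check worth keeping as a scheduled job: if the policy is applied but the schema is too old or the computer object lacks write access to itself, step 3 throws and no msFVE-RecoveryInformation object appears, which is exactly the situation in which the lockout threshold would lock you out of your own machine.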
Delegating the Right to View Bitlocker Recovery Keys
Note: To view the BitLocker Recovery tab in ADUC on Windows 7 you may need to add the BitLocker Recovery Password Viewer feature (part of RSAT) through appwiz.cpl ("Turn Windows features on or off"); on Windows 10 it should be visible as soon as the GPO is applied.
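The delegation itself, as an added example that is not part of the original post: grant a helpdesk group read access to the escrowed recovery passwords and nothing else in the OU, then read the ACL back to confirm. The OU path and group name are placeholders; dsacls is the built-in tool, and the ACE string (Generic Read on child objects of class msFVE-RecoveryInformation, inherited to sub-objects) is the form I would use, stated here as the assumed recipe rather than something taken from the post.

```powershell
# Added example (not from the original post): delegate read access to BitLocker
# recovery passwords to a group, then verify the resulting ACE.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$Ou    = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU holding the computers
$Group = 'CORP\BitLocker-Recovery-Readers'       # placeholder helpdesk group

# Grant Generic Read (GR) only on objects of class msFVE-RecoveryInformation,
# inherited to sub-objects of the OU (/I:S). Computer objects themselves and
# other attributes in the OU are not exposed by this ACE.
dsacls $Ou /I:S /G "${Group}:GR;;msFVE-RecoveryInformation"

# Verify: list the ACEs on the OU that name the group. Expect an inherit-only
# entry scoped to msFVE-RecoveryInformation objects.
dsacls $Ou | Select-String -Pattern 'BitLocker-Recovery-Readers'

# Optional end-to-end check from a member of the group: this should return the
# recovery passwords under the OU, and nothing when run as a non-member.
Get-ADObject -SearchBase $Ou -SearchScope Subtree `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword' |
    Select-Object DistinguishedName, msFVE-RecoveryPassword
```

Scope the delegation to the OU that holds the encrypted workstations rather than the domain root, and keep the group small: anyone who can read these objects can unlock every escrowed drive under that OU.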
Additional Resources
http://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/