This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A Bit Confused About Group Policy

Hi All,

I am currently deploying Bitlocker Encryption for my Windows 10 laptops, and I thought all was going well. I have a policy in Sophos Encryption that enforces encryption and requires startup authentication, I assign a license to the laptop, then add it to the policy.

This appears to work quite well, the user gets prompted to kick off the encryption process with a "pin" and after a reboot all is well. The most recent laptop however apparently did not ask the user for a password but is encrypted by TPM only. 

On looking at the forums for similar problems the usual answer is to check the Bitlocker settings in Group Policy, but I have not configured group policy for Bitlocker as I thought the way I was deploying it did not require it.

My 2 questions are: 1. Do I need to use group policy? 2. How do I rectify the TPM only encryption issue with this one laptop?

All laptops and PC's have pretty much the same setting applied to them via Group Policy in the Domain.

 

Regards,

 

Colin



This thread was automatically locked due to age.
Parents
  • Hi Colin - It may be the laptop is hybrid and you have conflicting GPO's set that prevent applying the TPM AND PIN policy.

    This is normally by design, and not a mistake. Early Surfaces and other tablet manufacturers didn't used to support a keyboard at boot (you may remember some devices had to use the volume buttons to control UEFI/BIOS)

    So - If you set a PIN on this device - You'd have no way to type it in when the PC booted! Unless you had a USB keyboard too hand?

    If the PC DOES support its keyboard at boot you could "force" the PIN option by using the following at an elevated command prompt (without the quotes)

    "manage-bde -protectors -add c: -TPMAndPIN"

     

    GPO's ARE needed as well as Sophos policies, you need them to set policies such as this and also to prevent the recovery key backing up into AD (As Sophos is now backing up this keuy for you)

  • Hi Michael,

    Unfortunately your answer just adds to my confusion, let me explain why. I deployed 2 identical laptops, same OS same default GPO settings (no specific Bitlocker settings) same OU etc. I then allocated an encryption license in Sophos and moved them into my Encryption group in Sophos, one user was asked for a password before encryption (the expected behaviour) and now shows as TPM and PIN. The second user was not prompted for a password is but shows as TPM only.

    I have deployed encryption on 14 Windows 10 devices now (without specific Group Policy settings) and this is the only time this has happened.

    Regards,

     

    Colin

  • Hi Colin - A little confused why you're applying individual licences, have you not applied your keys to the server to manage for you? I'd want to have this more automated to be scalable? You could always create a "Encrypted" OU and apply the policies directly to that? That way the PC would just have to be a member of that OU to be automatically encrypted and also have the policies applied?

    Are these new laptops Colin with SSD? Are these drives self-encrypting?

    Many new devices will now come with encrypting drives that are in a 99% state of completion, normally they just need to back up their numeric password (recovery key) and they're done. 

Reply
  • Hi Colin - A little confused why you're applying individual licences, have you not applied your keys to the server to manage for you? I'd want to have this more automated to be scalable? You could always create a "Encrypted" OU and apply the policies directly to that? That way the PC would just have to be a member of that OU to be automatically encrypted and also have the policies applied?

    Are these new laptops Colin with SSD? Are these drives self-encrypting?

    Many new devices will now come with encrypting drives that are in a 99% state of completion, normally they just need to back up their numeric password (recovery key) and they're done. 

Children