Take a look here: https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx
Your GPO looks right (comparing to mine), but you do have to make some security changes in AD so that the computer has the necessary permissions to save the BitLocker key in AD.

DAMIEN SOLODOW
IT Engineering Lead
317.447.6033 (office)
HARRISON COLLEGE

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Friday, December 8, 2017 2:29 PM
To: ntsysadm <NTSysADM@lists.myitforum.com>
Subject: [NTSysADM] Still stumped by bitlocker

If anyone cares to comment on this, I'd appreciate it.

I'm working on an older laptop with a TPM 1.2 chip (Dell Latitude E6530). I've tried with PPI provision and PPI deprovision both selected and deselected, with no difference in my results.

I've reset the chip multiple times, with the following results:

After resetting the chip, if the computer is in an OU with no GPOs, and I reboot a couple of times so that there are no applied GPOs, I can use the following command, and it starts encrypting just fine:

"enable-bitlocker C: -SkipHardwareCheck -TpmProtector"

If I clear the TPM chip (either in BIOS or through tpm.msc) and put the computer in my test OU with the GPO, it does three things:

- A first reboot, nothing happens. No errors, and BitLocker doesn't start
- At second reboot, if PPI Provision/Deprovision are deselected, it gets an error with the run of the startup script: [Inline image 2]
- At second reboot, if PPI Provision/Deprovision override are selected, I do not see the popup error above, but BitLocker still doesn't start.

In all cases after reboot while the GPO is applied, if I run the enable-bitlocker command above, I get the following: [Inline image 1]

After resetting the TPM chip, I do see a lot of TPM and TPM-WMI event log entries, one of which indicates that the system is taking ownership of the chip (eventID 1027 TPM-WMI).

This is the relevant portion of the output from "gpresult /h" - I've had the "Allow data recovery agent" in both states, enabled and disabled, with no difference in the results: [Inline image 3]

Kurt
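A diagnostic for the situation the thread describes, added here and not code from either poster: it checks TPM ownership, the BitLocker state of C:, forces a recovery-password backup to AD DS (which surfaces a permissions problem on the computer object as an explicit error instead of a silent non-start), and then reads back the msFVE-RecoveryInformation objects under the computer account. It assumes the BitLocker and ActiveDirectory (RSAT) PowerShell modules are installed and that the caller can read the computer object; no recovery passwords are displayed.

```powershell
# Added diagnostic, not from the thread. Assumes BitLocker and ActiveDirectory
# modules are available and the session can read the computer object in AD.

# 1. TPM state: the problem appears after clearing the chip, so confirm Windows
#    has taken ownership again before blaming the GPO.
$tpm = Get-Tpm
"TPM present={0} ready={1} owned={2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned

# 2. Volume state and the protectors that already exist on C:.
$vol = Get-BitLockerVolume -MountPoint 'C:'
"C: status={0} protection={1}" -f $vol.VolumeStatus, $vol.ProtectionStatus
$vol.KeyProtector | ForEach-Object { "  protector {0} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId }

# 3. A numerical recovery password is what the AD backup GPO stores, so make sure
#    one exists, then push it to AD explicitly. If the computer object lacks write
#    rights for msFVE-RecoveryInformation, this call fails with a visible error.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
try {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp[0].KeyProtectorId -ErrorAction Stop
    'AD backup call succeeded'
} catch {
    "AD backup failed: $($_.Exception.Message)"
}

# 4. Verify independently in the directory: each backed-up recovery password is a
#    msFVE-RecoveryInformation child object of the computer account.
$dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$entries = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated
"{0} recovery object(s) stored in AD for {1}" -f @($entries).Count, $dn
$entries | ForEach-Object { "  stored {0}" -f $_.whenCreated }
```

Run it from an elevated session on the affected laptop while the test OU's GPO is applied; a failure in step 3 with a success in the no-GPO OU points at the AD permissions rather than the TPM or the policy settings.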