This is how you deploy Bitlocker and make everyone fall in love with you.
1. Don’t understand Bitlocker – and read some generic Microsoft guideline which provides you with a generic approach and doesn’t compensate for your lack of understanding
3. Don’t read Adam’s detailed walk-through, and in particular skip the section regarding PCR Settings if you are deploying this in a pre-Windows 10 / SecureBoot era.
(or the gist: enable PCR validation: 0, 1, 8, 9, 10, & 11 only for legacy BIOS)
5. Really don’t make an effort to push this forward to a SecureBoot era where the annoyance for all users is minimal.
4. Don’t validate any hardware – any BIOS-versions, TPM versions or anything that could potentially have an impact on the experience of Bitlocker.
5. Don’t test anything and just assume that it works as all the guidelines that say you “must” do this will never have any negative impact (and is there a section which says impact? don’t read it)
(Interactive logon: Machine account lockout threshold should match your account lockout setting and also not be so low that any given user will force the machine into recovery mode every single day)
6. If a user is forced to provide a Bitlocker Recovery Key – don’t reset the platform validation data. Most likely the Bitlocker Recovery key will not show up during the next reboot.
7. Make sure you configure stuff – especially things that contradict the initial setup state of Bitlocker. Future assumptions made by Microsoft will surely not impact you.
8. Sighs. Why? This seems to be required if using the Machine Account lockout threshold….
“Windows Settings” – “Security Settings” – “Local Policies/User Rights Assignment”
“Access this computer from the network” – “BUILTIN\Administrators” – append: “NT AUTHORITY\Authenticated Users”
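For points 2 to 5, here is an added pre-flight audit in PowerShell (example code, not from the original post) that checks the firmware/TPM state, Secure Boot, the legacy-BIOS PCR profile and the machine account lockout threshold against the domain lockout threshold. The `PlatformValidation` and `MaxDevicePasswordFailedAttempts` registry paths are assumptions about where the corresponding group policies are written; the cmdlets need an elevated prompt.

```powershell
# Added pre-flight audit for the BitLocker points above (not from the original post).
# Assumed: the PCR profile GPO lands in HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
# as DWORDs named 0..23 (1 = enabled), and the machine account lockout threshold lands in
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts.
$findings = New-Object System.Collections.Generic.List[string]

# 4. Hardware: firmware type, BIOS version, TPM presence, readiness and spec version
$bios   = Get-CimInstance -ClassName Win32_BIOS
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
"Firmware: $env:firmware_type  BIOS: $($bios.Manufacturer) $($bios.SMBIOSBIOSVersion)"
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  spec: $($tpmWmi.SpecVersion)"
if (-not $tpm.TpmReady) { $findings.Add("TPM is not ready; no TPM protector will be usable") }

# 3. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as 'off'
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }
if (-not $secureBoot) { $findings.Add("Secure Boot off/unsupported; expect PCR-triggered recovery prompts") }

# 2. Legacy-BIOS PCR profile: only PCRs 0,1,8,9,10,11 should be enabled
$pcrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation'   # assumed GPO path
if ($env:firmware_type -eq 'Legacy' -and (Test-Path $pcrKey)) {
    $props    = Get-ItemProperty -Path $pcrKey
    $enabled  = @(0..23 | Where-Object { $props.PSObject.Properties["$_"] -and $props."$_" -eq 1 })
    $expected = @(0,1,8,9,10,11)
    if (Compare-Object $enabled $expected) {
        $findings.Add("PCR profile is [$($enabled -join ',')], expected [$($expected -join ',')]")
    }
}

# 5. Machine account lockout threshold vs. the domain account lockout threshold
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # assumed path
$machineLockout = (Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts
$m = net accounts | Select-String 'Lockout threshold:\s+(\S+)'
$domainLockout = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
"Machine account lockout: $machineLockout  domain lockout threshold: $domainLockout"
if ($machineLockout -and $domainLockout -match '^\d+$' -and [int]$machineLockout -lt [int]$domainLockout) {
    $findings.Add("Machine lockout ($machineLockout) is below the account lockout ($domainLockout); users will trip recovery")
}

if ($findings.Count -eq 0) { "No findings" } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a representative machine of each hardware model before rolling the policy out; every FINDING line is one of the points in the list above that will otherwise show up as a recovery prompt.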