Disable BitLocker Active Directory Dependency

Let’s imagine that you have a Windows 7 system that was imaged from your primary Windows 7 image, the one built to connect easily to your infrastructure’s domain.  Let’s also imagine that you don’t want to add this particular system to the domain; you just want to use it for a separate purpose and save time by reusing the image.  Finally, imagine that you want this system to have BitLocker enabled.  Your system meets all of Microsoft’s BitLocker requirements, but when you try to enable BitLocker you get a nasty error: “BitLocker could not contact the domain.  Ensure that you are connected to the network or contact your system administrator.”

At this point you have done a ton of research on how to turn off the Active Directory dependency for BitLocker, but have yet to find a solution.  The cause is that the image still carries the domain’s BitLocker and TPM policy settings in its local Group Policy, and those settings refuse to turn on BitLocker until recovery information has been escrowed to AD DS, which an off-domain machine cannot reach.  Before you jump off the roof of your building, read below, as I have your solution:

  1. Open gpedit.msc (as an administrator).
  2. Navigate to: Computer Configuration > Administrative Templates > System > Trusted Platform Module Services.
  3. Disable the setting: Turn on TPM backup to Active Directory Domain Services.  This is probably the evil setting that is causing you all the problems: with its “Require TPM backup to AD DS” option on, the TPM cannot be initialized without a domain controller.  But, just in case, continue on to the steps below anyway.
  4. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  5. Disable the setting: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista).
  6. You may need to disable one more setting.  Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  7. Disable the setting: Choose how BitLocker-protected operating system drives can be recovered.  Its “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives” option is what produces the “could not contact the domain” message when no domain controller is reachable.  Setting the policy to Disabled or Not Configured both clear that requirement.
  8. Run gpupdate /force (or reboot) so the changed local policy is written to the registry before you retry the BitLocker wizard.

Once all those Group Policy settings are disabled, your non-domain-connected PC should have no (AD-related) problems setting up BitLocker.  Two caveats.  First, this only works because nothing overrides the local policy: if the PC is (or later becomes) domain-joined, the domain GPO rewrites these settings at every policy refresh and your gpedit.msc changes will not stick; check the effective policy with gpresult /r or rsop.msc.  Second, you have just turned off the only automatic escrow of the recovery password, so when the wizard offers to save the recovery key, save it to a USB drive or a file that is not on the volume being encrypted, or print it; you can also read it later from an elevated prompt with manage-bde -protectors -get C:.  Without that key, a TPM clear, a firmware update or a motherboard swap leaves the drive unrecoverable.
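Here is an added example, written for this page and not part of the original post, that checks which of the policies from the steps above are still in effect on the machine, so you can tell whether your gpedit.msc change actually took (or whether a domain GPO put the values back).  It reads the policy registry keys that gpupdate writes; the value names are the ones I understand the BitLocker and TPM administrative templates map these policies to, so treat them as an assumption and confirm against your own templates if a row looks wrong.  An absent key or value is reported as Not Configured.

```powershell
# Added example (not from the original post): report which BitLocker/TPM
# Group Policy values currently in effect still require Active Directory
# escrow. The policy engine (local or domain) writes the gpedit.msc settings
# to the keys below; the value names are assumed to be those used by the
# BitLocker (FVE) and TPM administrative templates. Missing = Not Configured.
# Run from an elevated PowerShell prompt; the trailing call prints the report.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (Not Configured).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BitLockerAdDependency {
    $tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Each row: policy display name, registry key, the "backup to AD DS" value
    # and the "require backup before enabling" value. Rows 1-3 are the three
    # policies from the steps above; the fixed and removable drive rows cover
    # the sibling policies under BitLocker Drive Encryption.
    $checks = @(
        @{ Policy = 'Turn on TPM backup to Active Directory Domain Services';
           Key = $tpm; On = 'ActiveDirectoryBackup';    Require = 'RequireActiveDirectoryBackup' },
        @{ Policy = 'Store BitLocker recovery information in AD DS (Server 2008 / Vista)';
           Key = $fve; On = 'ActiveDirectoryBackup';    Require = 'RequireActiveDirectoryBackup' },
        @{ Policy = 'Choose how BitLocker-protected operating system drives can be recovered';
           Key = $fve; On = 'OSActiveDirectoryBackup';  Require = 'OSRequireActiveDirectoryBackup' },
        @{ Policy = 'Choose how BitLocker-protected fixed drives can be recovered';
           Key = $fve; On = 'FDVActiveDirectoryBackup'; Require = 'FDVRequireActiveDirectoryBackup' },
        @{ Policy = 'Choose how BitLocker-protected removable drives can be recovered';
           Key = $fve; On = 'RDVActiveDirectoryBackup'; Require = 'RDVRequireActiveDirectoryBackup' }
    )

    $blocking = @()
    foreach ($c in $checks) {
        $on  = Get-PolicyValue $c.Key $c.On
        $req = Get-PolicyValue $c.Key $c.Require
        $state = if ($null -eq $on) { 'Not Configured' } elseif ($on -eq 1) { 'Enabled' } else { 'Disabled' }
        $line = '{0,-82} {1}' -f $c.Policy, $state
        # Only "Enabled" plus "Require" blocks the wizard off-domain; a plain
        # "Enabled" just attempts the backup and carries on.
        if ($on -eq 1 -and $req -eq 1) {
            $line += '  <-- requires AD DS escrow before BitLocker can be turned on'
            $blocking += $c.Policy
        }
        Write-Output $line
    }

    # Domain-joined machines get these values rewritten from the domain GPO at
    # every refresh, so a local gpedit.msc change will not stick there.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $msg = "This machine is joined to '{0}'; domain policy overrides local policy. Run 'gpresult /r' to see which GPO sets these values." -f $cs.Domain
        Write-Warning $msg
    }

    if ($blocking.Count -eq 0) {
        Write-Output 'No policy in effect requires AD DS escrow; BitLocker should not need a domain controller.'
    } else {
        Write-Output 'Disable the policies marked above (or clear their "Require ... AD DS" option), then run gpupdate /force and retry.'
    }
    return $blocking
}

Test-BitLockerAdDependency
```

If the report shows a policy as Enabled with the escrow requirement after you set it to Disabled in gpedit.msc and ran gpupdate /force, something other than local policy owns that value, which is exactly the domain-override situation the comments below run into.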

  • Cliffordcousa

    Hello… I did everything specified in this recommendation and BitLocker is still giving the error: “BitLocker cannot contact domain” …. Is there any other setting that can be applied? Alternately, my computer is connected to a domain – does this override all other settings in gpedit?


    • slashsarc

      I apologize that the post above didn’t solve your problem. In my instance, my system was *not* connected to the domain, but I was using a domain image. You might be having a problem in that a domain policy is getting pushed such that the local group policy is being ignored.

      Check to see if this post is helpful: http://social.technet.microsoft.com/Forums/en-CA/w7itprosecurity/thread/3a0f02bc-56f7-4b5a-acb2-e13b82f9e200

      • Victor Vee

        Below this setting… Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

        There is a setting to

        Control the use of BitLocker on removable drives
        and next (on the left options)
        Allow users to apply BitLocker protection on removable data drives

        When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose “Allow users to apply BitLocker protection on removable data drives” to permit the user to run the BitLocker setup wizard on a removable data drive.

  • Solf

    I have my PC on a domain, and recently I logged in to the local network for some work and my PC got security settings updated.
    Now I cannot use a removable drive without encrypting it with BitLocker. Trying to remove this I went to gpedit.msc and changed this setting to disabled, but the system is ignoring this setting.

    I did this:
    Click Start, Run.
    Type gpedit.msc and press Enter. That triggers a UAC confirmation warning. Click Confirm to continue.
    Drill down to Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption.
    Double-click on Control Panel Setup: Enable advanced startup options, then click on Enabled to enable changes to the policy.

    But the system seems to be ignoring this. How do I revert the Active Directory changes back locally to let the PC use a removable drive without encrypting it?

    I have administrator rights on the PC.


    • slashsarc

      I’m not quite sure I fully understand. Are you still connected to a domain that is pushing those policies? As long as your PC is connected to a domain that has that policy being pushed, you shouldn’t be able to make changes to your local system’s settings.

      Alternatively, I would examine other systems that are working properly, and try to find differences in the GP settings.

      Good Luck!

Copyright © /sarc All Rights Reserved · Using modified version of Green Hope Theme by Sivan & schiy · Proudly powered by WordPress