Great video, very instructional. Got an oddball question though: our current network has four separate domain controllers and they all work in parallel. Would installing these features on each domain controller one at a time cause any issues in regards to PCs becoming inaccessible? If we reboot one DC our full domain remains online, though what we're concerned about is if we enable BitLocker backups on one controller and it's out of sync with the others, think it may shut down? Or, is it fine if we install the BitLocker features on each domain controller one at a time? Thanks!
It worked, very helpful, thank you so much for sharing knowledge.
Thank you so much for your video!
Good video.
Thanks!
Thank you very much. Perfect video, very helpful!!!!
Didn't get this part of tutorial. Although I have the GPO configured and applied to the computer, do I have to manually enable BitLocker?
If I want to use TPM, how will the additional authentication be set up?
Is it possible to encrypt Windows 10 client disks by GPO without having to go to the user's machine? The video shows the Key controller GPO, but does not show encrypting disks by AD without the need to activate BitLocker on the user's machine. Thank you very much, and I look forward to it.
You can push the manage-bde toolkit to install BitLocker remotely on the domain machine.
The video is very helpful. I have one query and issue: the above steps are working properly, but what can we do for other drives as well? I have tested it for the D: drive, but in Active Directory only the C: drive key is backed up.
I am facing the same issue, did you find any solution?
Thank you 😊
It works.. Thank you!
I have a small and random case of AD losing BitLocker keys. Is there a way to protect the key from updating to blank, or to back up my keys once they are stored, or something?
This is crystal clear...
Thank you...
I am unable to get the Next button even though I've followed all your steps. Another thing is I am prompted to save recovery keys in Azure AD and I want it to be in on-premises AD. Please help.
I got this message during encryption: Fehlermeldung: Die GPO-Einstellungen für BitLocker stehen in Konflikt
The GPO settings for BitLocker are in conflict
That will really be so helpful...😘😘
Thanks for your valuable informational video.
Does the "Require BitLocker backup to AD DS" mean that BitLocker will automatically enable on computers in the OU? I've found that computers automatically seem to have BitLocker enabled for them. Thanks.
Yes. It will be applicable to all computers stored in the particular OU.
Does anyone know how to increase the number of bad passwords before the BitLocker recovery process starts? It seems to be set to 5 by default but I can't figure out how to change it.
I have got only two options after encrypting C: (save the recovery key to a file, or print it). There is no option for a password.
I mean, what is now true? Should one not use MBAM to save Windows 10 clients' keys in AD?
How to lock the PC when a user enters an incorrect password several times? That user simply gets locked out of his account.
How do you when the user enters the wrong password then goes to BitLocker recovery mode?
OK, member server, but what about client computers? Windows 10
Same process for a Windows 10 client machine as well.
Will this also work if your DC is Server 2016?
Yes..
Very Nice Video.. :)
Is it possible to change the BitLocker key automatically, without resetting it manually from the client computer? If yes, can you please let me know the process, and can it be changed once it is being used?
Please let us know if any process is available.
I am not aware if we can change the key that way. Need to check. I am not sure yet but I don't think it is possible.
Is it possible to automatically unlock the drive without entering a password at startup? Using the keys stored in the TPM chip?
thanks
Nice video. Can you create a script or tell us how we can encrypt the OS hard drive... You have told us how to recover the BitLocker via AD
Thanks for sharing that
Where are the keys stored in Active Directory? (pop)
Open Active Directory Users and Computers snap-in. --> Click the Computers container. --> Right-click on your target computer account and select Properties --> Go to the BitLocker Recovery tab. Here you can view all BitLocker recovery keys that were automatically backed up to AD.
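The same lookup done in bulk, as an added example that is not from the video or from any commenter: it counts the BitLocker recovery objects stored under each computer account in an OU, so machines (or extra drives such as D:) with no key backed up stand out. The OU path is a placeholder, and the script assumes the RSAT ActiveDirectory module and an account permitted to read BitLocker recovery objects.

```powershell
# Added example: audit which computers have BitLocker recovery information in AD.
# It never reads the recovery password itself, only counts and dates.
Import-Module ActiveDirectory

# Assumption: placeholder OU; replace with the OU your BitLocker GPO is linked to.
$SearchBase = 'OU=Workstations,DC=example,DC=com'

function Get-BitLockerBackupStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        # Recovery data is stored as msFVE-RecoveryInformation child objects
        # underneath the computer account (what the BitLocker Recovery tab shows).
        $keys = @(Get-ADObject -SearchBase $_.DistinguishedName `
                    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                    -Properties whenCreated, 'msFVE-VolumeGuid')

        # One volume GUID per protected drive; a machine with C: and D: backed up
        # should show two distinct values here.
        $volumes = @($keys |
            Where-Object { $_.'msFVE-VolumeGuid' } |
            ForEach-Object { (New-Object Guid (,[byte[]]$_.'msFVE-VolumeGuid')).ToString() } |
            Select-Object -Unique)

        [pscustomobject]@{
            Computer  = $_.Name
            KeyCount  = $keys.Count
            Volumes   = $volumes.Count
            NewestKey = ($keys | Sort-Object whenCreated -Descending |
                          Select-Object -First 1).whenCreated
        }
    }
}

# Computers with no recovery information in AD are listed first.
Get-BitLockerBackupStatus -SearchBase $SearchBase |
    Sort-Object KeyCount, Computer |
    Format-Table -AutoSize
```

Running it on a schedule and comparing the output over time also shows whether key objects are disappearing from AD.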
So if I do understand you correctly, this information, that Windows 10 1607 and above is not storing the keys in AD although the setup has been done, is no longer accurate?!
"For Windows 10 1607 and above:
TPM Owner Password is not stored in the AD at all. Even though you can configure GPO on previous operating system (Windows 8/Windows Server 2012 R2) “Turn on TPM backup to Active Directory Domain Services” or registry keys directly on the client machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\ActiveDirectoryBackup = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM RequireActiveDirectoryBackup = 1
Windows 10 1607 will ignore these values.
Another thing which is worth to mention that GPO
Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Turn on TPM backup to Active Directory Domain Services
has been removed from ADMX templates in Windows 10 1607 and Windows Server 2016. Thus most of information provided in this article is for pre Windows 10 1607 editions."
blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/
So if running 1607 or higher, this video is really not worth doing then? There doesn't appear to be a fix or work around either?
How do I configure BitLocker so it does not prompt for a password or recovery key at system boot?
Don't enable the GPO "Requires additional authentication at startup". It's only doing this for the demo because he's using a VM. In the real world you'll be encrypting physical machines and they'll authenticate with TPM
Every time you reboot the machine it will ask for the recovery key! How do you fix that?
Skip the step at 3:42 which is require additional authentication at startup.
@bmx123pro Still asking for password at startup