@@seanjr4387 Thank you. This entire process did not work. I followed the steps carefully twice on two virtual machines and nothing happens. The task shows in Task Scheduler, and the GPO shows when I do a gpresult /r, but nothing happens. I have made sure the policy is enforced and all settings are correct. Running the script (EnablingBitLocker.bat) in PowerShell ISE shows many errors. I will try it a 5th time along with this video and hopefully I will figure out what I'm doing wrong.
The "Store BitLocker recovery information in Active Directory Domain Services" GPO is only applicable for Windows Server 2008 and Vista. Try reading the shit you're doing before making a video guide on it and misinforming everyone.
If I did a video showing exactly how I did it while using Windows Server 2019!!!!, how did you then draw the conclusion that the BitLocker feature is only available in Windows Server 2008? Just think about it for a second. I did a video and successfully completed this. Here's another clue: if you like, read the other comments and you'll see that others have done it.
Hi. Nice tutorial, but for me: the task doesn't show on the client, and the key does not upload to Active Directory. =====SOLVED===== Edit: OK, there were 2 mistakes/errors: 1. In French, the username is "AUTORITE NT\System", but the mapping is not good with this ID; use the English ID instead (as you showed). 2. In the script, "goto ElevateAccess" blocks the script even if launched in Admin mode. Commenting it out solved the issue.
I've managed to get it to push out with all these settings, but the Task Scheduler doesn't seem to run correctly. It shows it has run but is not starting the encryption, but when you force the task to run manually it works -_- Any ideas?
Something weird happened to me. This procedure worked for me pretty well a couple of months ago, but I tried to run it again and it doesn't work: it creates the Scheduled Task but it runs with operative code 2. Any idea?
Was about to do this on 50 computers spread around the country - thank you for a brief explanation, I felt totally overwhelmed by the deployment-script stage.
I'm going to do some tests and pray for the TPM-modules being activated! :- )
Have been looking for a while and tried a number of things... this worked first time and everything you need is here. Thanks
Thank you SO MUCH! My Admin left and my company is on "hiring freeze" and I need to get this done. I would buy you a cup of coffee if I meet you in person. Thanks once again.
I'm glad I was able to help. It's a challenge I was given myself. I figured it would help someone else. Thank you.
You sir are an absolute legend.
Just tried this...worked perfectly! Thanks!
That's a nice script, well done. Great video as well.
Not bad. To avoid multiple keys, change the scheduled task: go to the Common tab and check the "Apply once and do not reapply" checkbox. Otherwise, every time the device is idle or a login occurs, it will record a new key and eventually have tons in Active Directory. Also, I would have the Group Policy create the scheduled task, not update it, as updating will reset the task as if it has not been run and cause the same multi-key entries. Plus there is a bug where it will mismatch, and it's possible that no key works. Resetting a device later and needing that key will be a real problem. The way we do this is actually to create a registry key via Group Policy that applies the script to RunOnce for the same purpose, but we find it is much more consistent.
Hi @christopherdesouza8334, any tutorial or video for this!!
Really interesting remark,
please share more.
Sean, absolute genius dude! Well done!
Excellent walk-through. Thank You!
Hi Sean, Thank You So much. Works Perfectly in My Company. 10/10 !!! =) =) =)
Do you have a copy of the scripts?
Thanks! Working perfectly!
This worked like a charm! Thanks for the video! One thing I learned was that if a PC has BitLocker On already, you will have to disable it and then reboot and let the policy turn it on in order for AD to pickup the key. AD will not pick up the key except during generation.
Can I disable it for all devices by GPO or manually?
Great video. Thanks for sharing the knowledge. One question though: will the GPO automatically enable BitLocker for a fixed drive and/or a removable drive if configured? Because for the OS drive you used the script with the Task Scheduler to trigger the Enable action. Or do I have to modify the script somehow to include a drive D or E, for example? Any advice will be highly appreciated. Keep up the good work.
Great work Sean Jr.
Works perfectly.
Really appreciate sharing this video, just a question on enabling it on data disks
Amazing tips. Thanks Sean!
Hi
What is the PowerShell argument to enable BitLocker at 7:57?
Can you please share the full PowerShell command?
How can we let the user create the password by themselves?
Example: once the machine starts up or the user logs on, it requires a dialog box for the password? Is there any way to do that?
No one seems to have noticed that the script settings, with a scheduled task set to run at idle, mean that this script will run constantly throughout the day on the PC forever, even after the drive has been encrypted, or until the scheduled task is removed.
Hi Fred... I completely understand your concern. In the script, it's set to ignore the volume if it is already encrypted. But if that's a problem, you can set the task to run once on the computer.
Thanks! worked like a charm
Hi, thank you for the great video, but you updated the policy with admin rights; under a standard user I can't apply the GPO (?
Great video. Your link points to a batch file, but in your video you refer to a PowerShell script.
I'm seeing multiple entries of keys stored on a computer's AD object. Is this a result of the idle time?
Nice instruction - Thanks! What will happen when we migrate to Azure?
The question is, why didn't you choose to encrypt FDE (full disk)? From an organization and protection perspective it's much, much more secure ^^ And what about devices that don't have a TPM module etc.? ;)
Group Policy > Computer Config > Admin Templates > Windows Components > BitLocker Encryption > Require additional authentication > Enable, Allow BitLocker without compatible TPM. Haven't tested it, but give it a shot.
Curious for folks who are getting a successful BitLocker enable but not getting it escrowed into ADDS: what did you do?
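For the two escrow questions above (keys missing from the computer object, and multiple keys piling up on it), the check belongs on the AD side rather than the client. The following is an added example, not the video's script or anything from the channel: run from a management host with the RSAT ActiveDirectory module, it lists the msFVE-RecoveryInformation objects AD stores under each computer and flags both "no key escrowed" and "more keys than volumes". The OU distinguished name and the expected key count are placeholders you would adjust; a computer with zero keys may simply not be encrypted yet, so treat that finding as "check", not "failed".

```powershell
# Added example (not from the video): audit BitLocker recovery-password escrow in AD DS.
# Assumptions: RSAT ActiveDirectory module, an account permitted to read BitLocker
# recovery objects (Domain Admins by default, or a delegated group), and a placeholder OU.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # placeholder OU DN
        [int]$MaxExpectedKeys = 2   # e.g. OS drive + one data drive per machine; adjust to fleet
    )
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # Recovery objects are children of the computer object, one per escrowed password.
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                    -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                    -Properties whenCreated, 'msFVE-VolumeGuid')

        # msFVE-VolumeGuid is stored as raw bytes; counting distinct GUIDs separates
        # "two keys because two drives" from "same drive escrowed again on every idle run".
        $volumes = @($keys | ForEach-Object { [guid]::new([byte[]]$_.'msFVE-VolumeGuid') } |
                     Sort-Object -Unique).Count

        if ($keys.Count -eq 0) { $finding = 'NOT ESCROWED (or not encrypted yet)' }
        elseif ($keys.Count -gt $MaxExpectedKeys -or $keys.Count -gt $volumes) { $finding = 'MULTIPLE KEYS PER VOLUME' }
        else { $finding = 'OK' }

        [pscustomobject]@{
            Computer = $c.Name
            Keys     = $keys.Count
            Volumes  = $volumes
            Newest   = ($keys | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
            Finding  = $finding
        }
    }
}

# The recovery password itself (msFVE-RecoveryPassword) is deliberately never read:
# the audit only needs counts and timestamps, so it runs with the least privilege.
Get-BitLockerEscrowReport | Sort-Object Finding, Computer | Format-Table -AutoSize
```

"Newest" is the creation time of the most recent escrowed key; if it is older than the last time the machine was re-imaged or BitLocker was reset, the key on record will not open the current volume, which is the "no key works" failure described in the multi-key comment above.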
Thanks, seems to work perfectly
Where did he get the script???
I like your video, but you did not show how to create it at 6:01. Please, someone explain to me how to create the file EnablingBitlocker in the folder GEGPO.
Hi Muhammad, I'm glad you like this video. You can download the BitLocker script in the description. I hope this helps.
As per your video, the GPO works fine for me. Can you tell me whether it will work for a system which has multiple drives?
up
Set up all, but computers don't run auto-encryption. Any idea? They can access the bat file. Manually running the bat is fine.
I'm having the same issue.
I have set to run the script under "System", but the script works when I login under an Administrative account, but it does not work when I login under an account without administrative rights.
@@userbox0029 Same here, did you ever find a solution to this? Any help would be appreciated.
@@chaserushing5173 I had to use Task Scheduler to run the script with high privileges at user login.
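Several threads here come down to how the scheduled task is configured (which account it runs as, whether it runs elevated, how often it fires, and why a PowerShell script exits immediately as SYSTEM). The following is an added example, not the video's GPO-deployed task: it registers the same kind of task locally with the ScheduledTasks cmdlets so every setting is visible and scriptable. The task name and script path are placeholders; it assumes the rollout script has already been copied to the local disk so it does not depend on a DC share being reachable at boot.

```powershell
# Added example (not the video's task): register the BitLocker rollout task with
# explicit settings. Placeholders: task name and local script path.
$taskName   = 'BitLockerRollout'
$scriptPath = 'C:\ProgramData\BitLockerRollout\Enable-BitLockerAndEscrow.ps1'  # placeholder

# SYSTEM cannot answer an execution-policy prompt, so a script started without
# -ExecutionPolicy Bypass "closes immediately" under the task even though it
# works when an admin runs it by hand.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Fire at startup, never "on idle": an idle trigger re-runs the script all day
# and, with the original batch logic, can escrow a fresh key on every run.
$trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM at RunLevel Highest: no dependency on the logged-on user being a local
# admin, and no "run this program as an Administrator" branch. The well-known name
# 'SYSTEM' resolves on every OS language, unlike a localized display name such as
# "AUTORITE NT\System" typed into a GPO preference.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# First thing to read when "the task shows but nothing happens": LastTaskResult.
# 0 is success; 2 is ERROR_FILE_NOT_FOUND, which almost always means the script path.
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Because an AtStartup trigger repeats on every boot, the script it launches has to be idempotent (skip volumes that are already encrypted and never add a second recovery password), or it should unregister the task itself once encryption has started.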
Works like a charm!
Thanks for the very useful info. What if the GPO is applied to an OU, what will happen to some PCs where BitLocker is already enabled? Will it re-enable them or will they stay as they are?
Good question!
I'm not sure. I would expect it to automatically add the key to the AD object. It should be a fairly easy test. See what happens when you try to Bitlocker a computer that was already encrypted.
@@seanjr4387 Hi, I found that the script didn't change anything on PCs which are already BitLockered; it didn't even back up the key to AD, so you have to manually back up the key or create a GPO to do so.
Is there an edit to encrypt all fixed data drives as well?
My problem is the TPM chip isn't even activated in BIOS on many systems. Is there a way to activate the TPM chip in the BIOS from the DOS command line or Powershell?
Super useful, thanks
Thank you for creating this video and sharing the script. If we wanted to modify this to include other drive volumes, how would we go about adding "D:", "E:", etc.? Also, do you have a social media / email account you could share? I checked your channel for contact info but was not able to locate that. @Sean Jr thank you again.
What needs to change in the batch file if we want to encrypt a data drive like a D drive?
Did you find the answer? I'm also searching for the same.
@@Siraj_Ather I am also looking to encrypt two disks, C: and D:, on a workstation.
Hi Sean,
First, thank you. I have tested on a virtual environment and it is working, but does this script work only for system drives? Because I have a D drive and it did not enable BitLocker on it.
Is it compulsory to have a TPM in users' computers for this to run? What if we are using a VM?
What would it take to run this batch file with cmd.exe instead of PowerShell? Can anyone convert this?
Hi, is it possible to set in the GPO that, at the time the disk starts to encrypt, the user would be prompted to enter a PIN as an additional layer of security? Mostly for laptops that can be stolen.
You should be able to do this by updating the GPO to require PIN.
Hello, I have applied what you indicate in the video, but BitLocker cannot be applied to drive C:. Could you help me?
Trying to get this to work for hours now...... But it just doesn't want to work. Looks like I have to manually enable BitLocker on 300 computers......
:((
Script worked flawlessly. Just curious, where does the script store the recovery key? Assuming it did not say to save in ADDS.
It's saved in ADDS. Go to the Properties of the Computer Object and you'll see a BitLocker Tab. 12:03 If you're not seeing the tab, you might have to rewatch the video where I install the BitLocker role. I hope this helps.
Thank you!
My issue is that the GP is getting pushed out but the Scheduled Task isn't. Not sure why, but I thought about pushing the script out one time to the PCs since it only has to be run once. Would that work?
You can run the script directly. The Task Scheduler will not show unless you're an Administrator. If it's still not there after opening Task Scheduler as an Administrator, rewatch the video to see if you overlooked something in the video.
Hello Sean JR. Great video and article. But I have a challenge with multilingual clients (German, Spanish): it looks like your script only runs on an English OS. Do you have a solution for this? Many thanks.
Does this script also work on machines with a different language, since the findstr searches for English words?
Is it possible to enable and store the key for fixed data drives?
Yes, we have this option in the GPO; it is called "Choose default folder for recovery password", then define your location.
You can fix it by changing the C drive letter in the script to whatever you want. In my case I changed it to D and created another script.
Hi Sean, I tried but it doesn't work. I run the script manually and I get the message "It looks like your system require that you run this program as an Administrator." What is wrong?
Have you checked the box "Run with highest privileges" on the Task Scheduler?
I have the same problem. I have set the checkmark with "Execute highest priority". What was the solution? Thank you.
I have set to run the script under "System", but the script works when I login under an Administrative account, but it does not work when I login under an account without administrative rights.
Hi sean,
Could you please help me out with enabling fixed drives automatically? I'm a fresher to this field. Please help me out. I'm stuck.
Thanks for your video, but I have tried to run the script, it gives some errors and it is not working! Could you please help me?
Thank you so much for this video. I just want to ask: after I enable the feature (BitLocker Encryption) in our Windows 2016 server and restart, when I open the GPM Editor at Windows Components and select BitLocker encryption, I can't see any folder inside it, unlike yours.
I can see only:
Turn on Bitlocker ......
Control Panel Setup: ......
Control Panel Setup: ......
Control Panel Setup: ......
Configure encryption method
Prevent memory overwrite on restart
Configure TPM .....
Hope anybody can answer my question.. Thanks and much appreciated.
I noticed that the batch file is missing a couple of GOTOs/batch labels:
:VerifyBitLocker
REM manage-bde prints a line such as "Encryption Method: XTS-AES 128"; with a space
REM delimiter token 3 is the cipher name ("AES", "XTS-AES") or "None" when not encrypted
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="AES" goto Inprogress
)
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="XTS-AES" goto Inprogress
)
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="None" goto EncryptionFailed
)
Inprogress and EncryptionFailed do not exist.
This will result in either "The system cannot find the batch label specified - Inprogress" or "The system cannot find the batch label specified - EncryptionFailed".
Unless the intention was to monitor the progress (which I doubt, given the text in the EncryptionCompleted block), I would recommend replacing Inprogress with EncryptionCompleted.
One can also create the block for EncryptionFailed:
:EncryptionFailed
echo.
echo =============================================================
echo = System Volume Encryption on drive (%systemdrive%\) failed. =
echo = The script was able to make it past the TPM steps. =
echo = Encryption was not turned on. =
echo =============================================================
echo Closing session in 30 seconds...
TIMEOUT /T 30 /NOBREAK
Exit
What would be helpful is to get output that explains why the encryption failed, but at least this doesn't result in any errors, and explains that at least the TPM part was passed.
I'd love your fully edited file... I'm script/programming deficient
Even though the GPO is configured, do I need to enable BitLocker manually?
It works without running the batch file
The GPO is telling the computer what to do if BitLocker is enabled, while in the same GPO a script is set to automatically start BitLocker. Remember, the reason for the video is so you don't have to do it manually.
@@seanjr4387 Perfect!!! Really appreciate!
Did anyone get the script to work for all the drives?
Up, I have the same question too.
Hold up. Why would you have to add roles and features when it's definitely already there by default on every single Windows 11 machine???????
The role is so you can create a BitLocker policy. For example, you need a policy telling the script or a user who manually tries to BitLocker their computer to not BitLocker the computer unless the key is stored in ADDS. Plus you'll need the role so you can see the recovery key. I hope this helps.
And this is for your domain controller(s), not on the clients.
That's correct.
What are you using to display the system information on your desktop?
BGinfo
The scheduled task will run, but the script itself does not appear to be running.
If I run the script manually on the local PC, it works fine.
Any ideas what I could check?
Just in case the file is being blocked on the DC share, right-click the file, go to Properties and under the General tab look for the Unblock button. Example: stackoverflow.com/questions/15263523/batch-file-to-unblock-files-copied-from-internet
@@seanjr4387 Hi Sean, thanks for sharing the tutorial and script. Do we necessarily have to place the script on a domain controller, or will any file server do? Thanks in advance.
This only works with a batch file. How do I get a PowerShell script to run instead of a batch file? The script works perfectly when run manually; however, it closes immediately and doesn't even start the transcript when executing as SYSTEM at user login.
What made you configure it to run at User Login and not via Task Scheduler at system startup?
@@seanjr4387 My script is enabling BitLocker and initializing the TPM. The file is hosted on a DC; the network is not available at startup for laptops.
@@seanjr4387 Actually, the startup script works fine now. So never mind; however, it would still be nice to know the solution. I could see maybe needing to schedule a task as SYSTEM to run a PowerShell script from a network drive. Absolutely nothing I have tried will allow the SYSTEM account to get past execution policy restrictions.
@@MikesGarageWorks I used a bat file too because the script didn't work for me. How did it work for you?
@@SinodosAmaha I ended up placing it as a startup script in the GPO and hosted the script on NETLOGON. The script is PowerShell and runs before login.
WHERE DID YOU GET THE BATCH FILE FROM? HOW DID U CREATE IT? ANY VIDEO FOR THAT? SORRY ABOUT THE CAPS
The URL to download the script/batch file is in the description.
Search GitHub.
Hi Sean
Some drives are not showing in the BitLocker option. How to solve the problem? Please reply.
I have the same question. Meaning that it works only for the system drive itself.
Hello, I need some help because this doesn't work on some PCs: the scheduled task is present but encryption won't start and the key is not saved in AD. I have 20 PCs failing on this; on others it works perfectly. Thanks for the help. Is there any log or something to troubleshoot?
Check all steps in the video again, and all devices must have TPM 1.2 or newer so this can work.
Issue here: we have French W10 Pro computers and it's not working in French... in English all good. Can you provide more info?
I have the same problem, but with the Spanish version, both for Windows 10 and Windows 11. In the English version it works wonderfully for me.
Thanks Sean Jr. Super!
I managed to test the GPO with the Task Scheduler and script and everything went just fine. How can I extend encryption to all fixed data drives? Because we also have more than one partition in some computers. In the GPO I made the change, but the script only handles %systemdrive%. Any help is welcome. Thanks!
Hey. I have created a PowerShell script. Batch is not really my strength. It checks all local drives with partitions and encrypts them with BitLocker. Also, the BitLocker key is then restored to AD. Maybe it helps one or the other. Instead of the batch script, select the PowerShell script.
drive.google.com/file/d/1IYMOmckcjAmAR8oqrh7--Y3-8BVY1pbR/view?usp=sharing
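The linked script is not on this page, so here is an added example of the same idea, written for this thread and not taken from the video, the batch file, or the Google Drive script above. It covers the questions raised repeatedly in the comments: encrypting fixed data drives as well as %systemdrive%, escrowing the recovery password even on PCs that were already encrypted before the policy arrived (the case where the batch file "didn't even back up the key"), not adding a new key on every run, and working on German, French or Spanish Windows, because it reads the BitLocker cmdlets' structured properties instead of grepping English manage-bde output. It assumes Windows 10/11 Pro or Enterprise, a domain-joined machine, running as SYSTEM or an elevated admin, and a GPO that permits recovery-password backup to AD DS; the log path is a placeholder.

```powershell
# Added example (not the video's script): idempotent BitLocker enable + AD DS escrow
# for the OS drive (TPM-only unlock) and all fixed data drives (auto-unlock).
#Requires -RunAsAdministrator
$logPath = Join-Path $env:ProgramData 'BitLockerRollout.log'   # placeholder log location
Start-Transcript -Path $logPath -Append | Out-Null

function Test-TpmReady {
    # A TPM that is present but not initialised cannot hold a protector either.
    try { $t = Get-Tpm; return [bool]($t.TpmPresent -and $t.TpmReady) } catch { return $false }
}

function Backup-RecoveryPasswords([string]$MountPoint) {
    # Escrow every RecoveryPassword protector, whether it was created just now or
    # long before this task existed. This is the step skipped on already-encrypted PCs.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "[$MountPoint] escrowed recovery password $($kp.KeyProtectorId) to AD DS"
    }
}

function Protect-Volume([string]$MountPoint, [bool]$IsOsDrive) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        # Already encrypted or in progress: never add a second recovery password,
        # unless the volume has none at all (TPM-only with no recovery path).
        Write-Output "[$MountPoint] $($vol.VolumeStatus), protection $($vol.ProtectionStatus); escrow only"
        if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
        Backup-RecoveryPasswords $MountPoint
        return
    }
    if ($IsOsDrive) {
        # Recovery password first, so a GPO that requires one before encryption is
        # satisfied; then TPM-only unlock, i.e. no prompt at boot, as in the video.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    } else {
        # Data drive: Enable-BitLocker creates the single recovery password, then the
        # drive is bound to the (already protected) OS drive so the user is not prompted.
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly | Out-Null
        try { Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null }
        catch { Write-Warning "[$MountPoint] auto-unlock not set yet (OS drive must be protected first): $_" }
    }
    Backup-RecoveryPasswords $MountPoint
    Write-Output "[$MountPoint] encryption started"
}

$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if (Test-TpmReady) {
    Protect-Volume -MountPoint $os.MountPoint -IsOsDrive $true
} else {
    # Without a TPM the OS drive needs the "Allow BitLocker without a compatible TPM"
    # policy and a password or startup-key protector chosen by a person; left alone here.
    Write-Warning "No ready TPM on $env:COMPUTERNAME; OS drive skipped"
}
# Fixed volumes with a drive letter only; removable drives are deliberately excluded.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } | ForEach-Object {
    $mp = "$($_.DriveLetter):"
    if ($mp -ne $os.MountPoint) {
        try { Protect-Volume -MountPoint $mp -IsOsDrive $false } catch { Write-Warning "[$mp] $_" }
    }
}
Stop-Transcript | Out-Null
```

The transcript answers the "is there any log to troubleshoot?" question for the script itself; BitLocker's own reasons for refusing to encrypt (no TPM, policy conflicts, unsupported volume) land in the Microsoft-Windows-BitLocker-API/Management event log on the client. Because every run escrows existing protectors and only creates a recovery password where none exists, the task can safely fire on every boot without multiplying keys in AD.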
Excellent.
And for computers that do not have a TPM chip, does it work?
Usually you can define the requirements in the BitLocker GPO. But I believe my script is looking for a TPM chip.
Thanks for sharing. Could the user still open the laptop/desktop even if the device is not connected to the network?
Yes. The TPM chip will allow the user to log in as long as it does not detect any changes on the motherboard or a new boot device.
@@seanjr4387 Thank you
question - 1) when the machine starts after encryption completed, will it require the user to type a password to unlock the drive?
2) Can we apply the same script if we want to implement BitLocker that is not based on TPM? Password method.
thank you in advance.
Is the key being randomised? Also, how to enable BitLocker so that when the PC boots up it won't prompt the user to key in the unlock key?
Question #1: Yes. BitLocker generates a random encryption key. The script is just enabling BitLocker and storing the key in AD.
Question #2: In the GPO you create, you have to define how you want BitLocker to unlock. Review the GPO settings you created to make sure Network Unlock and/or TPM unlock is enabled.
@@seanjr4387 Hi, do you have documentation with TPM-only authentication, or a guideline?
Do you have the script for operating systems in Spanish?
I can't your description link to download that bat file.
I tested the URL and it works fine for me while using my browser in Incognito. What is the error you're receiving?
@@seanjr4387 Thanks, I have downloaded it. Thanks a lot..
@@seanjr4387 Do you have an idea about AD migration?
How did you get all of your network info on your desktop?
bginfo
Are you using MBAM on this?
hi
the task is not running for me any ideas?
it works start task schduler as admin
Hi How to enable bitlocker for C D and E drive with pin or password. i dont have TPM on my laptop
please assist me., your answers are highly appreciated.
Have you done it with BitLocker + TPM only? And if this is done via GPO, what happens if the PC is work from home?
It should work if you have connectivity to your AD, e.g. using a VPN connection.
I have modified the script to use it on the Spanish version of Windows; if anyone needs it, let me know.
Could you upload it? It would be useful for me to test it, thank you very much.
Could you share it, please? Thanks.
What is inside that begpo file? I don't have it.
I've provided a link in the description. You should be able to download it.
@seanjr4387 But this works only if you have TPM, right? Let's say I don't have it but I still want to encrypt, and I want to force people to enter a password of their choice and put the recovery backup on my server, Active Directory. I assume that this works only with TPM because I'm not required to enter a password.
@seanjr4387 I got the error when I check your description and it says: "The requested URL was not found on this server. That's all we know."
@TommyTheHeist Try Group Policy > Computer Config > Admin Templates > Windows Components > BitLocker encryption > Require additional authentication > Enable, Allow BitLocker without compatible TPM.
@seanjr4387 I can't find the link for the script. Please share again.
But most places users are not administrators.
That's how it should be.
That's why he used the system user
Hi Sean Jr
Thanks so much!
I am not able to run the script manually. Although I run with administrator permissions, it always falls under: ElevateAccess.
Any suggestion?
What is the error? What tool are you using?
I have the same issue. I run the script with different admins but every time I get to ":goto elevateaccess".
Any ideas?? Thx
@seanjr4387 Pls help
Not working for me, dear..
Those steps don't work for me. Do they work for anyone ?
How do I prompt the user to enter a password?
You can control this part from the GPO. Explore the Group Policy options for BitLocker.
What is the batch file?
You can find the batch file via the link in the description.
@seanjr4387 Thank you. This entire process did not work. I followed the steps carefully twice on two virtual machines and nothing happens. The task shows in Task Scheduler, and the GPO shows when I do a gpresult /r, but nothing happens. I have made sure the policy is enforced and all settings are correct. Running the script (EnablingBitLocker.bat) in PowerShell ISE shows many errors. I will try it a 5th time along with this video and hopefully I will figure out what I'm doing wrong.
Will this also encrypt removable drives?
No. You have to turn on removable drive encryption in your GPO.
Can you share the script file, please?
Do you have the script?
I need a copy of the script file.
same here
Does this require a password to be entered every time a BitLocker-protected computer is restarted?
Based on the video, no. That option is controlled by the GPO.
@seanjr4387 So curious: what does encrypting the drive do if there isn't a password needed when you boot? What does the encrypt part secure?
Share the BitLocker script
It's linked in the video description
Please, a version for computers with the language set to Spanish. In English it worked perfectly.
The "Store BitLocker recovery information in Active Directory Domain Services" GPO is only applicable for Windows Server 2008 and Vista; try reading the shit you're doing before making a video guide on it and misinforming everyone.
If I did a video showing exactly how I did it while using Windows Server 2019!!!!, how did you then draw the conclusion that the BitLocker feature is only available in Windows Server 2008? Just think about it for a second. I did a video and successfully completed this. Here's another clue: if you like, read the other comments and you'll see that others have done it.
Hi. Nice tutorial, but for me:
The task doesn't show on the client. The key does not upload to Active Directory.
=====SOLVED=====
Edit:
Ok, it was 2 mistakes/errors:
-1 In French, the username is "AUTORITE NT\System", but the mapping is not good with this ID; use the English ID instead (as you showed).
-2 In the script, "goto ElevateAccess" blocks the script even if launched in Admin mode. Commenting it out solved the issue.
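The "key does not upload to AD" symptom above is easiest to catch from the directory side. The following is my own added example, not anything from the video: run on a management host with RSAT, it lists which domain computers have zero escrowed recovery passwords (and how many each has, which also shows a task that keeps re-adding keys). It assumes the ActiveDirectory module, read access to the msFVE-RecoveryInformation objects, a placeholder OU, and the helper name Get-EscrowedRecoveryInfo is mine.

```powershell
# Added example, not from the video: audit which computers in an OU have a BitLocker
# recovery password escrowed in AD DS. Assumes RSAT's ActiveDirectory module and read
# rights on msFVE-RecoveryInformation objects. The OU below is a placeholder.
Import-Module ActiveDirectory

function Get-EscrowedRecoveryInfo {   # helper name is mine
    param($Computer)   # an object from Get-ADComputer
    # Recovery info is stored as child objects of the computer account; the CN is
    # "<timestamp>{<key protector GUID>}", and the GUID matches the client's KeyProtectorId
    Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $Computer.Name
                ProtectorId = $_.Name.Substring($_.Name.IndexOf('{'))
                Escrowed    = $_.whenCreated
            }
        }
}

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$report = foreach ($c in Get-ADComputer -Filter * -SearchBase $searchBase) {
    $keys = @(Get-EscrowedRecoveryInfo -Computer $c)
    [pscustomobject]@{
        Computer   = $c.Name
        KeyCount   = $keys.Count   # 0 = nothing escrowed; a large number = task re-adding keys
        LastEscrow = ($keys.Escrowed | Sort-Object -Descending | Select-Object -First 1)
    }
}
# Machines that need attention first: encrypted (or supposedly encrypted) with no key in AD
$report | Where-Object KeyCount -eq 0 | Format-Table -AutoSize
```

The recovery password itself (msFVE-RecoveryPassword) is deliberately not read here; counting the objects is enough for the audit and needs fewer delegated rights.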
It also works without the script; I believe the GPO option is "enforce BitLocker on OS drive". At least this is what I found out by mistake.
I've managed to get it to push out with all these settings, but the Task Scheduler doesn't seem to run correctly. It shows it has run but is not starting the encryption, yet when you force the task to run manually it works -_- any ideas?
It might be the user that the task is running as. Or it could be a conflicting policy in your environment.
Something weird happened to me: this procedure worked for me pretty well a couple of months ago, but when I try to run it again it doesn't work. It creates the Scheduled Task but it runs with operative code 2. Any idea?