This video demonstrates how to encrypt Windows System Volume using Group Policy Object (zero-touch encryption). Download BitLocker Script. drive.google.com/drive/folder...
Was about to do this on 50 computers spread around the country - thank you for a brief explanation, I felt totally overwhelmed by the deployment-script stage.
I'm going to do some tests and pray that the TPM modules are activated! :- )
Have been looking for a while and tried a number of things... this worked first time and everything you need is here. Thanks
Thank you SO MUCH! My Admin left and my company is on "hiring freeze" and I need to get this done. I would buy you a cup of coffee if I meet you in person. Thanks once again.
I'm glad I was able to help. It's a challenge I was given myself. I figured it would help someone else. Thank you.
Great work Sean Jr.
Works perfectly.
Really appreciate sharing this video, just a question on enabling it on data disks
Sean, absolute genius dude! Well done!
Just tried this...worked perfectly! Thanks!
You sir are an absolute legend.
Excellent walk-through. Thank You!
Great video. Thanks for sharing the knowledge. One question though. Will the GPO automatically enable BitLocker for a fixed drive and/or a removable drive if configured? Because for the OS drive you used the script with the Task Scheduler to trigger the Enable action. Or do I have to modify the script somehow to include a drive D or E, for example? Any advice will be highly appreciated. Keep up the good work.
Amazing tips. Thanks Sean!
Not bad. To avoid multiple keys, change the scheduled task: go to the Common tab and check the "Apply once and do not reapply" checkbox. Otherwise every time the device is idle or a login occurs it will record a new key and eventually have tons in Active Directory. Also, I would have the Group Policy create the scheduled task, not update it, as updating will reset the task as if it has not been run and cause the same multi-key entries. Plus there is a bug where it will mismatch, and it is possible that no key works. Resetting a device later and needing that key will be a real problem. The way we do this is actually to create a registry key via Group Policy that applies the script to RunOnce for the same purpose; we find it is much more consistent.
Thanks! Working perfectly!
Thanks, seems to work perfectly
Hi Sean,
First, thank you. I have tested on a virtual environment and it is working, but does this script work only for system drives? Because I have a D drive and it did not enable BitLocker on it.
Works like a charm!
Hi Sean, Thank You So much. Works Perfectly in My Company. 10/10 !!! =) =) =)
Do you have a copy of the scripts?
My problem is the TPM chip isn't even activated in BIOS on many systems. Is there a way to activate the TPM chip in the BIOS from the DOS command line or Powershell?
Thanks! worked like a charm
Something weird happened to me: this procedure worked pretty well for me a couple of months ago, but when I try to run it again it doesn't work. It creates the Scheduled Task, but it runs with operative code 2. Any idea?
How can we let the user create the password by themselves?
Example: once the machine starts up or the user logs on, it shows a dialog box for the password? Is there any way to do that?
Hello, I have applied what you indicate in the video, but bitlocker cannot be applied to drive C:, could you help me?
I'm seeing multiple entries of keys stored on a computer's AD object. Is this a result of the idle time?
Does this script also work on machines with a different language? Since the findstr searches for english words?
No one seems to have noticed that the script settings, with a scheduled task set to run at idle, mean that this script will run constantly throughout the day on the PC forever, even after the drive has been encrypted, or until the scheduled task is removed.
Hi Fred... I completely understand your concern. In the script, it's set to ignore if the volume is already encrypted. But if that's a problem you can set the task to run once on the computer.
Hello Sean JR. Great video and article. But I have the challenge of multilingual clients (German, Spanish) - it looks like your script only runs on an English OS. Do you have a solution for this? Many thanks.
Is it compulsory to have TPM in the users' computers for this to run? What if we are using a VM?
Hi Sean,
Could you please help me out with enabling fixed drives automatically? I'm a fresher to this field. Please help me out. I'm stuck.
Super useful, thanks
Thank you so much for this video. I just want to ask: after I enable the feature (BitLocker Encryption) in our Windows 2016 server and restart, when I open the GPM Editor at Windows Components and select BitLocker encryption, I can't see any folder inside it, unlike yours.
I can see only:
Turn on Bitlocker ......
Control Panel Setup: ......
Control Panel Setup: ......
Control Panel Setup: ......
Configure encryption method
Prevent memory overwrite on restart
Configure TPM .....
Hope anybody can answer my question. Thanks, much appreciated.
Thanks for your video, but I have tried to run the script; it gives some errors and it is not working! Could you please help me?
Great video. Your link points to a batch file, but in your video you refer to a PowerShell script.
Where did he get the script???
It also works without the script; I believe the GPO option is "enforce BitLocker on OS drive". At least this is what I found out by mistake.
This worked like a charm! Thanks for the video! One thing I learned was that if a PC has BitLocker On already, you will have to disable it and then reboot and let the policy turn it on in order for AD to pickup the key. AD will not pick up the key except during generation.
Can I disable it for all devices by GPO or manually?
As per your video, the GPO works fine for me. Can you tell me whether it will work for systems that have multiple drives?
up
Thanks for the very useful info. What if the GPO is applied to an OU: what will happen to some PCs where BitLocker is already enabled? Will it re-enable them or will they stay as they are?
Good question!
I'm not sure. I would expect it to automatically add the key to the AD object. It should be a fairly easy test. See what happens when you try to Bitlocker a computer that was already encrypted.
@@seanjr4387 Hi, I found that the script didn't change anything on PCs which are already BitLockered; it didn't even back up the key to AD, so you have to manually back up the key or create a GPO to do so.
Thank you!
I've managed to get it to push out with all these settings, but the Task Scheduler doesn't seem to run correctly: it shows as having run but doesn't start the encryption. When you force the task to run manually, it works -_- Any ideas?
It might be the user that the task is running as. Or it could be a conflicting policy in your environment.
The question is, why didn't you choose to encrypt FDE (full disk)? From an organization and protection perspective it's much, much more secure ^^ And what about devices that don't have a TPM module, etc.? ;)
Group policy > Computer Config > Admin Templates > Windows components > Bit Locker encryption > Require additional authentication > enable, Allow Bit Locker without compatible TPM. Haven't tested it but give it a shot.
Hi, is it possible to set in the GPO that, at the time the disk starts to encrypt, the user is prompted to enter a PIN as an additional layer of security? Mostly for laptops that can be stolen.
You should be able to do this by updating the GPO to require PIN.
Script worked flawlessly. Just curious, where does the script store the recovery key? Assuming it did not say to save it in ADDS.
It's saved in ADDS. Go to the Properties of the Computer Object and you'll see a BitLocker Tab. 12:03 If you're not seeing the tab, you might have to rewatch the video where I install the BitLocker role. I hope this helps.
Hello, I need some help because this doesn't work on some PCs: the scheduled task is present but encryption won't start and the key is not saved in AD. I have 20 PCs failing on this; on others it works perfectly. Thanks for the help. Is there any log or something to troubleshoot with?
Check all steps in the video again, and all devices must have TPM 1.2 or newer for this to work.
Thanks Sean Jr. Super!
I managed to test the GPO with the task scheduler and script and everything went just fine. How can I extend encryption to all fixed data drives? Because we also have more than one partition on some computers. In the GPO I made the change, but the script only handles %systemdrive%. Any help is welcome. Thanks!
Hey. I have created a PowerShell script. Batch is not really my strength. It checks for all local drives with partitions and encrypts them with BitLocker. The BitLocker key is then also stored in AD. Maybe it helps one or the other. Instead of the batch script, select the PowerShell script.
drive.google.com/file/d/1IYMOmckcjAmAR8oqrh7--Y3-8BVY1pbR/view?usp=sharing
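The commenter's script is behind a download link, so here is an added example of the same idea, written for this thread and not the video's batch file or the commenter's code: encrypt the OS drive plus every fixed data drive (the D: and E: cases asked about above), skip volumes that are already encrypted, create a recovery password only when the volume has none (so a re-running task does not pile up keys in AD, the problem raised earlier in the thread), and back that protector up to Active Directory. It assumes a ready TPM, a domain-joined client, and the GPO from the video that permits storing recovery information in AD DS.

```powershell
#Requires -RunAsAdministrator
# Added example, not the video's script. Assumes TPM 1.2+ present and ready,
# a domain-joined client, and a GPO allowing recovery info to be stored in AD DS.
Import-Module BitLocker

function Get-FixedDriveLetters {
    # Fixed disks with a drive letter only; removable media stays out because the
    # thread treats removable-drive encryption as a separate GPO setting.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }
}

function Get-OrAddRecoveryProtector {
    # Returns the volume's recovery-password protector and whether it was just created.
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $created = $false
    if (-not $rp) {
        # Only mint a new 48-digit recovery password when none exists yet.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        $created = $true
    }
    [pscustomobject]@{ Protector = ($rp | Select-Object -First 1); Created = $created }
}

function Protect-FixedVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$IsOsDrive,
        # One-shot switch for fleets that were encrypted before this task existed:
        # pushes an already-present recovery password to AD as well.
        [switch]$BackupExisting
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Output "$MountPoint is $($vol.VolumeStatus); not re-encrypting."
    }
    elseif ($IsOsDrive) {
        # TPM-only unlock as in the video: no PIN prompt at boot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        Write-Output "$MountPoint encryption started (TPM protector)."
    }
    else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
        Write-Output "$MountPoint encryption started (data drive)."
    }

    $result = Get-OrAddRecoveryProtector -MountPoint $MountPoint
    $rp = $result.Protector
    if ($result.Created -or $BackupExisting) {
        # Exactly one recovery password per volume goes to the computer object in AD.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Output "$MountPoint recovery protector $($rp.KeyProtectorId) backed up to AD DS."
    }
    else {
        Write-Output "$MountPoint already has recovery protector $($rp.KeyProtectorId); skipped AD backup."
    }

    if (-not $IsOsDrive) {
        # Let the OS volume unlock data drives at boot. This needs the OS volume to be
        # protected already, so on a fresh machine it may only succeed on a later run.
        try { Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null }
        catch { Write-Warning "$MountPoint auto-unlock not enabled yet: $($_.Exception.Message)" }
    }
}

# Gate on the TPM first, the same check the batch file performs before encrypting.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Error 'TPM not present or not ready; nothing encrypted.'
    exit 1
}

# OS drive first, then every other fixed drive.
Protect-FixedVolume -MountPoint $env:SystemDrive -IsOsDrive
Get-FixedDriveLetters |
    Where-Object { $_ -ne $env:SystemDrive } |
    ForEach-Object { Protect-FixedVolume -MountPoint $_ }
```

Running it a second time is safe: encrypted volumes are skipped and no new recovery password is generated, which is what the scheduled task needs if it is left on an idle trigger.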
Thank you for creating this video and sharing the script. If we wanted to modify this to include other drive volumes how would we go about adding "D:" "E:" Etc? Also do you have a social media / email account you could share? I checked your channel for contact info but was not able to locate that. @Sean Jr thank you again.
Trying to get this to work for hours now...... But it just doesn't want to work. Looks like I have to manually enable BitLocker on 300 computers......
:((
Hi, how do I enable BitLocker for the C, D and E drives with a PIN or password? I don't have TPM on my laptop.
Please assist me. Your answers are highly appreciated.
WHERE DID YOU GET THE BATCH FILE FROM? HOW DID U CREATE IT? ANY VIDEO FOR THAT? SORRY ABOUT THE CAPS
The URL to download the script/batch file is in the description.
Search GitHub.
Set up everything, but the computers don't run auto-encryption. Any idea? They can access the .bat file; running the .bat manually is fine.
I'm having the same issue.
I have set to run the script under "System", but the script works when I login under an Administrative account, but it does not work when I login under an account without administrative rights.
Hi Sean, I tried it and it doesn't work. I run the script manually and get the message "It looks like your system require that you run this program as an Administrator." What is wrong?
Have you checked the box of run with highest privileges on the task scheduler?
I have the same problem. I have set the checkmark with "Execute highest priority". What was the solution? Thank you.
My issue is that the GP is getting pushed out but the Scheduled Task isn't. Not sure why, but I thought about pushing the script out one time to the PCs since it only has to be run once. Would that work?
You can run the script directly. The Task Scheduler will not show unless you're an Administrator. If it's still not there after opening Task Scheduler as an Administrator, rewatch the video to see if you overlooked something in the video.
The scheduled task will run, but the script itself does not appear to be running.
If i run the script manually on the local PC, it works fine.
Any ideas what I could check?
Just in case the file is being blocked on the DC share, right-click the file, go to Properties and under the General tab look for the Unblock button. Example: stackoverflow.com/questions/15263523/batch-file-to-unblock-files-copied-from-internet
@@seanjr4387 Hi Sean, thanks for sharing the tutorial and script. Do we necessarily have to place the script on a domain controller, or will any file server do? Thanks in advance.
I like your video, but you did not show how to create the file at 6:01. Please, can someone explain to me how to create the file EnablingBitlocker in the folder GEGPO?
Hi Muhammad, I'm glad you like this video. You can download the BitLocker script in the description. I hope this helps.
Did anyone get the script to work for all the drives?
Up, I have the same question too.
What are you using to display the system information on your desktop?
BGinfo
Excellent.
And for computers that do not have a TPM chip.
Does it work?
Usually you can define the requirements in the BitLocker GPO. But I believe my script is looking for a TPM chip.
Is it possible to enable and store the key for fixed data drives?
Yes, we have this option from GPO is called "Choose default folder for recover password" then define your location.
You can fix it by changing the C drive letter in the script to whatever you want. In my case I changed it to D and created another script.
What needs to change in a batch file, if we want to encrypt a data drive like a D drive.
Did you find the answer? I'm also searching for the same.
@@Siraj_Ather I am also looking to encrypt two disks C: and D: on a workstation
Have you done it with bitlocker +TPM only? and if this done via GPO what happens if the PC is Work from home.
It should work if you have connectivity to your AD e.g using a vpn connection
Is the key being randomised? Also, how do I enable BitLocker so that when the PC boots up it won't prompt the user to key in the unlock key?
Question #1: Yes. BitLocker generates a random encryption key. The script is just enabling BitLocker and storing the key in AD.
Question #2: The gpo you create, you have to define how you want BitLocker to unlock. Review the gpo settings you created to make sure Network Unlock and/or TPM unlock is enabled.
@@seanjr4387 Hi, do you have documentation or a guideline for TPM-only authentication?
Thanks for sharing. Would the user still be able to open the laptop/desktop even if the device is not connected to the network?
Yes. The TPM chip will allow the user to login as long as it does not detect any changes on the Motherboard or new boot device.
@@seanjr4387 Thank you
question - 1) when the machine starts after encryption completed, will it require the user to type a password to unlock the drive?
2) Can we apply the same script if we want to implement BitLocker that is not based on TPM? Password method.
thank you in advance.
Are you using MBAM on this?
I noticed that the batch file is missing a couple of GOTOs/batch labels:
:VerifyBitLocker
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="AES" goto Inprogress
)
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="XTS-AES" goto Inprogress
)
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
if "%%A"=="None" goto EncryptionFailed
)
Inprogress and EncryptionFailed do not exist.
This will result in either, "The system cannot find the batch label specified - Inprogress", or "The system cannot find the batch label specified - EncryptionFailed".
Unless the intention was to monitor the progress (which I doubt given the text in the EncryptionCompleted block), I would recommend to replace Inprogress with EncryptionCompleted.
One can also create the block for EncryptionFailed:
:EncryptionFailed
echo.
echo =============================================================
echo = System Volume Encryption on drive (%systemdrive%\) failed. =
echo = The script was able to make it past the TPM steps. =
echo = Encryption was not turned on. =
echo =============================================================
echo Closing session in 30 seconds...
TIMEOUT /T 30 /NOBREAK
Exit
What would be helpful is to get output that explains why the encryption failed, but at least this doesn't result in any errors, and explains that at least the TPM part was passed.
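As an added example (not the video's batch file and not this commenter's fix), here is the same :VerifyBitLocker decision written in PowerShell. The batch version greps manage-bde output for the English text "Encryption Method:", which is why it does nothing useful on the German, Spanish and French clients mentioned elsewhere in this thread; Get-BitLockerVolume exposes typed properties instead, and the BitLocker event log supplies the "why did it fail" detail asked for above. It assumes the BitLocker module and Get-Tpm are available on the client.

```powershell
# Added example, not the video's script: locale-independent replacement for the
# manage-bde | findstr verification step, plus failure diagnostics.
Import-Module BitLocker

function Get-BitLockerOutcome {
    # Maps the typed VolumeStatus onto the three branches the batch file intended.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    switch ($vol.VolumeStatus) {
        'FullyEncrypted'       { 'EncryptionCompleted' }
        'EncryptionInProgress' { 'InProgress' }
        'FullyDecrypted'       { 'EncryptionFailed' }
        default                { "Unexpected:$($vol.VolumeStatus)" }
    }
}

function Get-BitLockerRecentEvents {
    # Warnings and errors from the BitLocker management log (Event Viewer:
    # Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management).
    param([int]$Hours = 24, [int]$MaxEvents = 20)
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
        Level     = 2, 3      # 2 = Error, 3 = Warning
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$outcome = Get-BitLockerOutcome
$vol     = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ('{0} {1} (method {2}, protection {3})' -f `
    $env:SystemDrive, $outcome, $vol.EncryptionMethod, $vol.ProtectionStatus)

if ($outcome -eq 'EncryptionFailed') {
    # Same diagnosis the proposed :EncryptionFailed block prints, with the reasons attached.
    $tpm = Get-Tpm
    Write-Output ('TPM present: {0}, ready: {1}' -f $tpm.TpmPresent, $tpm.TpmReady)
    Get-BitLockerRecentEvents | Format-Table -AutoSize -Wrap
    exit 2
}
exit 0
```

The non-zero exit code surfaces in the scheduled task's "Last Run Result", which is where several people in this thread first noticed something was wrong.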
I'd love your fully edited file... I'm script/programming deficient
Even though the GPO is configured, do I need to enable BitLocker manually?
It works without running the batch file
The GPO is telling the computer what to do if bitlocker is enabled, while in the same GPO a script is set to automatically start the Bitlocker. Remember, the reason for the video is so you don't have to do it manually.
@@seanjr4387 Perfect!!! Really appreciate!
Not working for me, dear..
This only works with a batch file. How do I get a PowerShell script to run instead of a batch file? The script works perfectly when run manually; however, it closes immediately and doesn't even start the transcript when executing as SYSTEM at user login.
What made you configure it to run at User Login and not via Task Scheduler at system startup?
@@seanjr4387 my script is enabling bitlocker and initializing tpm. File hosted on dc, network not available at startup for laptops.
@@seanjr4387 actually, startup script works fine now. So nevermind, however would still be nice to know the solution. I could see maybe needing to schedule a task as system to run a power shell script from a network drive. Absolutely nothing I have tried will allow the system account to get past execution policy restrictions.
@@MikesGarageWorks I used a .bat file too because the script didn't work for me. How did it work for you?
@@SinodosAmaha I ended out placing as a startup script in GPO and hosted the script on NETLogon. The script is PowerShell and runs before login.
Hi Sean
Some drives are not showing in the BitLocker option. How do I solve the problem? Please reply.
I have the same question. It means that it works only for the system drive itself.
Those steps don't work for me. Do they work for anyone ?
Hi,
the task is not running for me. Any ideas?
It works; start Task Scheduler as admin.
I can't your description link to download that bat file.
I tested the URL and it works fine for me while using my browser in Incognito. What is the error you're receiving?
@@seanjr4387 thanks, I have downloaded. Thanks a lot..
@@seanjr4387 Do you have any idea about AD migration?
Hold up. Why would you have to add roles and features when it's definitely already there by default on every single Windows 11 machine???????
The role is so you can create a BitLocker policy. For example, you need a policy telling the script or a user who manually tries to BitLocker their computer to not BitLocker the computer unless the key is stored in ADDS. Plus you'll need the role so you can see the recovery key. I hope this helps.
And this is for your domain controller(s), not on the clients.
That's correct.
How did you get all of your network info on your desktop?
bginfo
Will this also encrypt removable drives?
No. You have to turn on Removable drive encryption in your gpo.
Hi Sean Jr
Thanks so much!
I am not able to run the script manually. Although I run with administrator permissions, it always falls under: ElevateAccess.
Any suggestion?
What is the error? What tool are you using?
I have the same issue. I run the script with different admins but every time I get to :goto elevateaccess
Any ideas ?? Thx
@@seanjr4387 pls help
Does this require a password to be entered every time a BitLockered computer is restarted?
Based on the video, no. That option is controlled by the GPO.
@@seanjr4387 so curious what encrypting the drive does if there isn't a password needed when you boot, what does the encrypt part secure?
Can you share the script file, please?
do you have script?
how do i prompt the user to enter a password
You can control this part from the GPO. Explore Group Policy options for Bitlocker.
I need a copy of the script file.
same here
What is inside that begpo file? I don't have it.
I've provided a link in the description. You should be able to download it.
@@seanjr4387 But this works only if you have TPM, right? Let's say I don't have it but I still want to encrypt, and I want to force people to enter a password of their choice and put the recovery backup on my server, Active Directory. I assume that this works only with TPM because I'm not required to enter a password.
@@seanjr4387 I got the error when I check your description, and it says:
The requested URL was not found on this server. That’s all we know.
@@TommyTheHeist Try Group policy > Computer Config > Admin Templates > Windows components > Bit Locker encryption > Require additional authentication > enable, Allow Bit Locker without compatible TPM.
@@seanjr4387 I can't find the link for the script. Please share again.
But most places users are not administrators.
That's how it should be.
That's why he used the system user
What is the batch file?
You can find the batch file via the link in the description.
@@seanjr4387 Thank you. This entire process did not work. I followed the steps carefully twice on two virtual machines and nothing happens. The task shows in Task Scheduler, and the GPO shows when I do a gpresult /r, but nothing happens. I have made sure the policy is enforced and all settings are correct. Running the script (EnablingBitLocker.bat) in PowerShell ISE shows many errors. I will try it a 5th time along with this video and hopefully I will figure out what I'm doing wrong.
Share the Bitlocker script
It's linked in the video description
The "Store bitlocker recovery information in active directory domain services" gpo is only applicable for windows server 2008 and vista, try reading the shit you're doing before making a video guide on it and misinforming everyone
If I did a video showing exactly how I did it while using Windows Server 2019!!!!, how did you then draw the conclusion that the bitlocker feature is only available in Windows Server 2008? Just think about it for a second. I did a video and successfully completed this. Here's another clue: If you like, read the other comments and you'll see that others have done it.
Hi. Nice tutorial, but for me:
Task doesn't show on the client. Key does not upload to Active Directory.
=====SOLVED=====
Edit:
OK, it was 2 mistakes/errors:
-1 In French, the username is "AUTORITE NT\System", but the mapping does not work with this ID; use the English ID instead (as you showed).
-2 In the script, "goto ElevateAccess" blocks the script even when launched in Admin mode. Commenting it out solved the issue.