Near the end of the video at 21:08 I mentioned automating the process of clients sending the BitLocker Recovery Keys to the AD. After this video was published, I have also posted another tutorial on how to automate it using a logon PowerShell script at: ruclips.net/video/g2Z0F6KmZRA/видео.html
If you do not know how to create a GPO for a logon/logoff scripts, please refer to: ruclips.net/video/j1hMPZfy9aM/видео.html
Thank you for the detailed walkthrough of this BitLocker process.
Glad it was helpful!
Excellent video. I've been putting this off for years but I'm 100% confident that I can roll this out after watching your video.
Thank you for the comment. :)
Fantastic video sir! Have you ever figured out how to increase the number of bad password attempts before the Bitlocker recovery process starts? It seems to be 5 bad attempts by default, just because that's what I'm seeing in my environment. But I cannot find how to increase that to a different number.
Thank you for the video. I have client PCs that are not on the domain but have BitLocker turned on. How do I add them to the AD and enable BitLocker? Do I need to turn off BitLocker first, then add them to the AD? Or can I add them to the domain without turning off BitLocker?
Thank you for the question... Yes, you should be able to add a client to a domain without turning off BitLocker on the client. I have posted a tutorial on how to join a domain here: ruclips.net/video/mVDJu0K6TX4/видео.html That video explains how we connect a client to AD DS. Once the device is on the AD DS you can then use the above tutorial to set the AD to store the BitLocker keys. If for some reason the device refuses to connect to AD (domain), you can try temporarily disabling BitLocker, connecting the device to the domain and then re-enabling it later.
Excellent video, thanks
You're welcome!
Great content. What happens to those using Windows Server 2012 R2 where some of the systems don't have a TPM?
Without the TPM chipset, BitLocker will be ineffective. This is why I think Microsoft decided not to support BitLocker functions without the chipset.
Hi, thanks for the guide. Our requirement is AES-256 encryption. How can we achieve that setting in GPO?
I believe encryption services is a separate one that has to be installed on your Windows Server. I have not covered this topic/area as of now. There are multiple ways to enforce encryption on BitLocker keys. But I cannot comment on it at this time as I would have to look into this further. Thank you.
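As an added example for the AES-256 question above (this is not the video author's material), the setting that controls cipher strength is the GPO "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. The script below writes the same registry values that policy writes, so you can test on one machine, and then reports what each volume actually uses. In a domain, put the values in the GPO rather than the local registry, since Group Policy overwrites this key on refresh.

```powershell
# Added example, not from the video: the registry values written by the GPO
# "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
# Writing them locally is for testing on one machine; in a domain, set them in the GPO,
# since Group Policy overwrites this key on refresh. Run as Administrator.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value meanings for the EncryptionMethodWithXts* DWORDs:
#   3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
$XtsAes256 = 7
$AesCbc256 = 4   # removable drives: CBC stays readable on older Windows versions

function Set-BitLockerCipherPolicy {
    param(
        [int]$OsDrive        = $XtsAes256,
        [int]$FixedDrive     = $XtsAes256,
        [int]$RemovableDrive = $AesCbc256
    )
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # Weak default: with these values unset, new volumes are encrypted with XTS-AES 128.
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs  -Type DWord -Value $OsDrive
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsFdv -Type DWord -Value $FixedDrive
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsRdv -Type DWord -Value $RemovableDrive
}

function Test-BitLockerCipher {
    # Caveat: the policy only governs volumes encrypted after it applies. A volume already
    # encrypted with XTS-AES 128 keeps that cipher until it is decrypted and re-encrypted.
    Get-BitLockerVolume | ForEach-Object {
        $method = "$($_.EncryptionMethod)"   # None, XtsAes128, XtsAes256, Aes256, ...
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $method
            Is256Bit         = $method -in 'XtsAes256', 'Aes256'
        }
    }
}

Set-BitLockerCipherPolicy
Test-BitLockerCipher | Format-Table -AutoSize
```

The `Is256Bit` column is the check to run after a rollout: a machine that was encrypted before the policy reached it will still show `XtsAes128`, and only a decrypt and re-encrypt changes that.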
How you can enable bitlocker from background ..as an IT admin we can not login to 1000 of system right?
This is typically done via MDT during the deployment or cloud-based deployment of the laptops and desktops. BitLocker will be configured from the very beginning. At this time, I don't think Microsoft has a tool to enable BitLocker remotely for thousands of devices at once unless they are being deployed for the first time (using WDS, MDT, Azure, etc.).
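As an added example that is not the video author's script, the block below covers both the logon-script comment near the top of the thread (escrowing recovery keys to AD) and the question just above (enabling BitLocker without logging on to each machine). It uses PowerShell Remoting to run the same steps on a list of domain-joined computers: enable BitLocker on the OS drive with the TPM, make sure a recovery password protector exists, and back that protector up to AD DS. It assumes WinRM is enabled on the targets, the GPO "Store BitLocker recovery information in Active Directory Domain Services" is already applied, and each machine has a TPM; the computer names are made up for the example.

```powershell
# Added example, not the video author's script: enable BitLocker on the OS drive of many
# domain-joined machines over PowerShell Remoting, add a recovery password, and escrow it
# to AD DS. Assumes WinRM is enabled, the "Store BitLocker recovery information in AD DS"
# GPO is applied, and a TPM is present. The computer names are constructed for the example.

$computers = 'WS-001', 'WS-002', 'WS-003'   # constructed list; feed it from Get-ADComputer in practice

$script = {
    $vol = Get-BitLockerVolume -MountPoint 'C:'

    # 1. Turn encryption on if it is fully off. -SkipHardwareTest avoids the reboot-first
    #    hardware check; -UsedSpaceOnly makes the first pass fast on freshly imaged disks.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        $vol = Get-BitLockerVolume -MountPoint 'C:'
    }

    # 2. Make sure a recovery password exists; the TPM protector alone gives you nothing to escrow.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # 3. Escrow every recovery password protector to AD DS (the cmdlet equivalent of
    #    "manage-bde -protectors -adbackup C: -id {GUID}"). Backup-BitLockerKeyProtector
    #    throws if the AD backup GPO is not in effect, which is a useful failure to surface.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        VolumeStatus = $vol.VolumeStatus      # EncryptionInProgress on the first run, then FullyEncrypted
        Protection   = $vol.ProtectionStatus
        EscrowedIds  = ($rp.KeyProtectorId -join ',')
    }
}

Invoke-Command -ComputerName $computers -ScriptBlock $script -ErrorAction Continue |
    Format-Table Computer, VolumeStatus, Protection, EscrowedIds -AutoSize
```

Steps 2 and 3 on their own are what a startup or logon script needs for machines that are already encrypted but were never escrowed; running them as a computer startup script (rather than a user logon script) avoids depending on the logged-on user having admin rights. After the run, confirm in AD Users and Computers that the computer object has an `msFVE-RecoveryInformation` child whose password ID matches `EscrowedIds`.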
This was fantastic... thank you.
Thank you and you're very welcome!
@NetITGeeks I'm having a couple of issues with the group policy applying to computers in an OU - can we communicate offline?
Check your firewall settings. If you are using VMs, make sure all devices are on the same LAN segment (same network) to make it easier for them to communicate with each other. You also need to make sure the GPOs are applied to the correct OU/section on the AD. You may use YT comments for communication or check my email posted on the channel About section. I am very busy with work these days. But I will do my best to help you out. :)
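As an added example that is not from the video, the script below runs the checks the reply above lists on the affected client: is it domain-joined, can it reach a domain controller on the ports Group Policy uses, which OU does its computer object actually sit in, and has the BitLocker recovery policy been written locally. It uses only built-in cmdlets and .NET, so it does not need RSAT on the client; it assumes English `gpresult` output and an elevated prompt so the computer scope is readable.

```powershell
# Added example, not from the video: read-only checks on a client that is not picking up the
# BitLocker GPO. Uses only built-in cmdlets and .NET (no RSAT). Run elevated so that gpresult
# can report the computer scope; assumes English gpresult output.

function Test-BitLockerGpoPlumbing {
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{ Check = 'DomainJoined'; Ok = $cs.PartOfDomain; Detail = $cs.Domain }
    if (-not $cs.PartOfDomain) { return }

    # Find a DC the same way the client does, then probe the two ports Group Policy needs:
    # LDAP 389 to read the policy list and SMB 445 to fetch the policy files from SYSVOL.
    # A host firewall or a VM on another network segment usually fails one of these.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    } catch {
        [pscustomobject]@{ Check = 'LocateDC'; Ok = $false; Detail = $_.Exception.Message }
        return
    }
    foreach ($port in 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "$dc tcp/$port"; Ok = $t.TcpTestSucceeded; Detail = $t.RemoteAddress }
    }

    # Where the computer object really sits. Compare this DN with the OU the GPO is linked to;
    # a machine left in the default Computers container gets no OU-linked policy at all.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $dn = $searcher.FindOne().Properties['distinguishedname'][0]
    [pscustomobject]@{ Check = 'ComputerDN'; Ok = ($null -ne $dn); Detail = $dn }

    # Once the recovery-information GPO has applied, Group Policy writes this value locally.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'FVE policy applied'
        Ok     = ($fve.OSActiveDirectoryBackup -eq 1)
        Detail = "OSActiveDirectoryBackup=$($fve.OSActiveDirectoryBackup)"
    }

    # Applied computer-scope GPOs as the client reports them: the names listed under the
    # "Applied Group Policy Objects" heading, up to the first blank line.
    $lines   = @(gpresult /scope computer /r 2>$null)
    $applied = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Applied Group Policy Objects') {
            $j = $i + 2   # skip the heading and its dashed underline
            while ($j -lt $lines.Count -and $lines[$j].Trim()) { $applied += $lines[$j].Trim(); $j++ }
            break
        }
    }
    [pscustomobject]@{ Check = 'AppliedGPOs'; Ok = ($applied.Count -gt 0); Detail = ($applied -join '; ') }
}

Test-BitLockerGpoPlumbing | Format-Table -AutoSize
```

Read the rows top to bottom: a failed port test points at the firewall or network segment, a `ComputerDN` that ends in `CN=Computers,DC=...` means the object was never moved into the OU the GPO is linked to, and an applied-GPO list that lacks your BitLocker policy with everything else green usually means the link, security filtering or a `gpupdate /force` is what is missing.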