  1. #1 dalsoth

    BitLocker GPO's and rollout

    Hi All

    I am currently playing with BitLocker here at work and have got all of the scripts and things done so that I can back up the information to AD. I admit though that I have not read up on this topic fully yet and wondered if I am going wrong somewhere.

    Currently I have it set up so that:

    1) I can MDT a machine and choose it to set up BitLocker, and this installs the recovery key to AD.
    2) I have also tested running a command-line manage-bde PowerShell command to force a machine that had been set up with BitLocker previously to also store its details in AD.

    Where I am struggling is this: what if I have 10 laptops in an OU with no BitLocker enabled? How would I automate BitLocker without rebuilding or manually starting BitLocker? I have applied the group policy that I used for the above, which pulls the TPM stuff into AD and also sets up how to deal with the OS disk etc. What I cannot seem to do is to actually get it to TURN ON BitLocker itself and kick off the encryption.

    It would be nice to apply the BitLocker GPO to a laptop OU and come back later and they are all encrypting (assuming TPM etc. is on in the BIOS). At the moment I apply the policy to the OU and go back and BitLocker is still off. Is this normal? Is there a way to do what I want to do?

    My current GPO settings are using the 2 options below and the options within each:

    Turn on TPM backup to Active Directory Domain Services: Enabled
    Require TPM backup to AD DS: Enabled
      (If selected, cannot set or change TPM owner password if backup fails (recommended default). If not selected, can set or change TPM owner password even if backup fails. Backup is not automatically retried.)

    Allow data recovery agent: Enabled
    Configure user storage of BitLocker recovery information:
      Allow 48-digit recovery password
      Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: Disabled
    Save BitLocker recovery information to AD DS for operating system drives: Enabled
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled

    Any advice would be appreciated.


  2. #2
    This bit of powershell code...

    # ProtectionStatus on the C: volume: 0 = protection off, 1 = on, 2 = unknown
    $BitLockerEnabled = (Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq "C:" }).ProtectionStatus
    if (-not $BitLockerEnabled) {
        # BitLocker is not turned on: run something, here Notepad
        Start-Process notepad.exe
    }

    can run something on a computer if BitLocker is not turned on, in this case Notepad. I'm thinking you would be wanting to run the command to activate BitLocker.

    You could run it from a startup script or scheduled task. You may have to set the PowerShell execution policy setting in a GPO if you haven't before, though.

    Are you having issues getting MDT to turn bitlocker on or are you talking about after deployment?
    Last edited by arron; 7th November 2012 at 11:41 PM.
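An added example (not code from either poster) of what such a startup script could do instead of Notepad: check the TPM, add the protectors, escrow the recovery password in AD DS and only then start encrypting C:, which is the order the "Do not enable BitLocker until recovery information is stored to AD DS" policy in the first post expects. It assumes it runs as SYSTEM on Windows 7 with the TPM enabled, activated and owned.

```powershell
# Added example: start BitLocker on C: on a machine that already has the GPO
# applied but is still unprotected. Run as SYSTEM (startup script / scheduled task).
$ns  = 'root\CIMv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq 'C:' }

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown
if ($vol.GetProtectionStatus().ProtectionStatus -eq 1) {
    Write-Host 'BitLocker already on for C:'; return
}

# Do not start unless the TPM is really usable; otherwise the drive would end
# up with a recovery password only, or the TPM protector call would fail.
$tpm = Get-WmiObject -Namespace 'root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled -or
    -not $tpm.IsActivated().IsActivated -or -not $tpm.IsOwned().IsOwned) {
    Write-Warning 'TPM not enabled/activated/owned; not starting BitLocker'; return
}

# Key protector type 1 = TPM. Add it only if it is not already there.
if (-not $vol.GetKeyProtectors(1).VolumeKeyProtectorID) {
    $r = Invoke-WmiMethod -InputObject $vol -Name ProtectKeyWithTPM
    if ($r.ReturnValue -ne 0) { throw "ProtectKeyWithTPM failed: 0x$('{0:X}' -f $r.ReturnValue)" }
}

# 48-digit recovery password (protector type 3); Windows generates it.
$rp = Invoke-WmiMethod -InputObject $vol -Name ProtectKeyWithNumericalPassword
if ($rp.ReturnValue -ne 0) { throw "ProtectKeyWithNumericalPassword failed: 0x$('{0:X}' -f $rp.ReturnValue)" }

# Escrow the recovery password in AD DS first. If this fails, stop here rather
# than leave an encrypted laptop whose recovery key exists nowhere in AD.
$b = $vol.BackupRecoveryInformationToActiveDirectory($rp.VolumeKeyProtectorID)
if ($b.ReturnValue -ne 0) { throw "AD DS backup failed: 0x$('{0:X}' -f $b.ReturnValue); not encrypting" }

# Encrypt(EncryptionMethod = 0 -> policy default, EncryptionFlags = 0 -> whole volume).
$e = $vol.Encrypt(0, 0)
if ($e.ReturnValue -ne 0) { throw "Encrypt failed: 0x$('{0:X}' -f $e.ReturnValue)" }
Write-Host 'BitLocker encryption started on C:; progress: manage-bde -status C:'
```

Run once per startup; the early return on ProtectionStatus 1 makes repeated runs harmless, and a failed AD DS backup leaves the drive unencrypted so the script can be retried after the network issue is fixed.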
