0

I'm working on getting bitlocker deployed across an organization and am getting hung up on how I'm expected to actually enable it. We're using on-site AD on Server2012 (will be moving to 2022 this summer but it is what it is for now) and our PCs are all Windows 10. As far as I can tell I should be running a script at logon to enable bitlocker if it isn't already. I have the script, it runs fine on its own, but I cannot get the GPO to work. Here's what I've tried:

  • Startup powershell script - won't work as it runs as logged in user
  • Scheduled task - this appears to be the way to go, but I simply can't get it to actually run the script. Have tried using a domain-admin account, nt_authority\system, etc. It simply doesn't run - I've tried replacing the action with something that just opens notepad, but even that doesn't run. It seems that the SYSTEM account won't have network share access, so I tried adding a GPO to copy the script to the machine first. Still no luck (and I'd prefer this wasn't the case).

I'm clearly missing something, because I'm sure others have done this successfully. Looking for advice on either how you've done this successfully, what I'm doing wrong with my scheduled task GPO, or whether I'm missing the mark entirely and should be doing something entirely different. Any advice is appreciated.

tsz
  • 229
  • 1
  • 2
  • 9
  • `Startup powershell script - won't work as it runs as logged in user`. No, *startup* scripts run in the context of local system. *Logon* scripts run in the context of the local user. The deployment of this is dependent on the endpoint type. Mobile endpoints should be protected by a PIN, which is a more complex scenario. And there is most likely a TPM that needs to be initialized and ownership taken. There are also a truckload of Group Policies that you haven't specified and that need to be configured. Administrative Templates > Windows Components > Bitlocker Drive Encryption. – Greg Askew May 06 '23 at 18:21
  • @GregAskew yes, I have all the TPM and recovery stuff handled in the script that needs to run. My issue is that there doesn't seem to be a real well documented way to make that script run. – tsz May 07 '23 at 14:00
  • 1
    It sounds like your issue is more about troubleshooting GPO scripts than BitLocker. You should start with a basic script that writes some output to the disk. Once you can get that working with a GPO you can swap in your actual script. SYSTEM works quite well for scheduled tasks, because it does not require making a new account and can access anything over the network that Domain Computers have access to. – twconnell May 08 '23 at 21:13

1 Answers1

0

I once wrote an article about scripted deployment of Bitlocker: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html

The essence: I recommend to deploy a scheduled task “at least Windows 7” via GPOs. It would look like this:

  • Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

  • Triggers: at logon of any user

  • Executing account: system

  • Action: powershell.exe with the argument \\server\share\BL.ps1

The task would be set up to “apply once and do not reapply”

That share would need to be read-only for computer accounts, writable only for admins.

The script would create a random PIN for pre-boot authentication and save the PIN to a text file on another share “pins”, which is writable for domain computers, but not readable for them as people (local admins) able to impersonate the system account must not discover other computers’ PINs.

The script \\server\share\BL.ps1 goes

$pin=(Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
$SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
Add-BitlockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
msg * /time:0 Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin
manage-bde -on c: -s -used -rp
schtasks /delete /tn BL /f

So what happens at script execution, is that a popup would appear and name the PIN.

Gerald Schneider
  • 23,274
  • 8
  • 57
  • 89
Bernd Schwanenmeister
  • 482
  • 2
  • 5