Enabling BitLocker by GPO

Víctor Martínez 11 Reputation points
2023-08-01T15:55:52.3066667+00:00

Hi Team!

I am trying to enable BitLocker from a PowerShell startup script from GPO.

If I run the script manually, it works great! But it doesn't work from a GPO startup (not login) script. It seems that I am not the only one, since I have found this issue on some other forums, but no one has found the solution…

The code is basically:

Enable-BitLocker -MountPoint $($env:SystemDrive) -RecoveryPasswordProtector -RecoveryPassword "000000-000000-000000-000000-000000-000000-000000-000000"

Error: "A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)"

The startup script runs with System account rights, so I don't understand why this error occurs.

If I set the GPO as a login script and put a domain user as local admin, it works great. For some reason the System account can't run BitLocker...

Hope someone has a clue…

Limitless Technology 44,526 Reputation points
2023-08-02T10:25:28.8333333+00:00

Hello there,

To enable BitLocker using a Group Policy Object (GPO), you can follow these steps:

Create a Group Policy Object:

Open the Group Policy Management Console (GPMC) on a domain controller or a computer with the necessary administrative rights.

Create a new Group Policy Object (GPO) or select an existing one to which you want to apply the BitLocker settings.

Navigate to the BitLocker Policy:

In the GPMC, select the desired GPO in the left pane.

In the right pane, click on the "Edit..." option to open the Group Policy Management Editor.

Configure BitLocker Settings:

Within the Group Policy Management Editor, navigate to:

"Computer Configuration" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption."

Enable BitLocker and Configure Settings:

Look for the setting called "Choose how BitLocker-protected operating system drives can be recovered."

Double-click on the setting to edit it.

Select "Enabled."

Choose the desired recovery options. For example, you can select "Save BitLocker recovery information to Active Directory Domain Services" and "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives."

Click "OK" to save the changes.

Link GPO and Apply:

Close the Group Policy Management Editor.

Link the GPO to the Organizational Unit (OU) containing the computers that need to have BitLocker enabled.

You can use the "Link an Existing GPO" option or "Drag and Drop" the GPO to the OU.

The GPO will be applied to the computers in that OU during the next Group Policy update.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

Hope this resolves your query!!

--If the reply is helpful, please Upvote and Accept it as an answer--

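As an added example (not code from the question or the answer), a more defensive version of the startup script in the question: it logs the identity it runs under and the TPM and volume state, so a failure such as 0x80070522 can be compared against a manual run, lets Windows generate the recovery password instead of shipping a fixed one in a script that is stored in SYSVOL, and escrows the protector in AD DS as the policy setting named in the answer intends. The log path and the use of a TPM protector as the unlock protector are assumptions.

```powershell
# Added example, not from the question or the answer. Assumptions: a TPM is present
# and used as the unlock protector; the log path below is arbitrary.
$LogPath = 'C:\Windows\Temp\BitLocker-Startup.log'   # assumed location
$Drive   = $env:SystemDrive

function Write-Log {
    param([string]$Message)
    $who  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $who, $Message
    Add-Content -Path $LogPath -Value $line
}

try {
    # Record the context the script actually runs in. 0x80070522 is a privilege
    # error, so identity and TPM state are the first things to compare with a manual run.
    $tpm = Get-Tpm
    Write-Log "TpmPresent=$($tpm.TpmPresent) TpmReady=$($tpm.TpmReady)"

    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
    Write-Log "VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"

    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Log 'Volume is already encrypted or encrypting; nothing to do.'
        return
    }

    # Let Windows generate a random 48-digit recovery password. A fixed password in a
    # startup script lives in SYSVOL, which every domain user can read, so it is not a
    # secret, and it makes one recovery key valid for every machine the GPO touches.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Escrow the recovery password in AD DS before encryption starts, matching the
    # "do not enable BitLocker until recovery information is stored in AD DS" policy.
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
    Write-Log "Recovery protector $($rp.KeyProtectorId) backed up to AD DS."

    # The TPM unlocks the drive at boot; -SkipHardwareTest avoids the reboot-dependent
    # hardware test in an unattended run.
    Enable-BitLocker -MountPoint $Drive -TpmProtector -SkipHardwareTest -ErrorAction Stop | Out-Null
    Write-Log 'Enable-BitLocker succeeded.'
}
catch {
    # Log the message and HRESULT (e.g. 80070522) so a silent startup-script failure becomes visible.
    $hr = '{0:X8}' -f $_.Exception.HResult
    Write-Log ('FAILED: {0} (HRESULT 0x{1})' -f $_.Exception.Message, $hr)
    exit 1
}
```

Comparing the logged identity and TPM state from a startup run against the same script run manually narrows down which context differs when the privilege error appears.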
