How to simply enable the default version of BitLocker through GPO that doesn't require a password at startup

Sid-0195 0 Reputation points
2023-10-16T18:52:52.9933333+00:00

Hi Folks,

I am trying to enable BitLocker through GPO but want the default version of it, without a password required at startup or securing the BitLocker keys. Literally like doing it manually.

If someone can walk me through which exact GPO policy to enable that'll be great.

Also, I'm trying to use this script to test, but it's not outputting anything.

```powershell
$driveLetter = "C:"

# UNC paths need the doubled leading backslash: \\server\share
$recoveryKeyPath = "\\server\share\BitLockerRecovery"

Enable-BitLocker -MountPoint $driveLetter -RecoveryPasswordProtector -EncryptionMethod "AES256" -UsedSpaceOnly

# Key-protector objects expose KeyProtectorType (there is no KeyType property);
# filtering on a property that does not exist matches nothing, so the result is empty.
$recoveryPassword = Get-BitLockerVolume -MountPoint $driveLetter |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -ExpandProperty RecoveryPassword

# Writes the 48-digit recovery password as plain text to the share; nothing is printed to the console.
$recoveryPassword | Out-File -FilePath "$recoveryKeyPath\BitLockerRecoveryPassword.txt"
```

Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Terae E 85 Reputation points
    2023-10-17T14:58:18.3566667+00:00

    Hi Sid,

    To enable BitLocker through Group Policy with the default settings (i.e., without requiring a password at startup or securing BitLocker keys manually), you can create a GPO (Group Policy Object) and configure the necessary settings. Here's how you can achieve this:

    Create a BitLocker GPO:

    • Open the Group Policy Management Console (GPMC) on a Windows Server or a machine with administrative access.
    • Create a new GPO or edit an existing one.
    • Navigate to "Computer Configuration" > "Policies" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption."

    Configure BitLocker Settings:

    In the BitLocker Drive Encryption folder, you will find several policy settings. For your scenario, you might want to configure the following policy:

    • "Choose how BitLocker-protected operating system drives can be recovered."
    • Set this policy to "Enabled" and choose "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives." This will ensure that recovery information is automatically stored in Active Directory and that users are not prompted for a password at startup.

    Link the GPO:

    • Link the GPO to the Organizational Unit (OU) that contains the computers you want to enable BitLocker on.

    Apply the GPO:

    • To apply the GPO immediately, run the following command on the target computers:

    ```
    gpupdate /force
    ```

    • You may need to restart the computers to apply the BitLocker settings.

    Once you've applied the GPO, BitLocker will be enabled on the target computers with the default settings, and users won't be required to enter a password at startup.
    
    As for your PowerShell script, it appears that you are correctly enabling BitLocker with a recovery password protector and saving the recovery password to a specified location. If the script is not outputting anything, ensure that the variables are correctly set and that the path specified in the **`$recoveryKeyPath`** variable is accessible and writable by the script. You can also add some error handling to the script to capture and display any potential errors or issues:
    
    
    ```powershell
    $driveLetter = "C:"
    $recoveryKeyPath = "\\server\share\BitLockerRecovery"

    Try {
        # -ErrorAction Stop turns cmdlet errors into terminating errors so the Catch block actually runs
        Enable-BitLocker -MountPoint $driveLetter -RecoveryPasswordProtector -EncryptionMethod "AES256" -UsedSpaceOnly -ErrorAction Stop

        # Key protectors expose KeyProtectorType, not KeyType
        $recoveryPassword = Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction Stop |
            Select-Object -ExpandProperty KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object -ExpandProperty RecoveryPassword

        $recoveryPassword | Out-File -FilePath "$recoveryKeyPath\BitLockerRecoveryPassword.txt" -ErrorAction Stop
        Write-Output "BitLocker enabled and recovery password saved successfully."
    }
    Catch {
        Write-Output "An error occurred: $_"
    }
    ```

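As an added example (not the question author's or either answerer's script), the following does from PowerShell what the GPO-driven "default" enablement produces: a TPM protector so nothing is asked at startup, a recovery password protector escrowed to AD DS with `Backup-BitLockerKeyProtector` rather than written to a plaintext file on a share, and a status report that never echoes the recovery password. It assumes an elevated session on a domain-joined machine whose TPM is present and ready, and a directory that accepts BitLocker recovery information (Windows Server 2008 schema or later). `Enable-DefaultBitLocker` and the mount point `C:` are names chosen here; `XtsAes256` is used instead of the question's `AES256` because it is the current OS-drive cipher, and the cmdlets and parameters are the standard BitLocker module ones.

```powershell
# Added example: enable the OS drive with a TPM protector (hands-off boot) and a recovery
# password escrowed to AD DS; report state without printing the 48-digit password.
# Assumes: elevated PowerShell, domain-joined machine, TPM present and ready.

$ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so try/catch actually sees them

function Enable-DefaultBitLocker {
    param([string]$MountPoint = 'C:')

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Make sure a recovery password protector exists (add one only if missing).
    #    Key protectors expose KeyProtectorType; there is no KeyType property.
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    # 2. Escrow every recovery password to AD DS (same effect as the GPO's
    #    "store recovery information in AD DS"), not to a plaintext file on a share.
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # 3. Turn encryption on with a TPM protector, so the user is never prompted at startup.
    #    Skipped when the volume is already (being) encrypted, which makes the script re-runnable.
    if ($volume.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }

    # 4. Report state and protector identifiers only; the password itself stays in AD DS.
    $final = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $final.MountPoint
        VolumeStatus     = $final.VolumeStatus
        ProtectionStatus = $final.ProtectionStatus
        EncryptionMethod = $final.EncryptionMethod
        Protectors       = (@($final.KeyProtector.KeyProtectorType) | Sort-Object -Unique) -join ', '
        RecoveryIds      = ($recovery.KeyProtectorId -join ', ')
    }
}

try {
    Enable-DefaultBitLocker -MountPoint 'C:' | Format-List
}
catch {
    Write-Error "BitLocker enablement failed: $($_.Exception.Message)"
    exit 1
}
```

The order matters for the scenario in the question: the recovery password is created and backed up before encryption starts, which is the same guarantee the "Do not enable BitLocker until recovery information is stored in AD DS" policy enforces, and the TPM protector is what removes the startup prompt; a volume with only a recovery password protector would ask for the 48-digit key at every boot.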

  2. Lei Tao (Shanghai Wicresoft Co Ltd) 245 Reputation points Microsoft External Staff
    2023-11-17T02:24:06.32+00:00

    Hi @Sid-0195

    To enable BitLocker and use the default settings, you can use the following steps:

    1. Open the Group Policy Management Console (GPMC) and create a new GPO.
    2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
    3. Find the "Choose a default BitLocker encryption method and compatibility" setting and enable it.
    4. In the Choose a default BitLocker encryption method and compatibility setting, select the TPM compatible with AES 256-bit encryption option.
    5. Save and apply GPOs.

    This will enable BitLocker and use the default encryption method without having to enter a password or protect the BitLocker key at startup. Note that this requires a TPM (Trusted Platform Module) to be installed on the machine.

    Hope it helps.

    Best regards,

    Lei
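As an added example (not part of either answer), here is a read-only check an administrator can run on a client after `gpupdate /force` to confirm it is in the state these GPO steps are meant to produce: TPM present and ready, the BitLocker policy key present, no startup PIN or key required, and the OS drive protected by a TPM protector plus a recovery password. It assumes an elevated session on the client. The value names read from `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the registry form of the BitLocker Drive Encryption GPO settings, and the `7` compared against `EncryptionMethodWithXtsOs` is the XTS-AES 256 option of "Choose drive encryption method and cipher strength"; `Test-BitLockerDefaultConfig` is a name chosen here.

```powershell
# Added example: verify a client matches the "TPM only, no startup password, recovery in AD DS"
# configuration. Read-only; assumes an elevated PowerShell on the target client.

function Test-BitLockerDefaultConfig {
    param([string]$MountPoint = 'C:')

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where the BitLocker GPO settings land
    $policy    = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }
    $tpm       = Get-Tpm                                    # TrustedPlatformModule module
    $vol       = Get-BitLockerVolume -MountPoint $MountPoint
    $types     = @($vol.KeyProtector.KeyProtectorType)

    # Under "Require additional authentication at startup", a value of 1 for UseTPMPIN or
    # UseTPMKeyPIN means "Require", which would force a prompt at every boot.
    $startupPromptRequired = ($policy.UseTPMPIN -eq 1) -or ($policy.UseTPMKeyPIN -eq 1)

    $issues = New-Object System.Collections.Generic.List[string]
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $issues.Add('TPM is missing or not ready') }
    if ($null -eq $policy)                          { $issues.Add('No BitLocker policy key: GPO not applied') }
    if ($startupPromptRequired)                     { $issues.Add('Policy requires a PIN or startup key') }
    if ($vol.ProtectionStatus -ne 'On')             { $issues.Add("Protection is $($vol.ProtectionStatus)") }
    if ($types -notcontains 'Tpm')                  { $issues.Add('No TPM protector on the OS drive') }
    if ($types -notcontains 'RecoveryPassword')     { $issues.Add('No recovery password protector') }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        TpmReady            = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        PolicyPresent       = ($null -ne $policy)
        # OSRequireActiveDirectoryBackup = 1 is "Do not enable BitLocker until recovery information is stored in AD DS"
        AdBackupRequired    = ($policy.OSRequireActiveDirectoryBackup -eq 1)
        OsMethodIsXtsAes256 = ($policy.EncryptionMethodWithXtsOs -eq 7)
        VolumeStatus        = $vol.VolumeStatus
        EncryptionMethod    = $vol.EncryptionMethod
        Protectors          = ($types -join ', ')
        Compliant           = ($issues.Count -eq 0)
        Issues              = ($issues -join '; ')
    }
}

Test-BitLockerDefaultConfig -MountPoint 'C:' | Format-List
```

A machine that reports `TpmReady = False` will not get a TPM protector no matter what the GPO says, which is the TPM prerequisite this answer points out; `Issues` lists every gap at once so a single run is enough to see why a client is not in the expected state.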

