I am not sure whether GPO supports PS1 scripts just like that (compared to .bat or .cmd), because PowerShell permissions must be applied and it has more dependencies than cmd. Consider using Task Scheduler with GPO, and executing PowerShell there with Set-ExecutionPolicy.
BitLocker script not run on all clients at startup
Hi all,
In the past, inside the company, BitLocker recovery keys were saved in a shared folder on a file server.
All laptops are Windows 10 Professional and the domain controllers are Windows Server 2016 Datacenter.
A few days ago I installed the BitLocker roles on the domain controllers and created my first GPO to manage and store the BitLocker keys of company laptops.
This GPO only works on laptops on which I enabled BitLocker after deploying the GPO.
Here you can see my GPO that permits domain computers to save the BitLocker key in Active Directory.
I would like to save in AD the recovery keys of all laptops/computers on which I enabled BitLocker before creating and deploying the "new management of BitLocker keys".
I created a second GPO that runs a simple PowerShell Script to send recovery key to domain controllers.
Here, you can see the second GPO to backup recovery keys:
The PS script is stored in \\company.local\SysVol\company.local\Policies\{9CDB32A0-1534-4B3D-86D1-F96974CB0E70}\Machine\Scripts\Startup
The PowerShell script is:
# Collect every RecoveryPassword protector on C: (a volume can carry more than one)
$recoveryProtectors = Get-BitLockerVolume -MountPoint 'C:' | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Back each one up to the computer object in AD (requires the "store recovery information in AD DS" policy to be applied)
foreach ($kp in $recoveryProtectors) { Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $kp.KeyProtectorId }
I configured security settings that permit "Domain Computers" and "Authenticated Users" to read and execute this script.
I noticed that not all computers inside the company ran this script properly, and I do not have all BitLocker recovery keys in AD.
Could the wireless network be an issue?
Is there another way to back up the BitLocker recovery keys from laptops on which I enabled BitLocker before deploying the GPO?
Thanks for your suggestions in advance!
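As an added example (not the original poster's script, and not from any answer in this thread), the following is the shape I would give the startup script before pushing it to every laptop: it walks every BitLocker-protected volume rather than only C:, backs up each RecoveryPassword protector individually, and records per-volume success or failure so that "it did not run on some clients" can be told apart from "it ran and the backup call failed". It assumes the "Store BitLocker recovery information in Active Directory Domain Services" policy already applies to the machine and that a writable domain controller is reachable when it runs; the log path is an assumption.

```powershell
# Added example: back up every RecoveryPassword protector of every BitLocker-protected
# volume to the machine's AD computer object and log what happened.
# Assumptions: the AD DS backup policy is applied and a DC is reachable; $LogPath is arbitrary.
$LogPath = 'C:\ProgramData\BitLockerBackup.log'

function Backup-AllRecoveryPasswords {
    [CmdletBinding()]
    param()

    $results = @()
    # Fully decrypted volumes have no protectors, so there is nothing to back up for them.
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    if (-not $volumes) {
        Write-Warning 'No BitLocker-protected volumes found on this machine.'
        return $results
    }

    foreach ($vol in $volumes) {
        $recoveryProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recoveryProtectors) {
            # A volume protected only by TPM (no numerical password) has nothing AD can store.
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector; nothing to back up."
            continue
        }
        # A volume can carry more than one recovery password; a single-object one-liner
        # would pass an array to -KeyProtectorId in that case. Back each one up on its own.
        foreach ($kp in $recoveryProtectors) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $results += [pscustomobject]@{
                    MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId
                    Status = 'BackedUp'; Error = $null
                }
            } catch {
                # Typical causes: the AD DS policy is not applied yet, or no DC is reachable.
                $results += [pscustomobject]@{
                    MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId
                    Status = 'Failed'; Error = $_.Exception.Message
                }
            }
        }
    }
    return $results
}

$report = Backup-AllRecoveryPasswords
$report | ForEach-Object {
    "$(Get-Date -Format s) $($_.MountPoint) $($_.KeyProtectorId) $($_.Status) $($_.Error)"
} | Add-Content -Path $LogPath
$report | Format-Table -AutoSize
```

When this runs as a machine startup script (or as a scheduled task under SYSTEM) it executes as the computer account, which is the identity that writes the msFVE-RecoveryInformation object under the computer in AD; no user credentials are involved, so whether a user has logged on yet does not matter, but the machine does need a network path to a DC at that moment.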
6 answers
-
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP
2021-05-10T17:02:45.867+00:00 -
Anonymous
2021-05-11T00:17:56.657+00:00 Hi,
Welcome to ask here!
For the GPO not applying issue, it will be helpful if you can collect the following information:
1. When some of the computers are not applying the policy well, some are good, right?
2. Where did you link the GPO, at the domain level or the OU level?
3. Did you configure the security filter?
4. Please run cmd as administrator and run the command: gpresult /h c:\report.html, then check if there are any errors and if the GPO was applied.
If possible, please share a screenshot here.
For the bitlocker recovery key setup, I'm afraid i can't give you more professional advice.
You may create a new thread and add the win10 setup tag to get more professional advice.
Thanks for your understanding.
Best Regards, -
MTG 1,246 Reputation points
2021-05-11T08:56:23.867+00:00 Startup scripts don't run by default when a machine is shut down and turned on again (this process is called "fast startup"); they only run after a reboot.
So if you want to get them all now, no matter whether they use fast startup or not, deploy an immediate task via GPO that runs your PowerShell script as the system account. -
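What the immediate-task approach amounts to, written as an added PowerShell example rather than the Group Policy Preferences UI (this is not code from the thread): register a task on the client that runs the SYSVOL script as SYSTEM, once right away and again at every start, with the execution policy bypassed for that process only so that nothing inside the script has to call Set-ExecutionPolicy. The script file name is an assumption; the folder is the policy path given in the question.

```powershell
# Added example: local equivalent of a GPO "immediate task" running the backup script as SYSTEM.
# Assumption: the script was saved as Backup-BitLockerKey.ps1 in the policy's Startup folder.
$ScriptPath = '\\company.local\SysVol\company.local\Policies\{9CDB32A0-1534-4B3D-86D1-F96974CB0E70}\Machine\Scripts\Startup\Backup-BitLockerKey.ps1'
$TaskName   = 'Backup-BitLockerRecoveryKey'

# -ExecutionPolicy Bypass applies to this powershell.exe process only; no machine-wide change.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Run once shortly after registration (catches machines that will not reboot soon)
# and again at every system start.
$triggers = @(
    (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(2)),
    (New-ScheduledTaskTrigger -AtStartup)
)

# SYSTEM reaches SYSVOL as the computer account, so "Domain Computers" must be able to read the script.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# RunOnlyIfNetworkAvailable + StartWhenAvailable: a laptop that boots before Wi-Fi is up
# gets the task when a network appears instead of failing silently.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

# Kick it off now and read the last result (0 means powershell.exe exited cleanly;
# the per-volume outcome still has to be checked in the script's own log or in AD).
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object TaskName, LastRunTime, LastTaskResult
```

A LastTaskResult of 0 only says the process exited without error; to confirm the keys actually landed, look for msFVE-RecoveryInformation objects under the computer in Active Directory Users and Computers (BitLocker Recovery tab) or in the script's log.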
Federico Coppola 1,181 Reputation points
2021-05-11T17:28:54.067+00:00 Hi all,
@Pavel yannara Mirochnitchenko
Thanks for your suggestion.
In my opinion I can run a PS1 script, because you can select whether to run a CMD or PS script inside Group Policy.
It is a good idea to run the script using Task Scheduler and GPO.
Should I run "set-executionpolicy" (https://ss64.com/ps/set-executionpolicy.html) inside the script?
- Yes, some computers apply the GPO, some computers do not apply it.
- The GPO at this moment is configured at the domain level.
- I left "Authenticated Users" as the security filter (the default security filter).
- I will try it and I will update you.
@MTG
Thanks for this suggestion.
Here there is a guide: https://4sysops.com/archives/run-powershell-scripts-as-immediate-scheduled-tasks-with-group-policy/
Of course I can set a network path where I can locate the PowerShell script with read-only permission for everyone... Thanks
Federico -
Federico Coppola 1,181 Reputation points
2021-05-17T07:26:16.987+00:00 Hi @Anonymous
I waited some days and I noticed that now these two laptops back up their BitLocker recovery key to Active Directory.
At this moment I have applied this policy to just a small Computer OU (there are just 6 laptops in this OU).
Now all laptops have their BitLocker recovery key in their AD computer object. I noticed that these laptops downloaded the GPO properly and I do not see errors.
After that I noticed a warning message in the gpresult HTML report.
The link is this one: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj573586(v=ws.11)?redirectedfrom=MSDN
This link talks about Fast Startup, but it is not correlated to Windows Server 2016 and Windows 10 Professional. (Inside the company there are only Win10 PCs and Win2016 servers.)
In the past, there was an old 2008 domain controller that I demoted one year ago.
Thanks for your support and help.