Turn on BITLOCKER with a GPO

Marshall 11 Reputation points
2021-09-02T17:05:24.653+00:00

Hi all,
I would need to turn on Bitlocker with a GPO.
I've created a policy where I've added the ps1 below to the startup:

 $CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'  
  
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {  
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest  
}  

but it only works when I run it by opening powershell locally and "as administrator"

this is the error that I receive when not running as administrator:

128737-screenshot-2021-09-02-at-190224.png

any suggestions?
Thank you very much

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,917 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,055 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Limitless Technology 39,461 Reputation points
    2021-09-03T10:01:00.147+00:00

    Hello Marshall

    I do it in a different way, using purely group policy

    1.Go to Group Policy Editor in "gpedit.msc"
    2.Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3.n the right pane, double-click "Require additional authentication at startup"
    4.Make sure the "Enabled" option is chosen so that all other options below will be active.
    5.Uncheck the box for "Allow BitLocker without a compatible TPM."
    6.For the choice of "Configure TPM startup:", choose "Allow TPM."
    7.For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
    8.For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
    9.For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
    10. Click the "Apply" button and then the "OK" button to save the changes.

    Hope this helps in your case,

    Best regards,

    1 person found this answer helpful.

  2. Marshall 11 Reputation points
    2021-09-06T10:33:31.437+00:00

    Hi LimitLess,
    thanks for you reply!
    I created a policy with your instructions but unfortunately the bitlocker it's still not applied:

    129592-screenshot-2021-09-06-at-122932.png

    any suggestions ?

    Thanks you very much

    Best regards

    0 comments No comments

  3. MTG 1,201 Reputation points
    2021-09-06T12:43:06.253+00:00

    GPOs alone cannot encrypt (unless you have MBAM).
    See my article. It uses a GPO to start it scripted: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D

    0 comments No comments

  4. Francois Jacobs 1 Reputation point
    2022-05-31T14:37:57.68+00:00

    Hi

    i have BitLocker turned on but it keeps asking me for a password when i startup
    is there a way to turn it on without the need to enter a password with every startup?