Permission Denied error trying to deploy BitLocker through Group Policy

  • Question

  • I am trying to deploy BitLocker on Windows 10 in an Active Directory 2012 functional level environment via a PowerShell script that runs at startup. TPM is enabled and working, and it doesn't seem to matter what manufacturer made the laptop in question. Most are either older Lenovo X1 Carbons or newer Dell laptops.

    The script works when run manually as a local administrator account, but fails with the error "a required privilege is not held by the client" if run on startup by GPO. The command that fails (but works fine if launched as an admin) is 

    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector

    What permissions or privileges are required for this command to execute? I have used whoami /priv to try to track it down, but without success. I can't identify any privileges that local administrators have but the System account does not. 

    Any suggestions? 

    Monday, September 16, 2019 1:53 PM
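A logging wrapper for the startup script, added here as an example and not code from the thread: since whoami /priv from an interactive admin shell does not show what the GPO startup process actually holds, it records identity, privileges, TPM state and volume state from inside that context before attempting the call, and preserves the HRESULT when it fails. The log path is an assumption.

```powershell
# Added diagnostic wrapper, not code from the thread. Run it as the GPO startup
# script so identity, privileges and TPM/volume state are logged from inside
# the actual startup context before Add-BitLockerKeyProtector is attempted.
$LogPath = 'C:\Windows\Temp\BitLocker-Startup.log'   # assumed log location

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log ("Running as {0} (SID {1}), administrator token: {2}" -f $id.Name, $id.User.Value, $isAdmin)

# Privileges exactly as this process holds them; compare with 'whoami /priv'
# taken from an interactive local-administrator shell.
whoami /priv | ForEach-Object { Write-Log $_ }

# TPM and volume state before any change is attempted.
$tpm = Get-Tpm
Write-Log ("TPM present={0} ready={1} enabled={2} activated={3}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled, $tpm.TpmActivated)

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $vol.KeyProtector.KeyProtectorType -join ','
Write-Log ("Volume status={0} protection={1} protectors=[{2}]" -f $vol.VolumeStatus, $vol.ProtectionStatus, $types)

# A volume holds only one TPM protector, so a rerun of the startup script must
# not report a spurious failure when the protector already exists.
if ($vol.KeyProtector.KeyProtectorType -contains 'Tpm') {
    Write-Log 'TPM protector already present; nothing to do.'
    return
}

try {
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector -ErrorAction Stop | Out-Null
    Write-Log 'TPM protector added.'
}
catch {
    # Record the whole error record, not just the message text, so the HRESULT
    # behind "a required privilege is not held by the client" is preserved.
    Write-Log ("FAILED: {0}" -f $_.Exception.Message)
    Write-Log ("HResult=0x{0:X8} Category={1}" -f $_.Exception.HResult, $_.CategoryInfo.Category)
}
```

Diffing the privilege list in the log against the interactive one answers the question of which token the startup script actually runs with.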

All replies

  • Use psexec for a test.

    On an elevated command prompt, run

    psexec -s -i cmd

    then, on the new command prompt, which runs as system account, launch

    manage-bde -on c:

    What does it say?

    Wednesday, September 25, 2019 7:07 PM
  • Use psexec for a test.

    On an elevated command prompt, run

    psexec -s -i cmd

    then, on the new command prompt, which runs as system account, launch

    manage-bde -on c:

    What does it say?

    That appears to be successful, but so was manually launching the script under psexec -s. For some reason it doesn't work when launched by a GPO script even though startup scripts run as the system account. 

    Thursday, September 26, 2019 6:38 PM