Enable Bit-locker on 300+ users 10 machines

  • Question

  • Hi All,

    I have to enable BitLocker on all 300+ machines (this contains mostly domain-joined and unjoined machines and remote workers).

    I am aware of the Group Policy to deploy, but the issue is I don't want users to encrypt the drives by themselves. Is there any automation which can do this for all users?

    Your help is highly appreciated.

    Regards

    Abhay

     



    Wednesday, October 2, 2019 6:20 AM

All replies

  • Hi,

    As far as I know, there are no user-specific policies in GPO templates for BitLocker.

    To restrict users from encrypting the drives by themselves, make sure these users are not in the local administrators group. Then, when they want to encrypt drives, an admin user name and password will be needed.

    Best Regards,



    Thursday, October 3, 2019 5:45 AM
    Moderator
  • Hi David,

    I mean some sort of automation is required where user intervention is none or minimal.


    Regards Abhay

    Thursday, October 3, 2019 1:40 PM
  • I think that depends on the right MBAM/Bitlocker policy settings.


    Obinna C. Onwusobalu ~ MCSA MCTS MCITP

    It's all fun and games until someone divides by zero.

    windowshelper.home.blog

    Thursday, October 3, 2019 11:01 PM
  • Hi Abhay,

    I use a combination of the GPO settings and a PowerShell script. I have written an article about this in German. Here is the link with Google Translate in English: http://translate.google.de/translate?hl=de&sl=de&tl=en&u=https%3A%2F%2Fwww.infrastrukturhelden.de%2Fmicrosoft-infrastruktur%2Fmicrosoft-windows%2Fclient%2Fwindows-10%2Fbitlocker-mit-windows-10-und-power-shell.html

    The PowerShell script can be used with a software distribution system like SCCM, Avanti or something else. If you do not have such a tool, you can use a run-once scheduled task within the same GPO. But I recommend, to have more control, using a security filter group and performing a rollout in waves.

    Here is the script to avoid translation issues (It is written to set a BitLocker PIN, you can change this if needed):

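    # PIN used for the TPM+PIN protector (example value from the post)
    $Pin = ConvertTo-SecureString "123456" -AsPlainText -Force
    # Add a recovery password protector to the system drive
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    # Pick the recovery password protector explicitly instead of relying on index 0
    $BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $Recovery = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    # Back up the recovery password to AD DS before encryption starts
    Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $Recovery.KeyProtectorId
    # Enable BitLocker with TPM + PIN and start encrypting without the hardware test reboot
    Enable-BitLocker -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
    # Show progress until encryption has finished
    While ((Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus -eq "EncryptionInProgress") {
        $encPercent = (Get-BitLockerVolume -MountPoint $env:SystemDrive).EncryptionPercentage
        Write-Progress -Activity "Encrypting $env:SystemDrive" -PercentComplete $encPercent -Status "$encPercent% complete"
        Start-Sleep -Milliseconds 1000
    }
    Write-Progress -Activity "Encrypting $env:SystemDrive" -Status "Done" -Completed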


    Best regards
    Fabian Niesen
    ---
    Infrastrukturhelden.de
    LinkedIn - Xing - Twitter
    #Iwork4Dell - Opinions and Posts are my own

    Sunday, October 6, 2019 7:21 AM
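
The thread mentions a mixed fleet (domain-joined and unjoined machines) and an unattended rollout through a software distribution tool or scheduled task. The following is an added example, not part of the original post or the linked article: a re-runnable wrapper around the same cmdlets that refuses to encrypt unless the recovery password has first been escrowed to AD DS. The function name `Invoke-BitLockerRollout` and its parameters are hypothetical; it assumes the same TPM+PIN protector and AD DS backup as the script above.

```powershell
#Requires -RunAsAdministrator
# Added example: Invoke-BitLockerRollout is a hypothetical name, not from the post.
function Invoke-BitLockerRollout {
    param(
        [Parameter(Mandatory)] [securestring] $Pin,      # supplied by the deployment tool
        [string] $MountPoint = $env:SystemDrive
    )

    # 1. Safe to re-run: skip volumes that are already encrypted or mid-encryption.
    $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($blv.VolumeStatus -ne 'FullyDecrypted') {
        return "Skipped: volume status is $($blv.VolumeStatus)"
    }

    # 2. The TPM+PIN protector needs a TPM that is present and ready.
    $tpm = Get-Tpm -ErrorAction Stop
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        return 'Skipped: TPM not present or not ready'
    }

    # 3. Backup-BitLockerKeyProtector writes to AD DS, so unjoined machines are
    #    reported instead of being encrypted without an escrowed recovery password.
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        return 'Skipped: not domain joined, recovery password cannot be escrowed to AD DS'
    }

    # 4. Reuse an existing recovery password protector, or create one.
    $rp = $blv.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
            -ErrorAction Stop | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    }

    # 5. Escrow first. If the backup fails this throws and the drive stays unencrypted.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId `
        -ErrorAction Stop | Out-Null

    # 6. Only now start encryption, with the same switches as the script in the post.
    Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin `
        -SkipHardwareTest -ErrorAction Stop | Out-Null
    return 'Encryption started'
}
```

The returned status string can be written to the deployment tool's log so that skipped machines (no TPM, not domain joined) show up per rollout wave.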