This video demonstrates how to encrypt Windows System Volume using Group Policy Object (zero-touch encryption). Download BitLocker Script. drive.google.com/drive/folder...
Was about to do this on 50 computers spread around the country - thank you for a brief explanation, I felt totally overwhelmed by the deployment-script stage. I'm going to do some tests and pray for the TPM-modules being activated! :- )
@wibbers2000
3 years ago
Have been looking for a while and tried a number of things... this worked first time and everything you need is here. Thanks
@brianchew9228
3 years ago
Thank you SO MUCH! My Admin left and my company is on "hiring freeze" and I need to get this done. I would buy you a cup of coffee if I meet you in person. Thanks once again.
@seanjr4387
3 years ago
I'm glad I was able to help. It's a challenge I was given myself. I figured it would help someone else. Thank you.
@johnhampe4214
1 year ago
Sean, absolute genius dude! Well done!
@RayHampton
1 year ago
Excellent walk-through. Thank You!
@bsoliman5737
10 months ago
Just tried this...worked perfectly! Thanks!
@Buksie9
2 years ago
Amazing tips. Thanks Sean!
@kyleelam4337
7 months ago
You sir are an absolute legend.
@andersonmota4392
1 year ago
Thanks! Working perfectly!
@christopherdesouza8334
1 month ago
Not bad. To avoid multiple keys, change the scheduled task: go to the Common tab and check the "Apply once and do not reapply" checkbox. Otherwise, every time the device is idle or a login occurs it will record a new key and eventually have tons in Active Directory. Also, I would have the Group Policy-created scheduled task not update, as it will reset the task as if it has not been run and cause the same multi-key entries. Plus there is a bug where it will mismatch and it is possible that no key works. Resetting a device later and needing that key will be a real problem. The way we do this is actually to create a registry key via Group Policy that applies the script to RunOnce for the same purpose, and we find it is much more consistent.
@FaithfulMC
2 years ago
Thanks, seems to work perfectly
@yaaj008
1 year ago
Great work Sean Jr. Works perfectly. Really appreciate you sharing this video; just a question on enabling it on data disks.
@MrMilesThompson
9 months ago
Thanks! Worked like a charm.
@jsrizo01
1 year ago
Works like a charm!
@stefanogensabella3749
1 year ago
Super useful, thanks
@HardWorkZz
1 year ago
Hi Sean, Thank You So much. Works Perfectly in My Company. 10/10 !!! =) =) =)
@keventagolgol8899
1 year ago
Do you have a copy of the scripts?
@252ruud
1 year ago
Thank you!
@xrated_
2 years ago
It also works without the script; I believe the GPO option is "enforce BitLocker on OS drive". At least this is what I found out by mistake.
@Ntinsky
3 years ago
Great video. Thanks for sharing the knowledge. One question though: will the GPO automatically enable BitLocker for a fixed drive and/or a removable drive if configured? Because for the OS drive you used the script with the Task Scheduler to trigger the Enable action. Or do I have to modify the script somehow to include a drive D or E, for example? Any advice will be highly appreciated. Keep up the good work.
@MattEOKC
8 months ago
This worked like a charm! Thanks for the video! One thing I learned was that if a PC has BitLocker On already, you will have to disable it and then reboot and let the policy turn it on in order for AD to pickup the key. AD will not pick up the key except during generation.
@osamaelnabawy462
6 months ago
Can I disable it for all devices by GPO or manually?
@fadynagy9183
1 year ago
Hi Sean, first, thank you. I have tested it in a virtual environment and it is working, but does this script work only for system drives? Because I have a D drive and it did not enable BitLocker on it.
@TheDJZeroX
1 year ago
Does this script also work on machines with a different language? Since the findstr searches for english words?
@sodalinsen
2 years ago
How can we let the user create the password by themselves? Example: once the machine starts up or logs on, it requires a dialog box for the password. Is there any way to do that?
@charlesbuzz
2 years ago
Great video. Your link points to a batch file, but in your video you refer to a PowerShell script.
@baboo84
2 years ago
My problem is the TPM chip isn't even activated in BIOS on many systems. Is there a way to activate the TPM chip in the BIOS from the DOS command line or Powershell?
@fredphish3676
2 years ago
No one seems to have noticed that the script settings, with a scheduled task set to run at idle, mean that this script will run constantly throughout the day on the PC forever, even after the drive has been encrypted, or until the scheduled task is removed.
@seanjr4387
2 years ago
Hi Fred... I completely understand your concern. In the script, it's set to ignore if the volume is already encrypted. But if that's a problem you can set the task to run once on the computer.
@franklinmoreno3805
1 year ago
Hello, I have applied what you indicate in the video, but BitLocker cannot be applied to drive C:. Could you help me?
@davebyers9567
5 months ago
What are you using to display the system information on your desktop?
@Lockmaw2011
2 years ago
Hello Sean Jr. Great video and article. But I have a challenge with multilingual clients (German, Spanish): it looks like your script only runs on an English OS. Do you have a solution for this? Many thanks.
@rakshithshaz6221
1 year ago
Hi Sean, could you please help me out with enabling fixed drives automatically? I'm a fresher to this field. Please help me out. I'm stuck.
@fabriciomattos16
21 days ago
Even though the GPO is configured, do I need to enable BitLocker manually?
@jamesjames601
4 days ago
It works without running the batch file
@umesh21071990
3 years ago
As per your video, the GPO works fine for me. Can you tell me, will it work for a system which has multiple drives?
@ahmedtaher4232
2 years ago
up
@steffan23
3 months ago
I'm seeing multiple entries of keys stored on a computer's AD object. Is this a result of the idle time?
@mocofred4029
3 years ago
WHERE DID YOU GET THE BATCH FILE FROM? HOW DID U CREATE IT? ANY VIDEO FOR THAT? SORRY ABOUT THE CAPS
@seanjr4387
3 years ago
The URL to download the script/batch file is in the description.
@JDavis-pz4bv
3 years ago
Search GitHub.
@roti_pani
9 months ago
Is it compulsory to have a TPM in the user's computer for this to run? What if we are using a VM?
@yessayan82
3 years ago
Thanks for the very useful info. What if the GPO is applied to an OU: what will happen to some PCs where BitLocker is already enabled? Will it re-enable them, or will they stay as they are?
@seanjr4387
3 years ago
Good question! I'm not sure. I would expect it to automatically add the key to the AD object. It should be a fairly easy test. See what happens when you try to Bitlocker a computer that was already encrypted.
@yessayan82
3 years ago
@seanjr4387 Hi, I found that the script didn't change anything on PCs which are already BitLockered; it didn't even back up the key to AD, so you have to manually back up the key or create a GPO to do so.
@user-yu2dp9cf2v
4 months ago
Something weird happened to me: this procedure worked for me pretty well a couple of months ago, but I tried to run it again and it doesn't work. It creates the Scheduled Task, but it runs with operative code 2. Any idea?
@user-sz1fe7er5e
7 months ago
Hi, is it possible to set in the GPO that, at the time the disk starts to encrypt, the user would be prompted to enter a PIN as an additional layer of security? Mostly for laptops that can be stolen.
@nevillbowyer4175
2 months ago
You should be able to do this by updating the GPO to require PIN.
@purepure8950
7 months ago
Where did he get the script???
@LiamGaffey-pi9en
3 months ago
I've managed to get it to push out with all these settings, but the Task Scheduler doesn't seem to run correctly. It shows it has run but it is not starting the encryption, but when you force the task to run manually it works -_- Any ideas?
@nevillbowyer4175
2 months ago
It might be the user that the task is running as. Or it could be a conflicting policy in your environment.
@rezaeshraghi613
3 years ago
Thanks for your video, but I have tried to run the script; it gives some error and it is not working! Could you please help me?
@tristanjaybusto2101
2 years ago
Thank you so much for this video. I just want to ask: after I enabled the feature (BitLocker Encryption) on our Windows 2016 server and restarted, when I open the GPM Editor at Windows Components and select BitLocker encryption, I can't see any folder inside it, unlike yours. I can see only: Turn on Bitlocker ...... Control Panel Setup: ...... Control Panel Setup: ...... Control Panel Setup: ...... Configure encryption method, Prevent memory overwrite on restart, Configure TPM ..... Hope anybody can answer my question. Thanks and much appreciated.
@relucraciun6352
2 years ago
Thanks Sean Jr. Super! I managed to test the GPO with the task scheduler and script and everything went just fine. How can I extend encryption to all fixed data drives? Because we also have more than one partition in some computers. In the GPO I made the change, but the script only handles %systemdrive%. Any help is welcome. Thanks!
@niklas4865
2 years ago
Hey. I have created a PowerShell script. Batch is not really my strength. It checks for all local drives with partitions and encrypts them with BitLocker. Also, the BitLocker key is then restored to AD. Maybe it helps one or the other. Instead of the batch script, select the PowerShell script. drive.google.com/file/d/1IYMOmckcjAmAR8oqrh7--Y3-8BVY1pbR/view?usp=sharing
@Nav_Ox
2 years ago
Thank you for creating this video and sharing the script. If we wanted to modify this to include other drive volumes how would we go about adding "D:" "E:" Etc? Also do you have a social media / email account you could share? I checked your channel for contact info but was not able to locate that. @Sean Jr thank you again.
@metalstez88
1 year ago
Hello, I need some help because this doesn't work on some PCs: the scheduled task is present, but encryption won't start and the key is not saved in AD. I have 20 PCs failing on this; on others it works perfectly. Thanks for the help. Is there any log or something to troubleshoot?
@DusanSRB96
1 year ago
Check all steps in the video again, and all devices must have TPM 1.2 or newer so this can work.
@yip50685545
1 year ago
Set up everything, but the computers don't run auto-encryption. Any idea? They can access the bat file. Manually running the bat is fine.
@interstellaroverdrive3658
1 year ago
I'm having the same issue.
@userbox0029
1 month ago
I have set the script to run under "System", and the script works when I log in under an administrative account, but it does not work when I log in under an account without administrative rights.
@johnredo8347
3 years ago
The scheduled task will run, but the script itself does not appear to be running. If I run the script manually on the local PC, it works fine. Any ideas what I could check?
@seanjr4387
3 years ago
Just in case the file is being blocked on the DC share, right-click the file, go to Properties, and under the General tab look for the Unblock button. Example: stackoverflow.com/questions/15263523/batch-file-to-unblock-files-copied-from-internet
@fatbinmuadh8330
2 years ago
@seanjr4387 Hi Sean, thanks for sharing the tutorial and script. Do we necessarily have to place the script on a domain controller, or will any file server do? Thanks in advance.
@rerazol
2 years ago
Hi Sean, I tried it and it doesn't work. I run the script manually and I get the message "It looks like your system require that you run this program as an Administrator." What is wrong?
@KarlTheYeetus
2 years ago
Have you checked the "Run with highest privileges" box in the Task Scheduler?
@thomasweingart9005
1 year ago
I have the same problem. I have set the checkmark for "Execute highest priority". What was the solution? Thank you.
@Akira29H
3 years ago
Are you using MBAM on this?
@FranklinChekani
2 months ago
Script worked flawlessly. Just curious, where does the script store the recovery key? Assuming you did not say to save it in AD DS.
@nevillbowyer4175
2 months ago
It's saved in ADDS. Go to the Properties of the Computer Object and you'll see a BitLocker Tab. 12:03 If you're not seeing the tab, you might have to rewatch the video where I install the BitLocker role. I hope this helps.
@lsync3707
2 years ago
Is it possible to enable and store the key for fixed data drives?
@sodalinsen
2 years ago
Yes, we have this option in the GPO; it is called "Choose default folder for recovery password", then define your location.
@lsync3707
2 years ago
You can fix it by changing the C drive letter in the script to whatever you want. In my case I changed it to D and created another script.
@RK-ly5qj
3 years ago
The question is, why didn't you choose to encrypt FDE (full disk)? From an organization and protection perspective it's much, much more secure ^^ And what about devices that don't have a TPM module etc.? ;)
@JDavis-pz4bv
3 years ago
Group policy > Computer Config > Admin Templates > Windows components > Bit Locker encryption > Require additional authentication > enable, Allow Bit Locker without compatible TPM. Haven't tested it but give it a shot.
@logiq6053
2 years ago
Did anyone get the script to work for all the drives?
@Kilerboy552
2 years ago
Up, I have the same question too.
@muhammadasif4916
2 years ago
I like your video, but you did not show how to create it at 6:01. Please, someone explain to me how to create the file EnablingBitlocker in the folder GEGPO.
@seanjr4387
2 years ago
Hi Muhammad, I'm glad you like this video. You can download the BitLocker script in the description. I hope this helps.
@TechJPC
2 years ago
How did you get all of your network info on your desktop?
@nathanstotts7431
1 year ago
bginfo
@aradoc3951
3 years ago
Trying to get this to work for hours now...... But it just doesn't want to work. Looks like I have to manually enable BitLocker on 300 computers......
@tristanjaybusto2101
2 years ago
:((
@Akira29H
3 years ago
Is the key being randomised? Also, how to enable BitLocker so that when the PC boots up it won't prompt the user to key in the locker key?
@seanjr4387
3 years ago
Question #1: Yes. BitLocker generates a random encryption key. The script is just enabling BitLocker and storing the key in AD. Question #2: In the GPO you create, you have to define how you want BitLocker to unlock. Review the GPO settings you created to make sure Network Unlock and/or TPM unlock is enabled.
@Akira29H
3 years ago
@seanjr4387 Hi, do you have documentation for TPM-only authentication? Or a guideline?
@amitals01
1 year ago
What needs to change in the batch file if we want to encrypt a data drive like a D drive?
@Siraj_Ather
1 year ago
Did you find the answer? I'm also searching for the same.
@troystory7389
1 year ago
@Siraj_Ather I am also looking to encrypt two disks, C: and D:, on a workstation.
@epjrxviii3315
3 years ago
Thanks for sharing. Could the user still be able to open the laptop/desktop even if the device is not connected to the network?
@seanjr4387
3 years ago
Yes. The TPM chip will allow the user to login as long as it does not detect any changes on the Motherboard or new boot device.
@epjrxviii3315
3 years ago
@seanjr4387 Thank you
@fatbinmuadh8330
2 years ago
Question: 1) When the machine starts after encryption has completed, will it require the user to type a password to unlock the drive? 2) Can we apply the same script if we want to implement BitLocker that is not based on the TPM? Password method. Thank you in advance.
@Akira29H
3 years ago
Have you done it with BitLocker + TPM only? And if this is done via GPO, what happens if the PC is work-from-home?
@platini64
2 years ago
It should work if you have connectivity to your AD, e.g. using a VPN connection.
@MikesGarageWorks
1 year ago
This only works with a batch file. How do I get a PowerShell script to run instead of a batch file? The script works perfectly when run manually, however it closes immediately and doesn't even start the transcript when executing as SYSTEM at user login.
@seanjr4387
1 year ago
What made you configure it to run at User Login and not via Task Scheduler at system startup?
@MikesGarageWorks
1 year ago
@seanjr4387 My script is enabling BitLocker and initializing the TPM. The file is hosted on a DC; the network is not available at startup for laptops.
@MikesGarageWorks
1 year ago
@seanjr4387 Actually, the startup script works fine now. So never mind; however, it would still be nice to know the solution. I could see maybe needing to schedule a task as SYSTEM to run a PowerShell script from a network drive. Absolutely nothing I have tried will allow the SYSTEM account to get past execution policy restrictions.
@SinodosAmaha
11 months ago
@MikesGarageWorks I used a bat file too because the script didn't work for me. How did it work for you?
@MikesGarageWorks
11 months ago
@SinodosAmaha I ended up placing it as a startup script in the GPO and hosted the script on NETLOGON. The script is PowerShell and runs before login.
@christopherrich6190
16 days ago
My issue is that the GP is getting pushed out but the scheduled task isn't. Not sure why, but I thought about pushing the script out one time to the PCs since it only has to be run once. Would that work?
@jrelvio
6 months ago
Excellent. And for computers that do not have a TPM chip, does it work?
@nevillbowyer4175
2 months ago
Usually you can define the requirements in the BitLocker GPO. But I believe my script is looking for a TPM chip.
@ashoksan14
3 years ago
I can't open your description link to download that bat file.
@seanjr4387
3 years ago
I tested the URL and it works fine for me while using my browser in Incognito. What is the error you are receiving?
@ashoksan14
2 years ago
@seanjr4387 Thanks, I have downloaded it. Thanks a lot.
@ashoksan14
2 years ago
@seanjr4387 Do you have an idea about AD migration?
@princec4933
3 years ago
Hi, how to enable BitLocker for the C, D and E drives with a PIN or password? I don't have a TPM on my laptop. Please assist me; your answers are highly appreciated.
@enricomora736
3 years ago
Will this also encrypt removable drives?
@seanjr4387
3 years ago
No. You have to turn on removable drive encryption in your GPO.
@TechJPC
2 years ago
Does this require a password to be entered every time a BitLockered computer is restarted?
@seanjr4387
2 years ago
Based on the video, no. That option is controlled by the GPO.
@keithambio2502
4 months ago
@seanjr4387 So curious: what does encrypting the drive do if there isn't a password needed when you boot? What does the encrypt part secure?
@pizppizp
1 year ago
Hi, the task is not running for me. Any ideas?
@SinodosAmaha
11 months ago
It works; start the Task Scheduler as admin.
@jdas1668
2 years ago
Hi Sean, some drives are not showing in the BitLocker option. How to solve the problem? Please reply.
@sodalinsen
2 years ago
I have the same question. Meaning that it works only for the system drive itself.
@galaxyguy9873
3 months ago
Hold up. Why would you have to add roles and features when it's definitely already there by default on every single Windows 11 machine???????
@nevillbowyer4175
2 months ago
The role is so you can create a BitLocker policy. For example, you need a policy telling the script or a user who manually tries to BitLocker their computer to not BitLocker the computer unless the key is stored in ADDS. Plus you'll need the role so you can see the recovery key. I hope this helps.
@rickglorie
24 days ago
And this is for your domain controller(s), not on the clients.
@valeriomarino7597
1 year ago
Not Working for me dear..
@lanzarin_
3 years ago
Hi Sean Jr, thanks so much! I am not able to run the script manually. Although I run it with administrator permissions, it always falls under :ElevateAccess. Any suggestion?
@seanjr4387
3 years ago
What is the error? What tool are you using?
@philippwalkenhorst7979
2 years ago
I have the same issue. I run the script with different admins, but every time I get to "goto elevateaccess". Any ideas?? Thx
@philippwalkenhorst7979
2 years ago
@seanjr4387 Please help
@TommyTheHeist
3 years ago
What is inside that begpo file? I don't have it.
@seanjr4387
3 years ago
I've provided a link in the description. You should be able to download it.
@TommyTheHeist
3 years ago
@seanjr4387 But this works only if you have a TPM, right? Let's say I don't have it but I still want to encrypt, and I want to force people to enter a password of their choice and put the recovery backup on my server, Active Directory. I assume that this works only with a TPM, because I'm not required to enter a password.
@princec4933
3 years ago
@seanjr4387 I got the error when I checked your description, and it says "The requested URL was not found on this server. That's all we know."
@JDavis-pz4bv
3 years ago
@TommyTheHeist Try Group policy > Computer Config > Admin Templates > Windows components > Bit Locker encryption > Require additional authentication > enable, Allow Bit Locker without compatible TPM.
@Akano1
3 years ago
@seanjr4387 I can't find the link for the script. Please share again.
@tanjidamunne1567
1 year ago
Can you share the script file, please?
@keventagolgol8899
1 year ago
Do you have the script?
@BSA-Studio
2 years ago
Those steps don't work for me. Do they work for anyone ?
@keventagolgol8899
1 year ago
I need a copy of the script file.
@ranno525
1 year ago
Same here.
@Hodenkat
1 year ago
What is the batch file?
@seanjr4387
1 year ago
You can find the batch file via the link in the description.
@Hodenkat
1 year ago
@seanjr4387 Thank you. This entire process did not work. I followed the steps carefully twice on two virtual machines and nothing happens. The task shows in Task Scheduler, and the GPO shows when I do a gpresult /r, but nothing happens. I have made sure the policy is enforced and all settings are correct. Running the script (EnablingBitLocker.bat) in PowerShell ISE shows many errors. I will try it a 5th time along with this video and hopefully I will figure out what I'm doing wrong.
@shevonnedixon583
10 months ago
How do I prompt the user to enter a password?
@seanjr4387
9 months ago
You can control this part from the GPO. Explore the Group Policy options for BitLocker.
@matthewsharrer2203
3 months ago
I noticed that the batch file is missing a couple of GOTOs/batch labels:

    :VerifyBitLocker
    for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
        if "%%A"=="AES" goto Inprogress
    )
    for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
        if "%%A"=="XTS-AES" goto Inprogress
    )
    for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
        if "%%A"=="None" goto EncryptionFailed
    )

Inprogress and EncryptionFailed do not exist. This will result in either "The system cannot find the batch label specified - Inprogress" or "The system cannot find the batch label specified - EncryptionFailed".
@matthewsharrer2203
3 months ago
Unless the intention was to monitor the progress (which I doubt, given the text in the EncryptionCompleted block), I would recommend replacing Inprogress with EncryptionCompleted. One can also create the block for EncryptionFailed:

    :EncryptionFailed
    echo.
    echo =============================================================
    echo = System Volume Encryption on drive (%systemdrive%\) failed. =
    echo = The script was able to make it past the TPM steps.        =
    echo = Encryption was not turned on.                             =
    echo =============================================================
    echo Closing session in 30 seconds...
    TIMEOUT /T 30 /NOBREAK
    Exit

What would be helpful is to get output that explains why the encryption failed, but at least this doesn't result in any errors, and it explains that at least the TPM part was passed.
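The status check above is done by scraping English manage-bde output with findstr, which is what breaks on German or Spanish clients (raised elsewhere in this thread), and the batch script only escrows a key it generated itself, so PCs encrypted before the GPO never get their key into AD. The following is an added PowerShell example, not the video's script and not the fix proposed in the comment above: it uses the BitLocker cmdlets' structured objects instead of text parsing, skips volumes already encrypting or encrypted, and escrows an existing recovery password for machines that were already BitLockered. It assumes the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 and later), that the GPO to store recovery information in AD DS is applied, and that it runs elevated (for example as SYSTEM from the scheduled task).

```powershell
# Added example (not the video's batch script). Enable BitLocker on the OS volume
# with TPM + recovery password, escrow the recovery password to AD DS, and do
# nothing destructive on machines that are already encrypted.
# Assumes: BitLocker + TrustedPlatformModule cmdlets, the "Store BitLocker
# recovery information in AD DS" GPO is in place, and an elevated context.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Escrow the volume's recovery password(s) to AD DS. If the volume has none
# (e.g. TPM-only), add exactly one. Never add another on every run: that is
# what piles up recovery keys on the computer object.
function Backup-RecoveryPasswordToAd {
    param([Parameter(Mandatory)][string]$MountPoint)

    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $protectors) {
        $protectors = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $protectors) {
        # Writes msFVE-RecoveryInformation under the computer object; fails loudly
        # (ErrorActionPreference = Stop) if the AD DS backup policy is missing.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "Escrowed recovery password $($p.KeyProtectorId) for $MountPoint to AD DS."
    }
}

$osDrive = $env:SystemDrive   # no hard-coded drive letter, same idea as %systemdrive%

# TPM gate, the equivalent of the batch script's TPM steps, with no localized
# text to parse.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "No ready TPM on this machine; $osDrive left untouched. Adjust the GPO (allow BitLocker without a compatible TPM) only if that is intended."
    exit 2
}

$vol = Get-BitLockerVolume -MountPoint $osDrive
switch ($vol.VolumeStatus) {
    'FullyDecrypted' {
        # Fresh machine. Recovery password first and escrowed, so the policy
        # "do not enable BitLocker until recovery information is stored in AD DS"
        # is satisfied before the volume is turned on; then TPM protector,
        # used-space-only, and no reboot hardware test so it works from a
        # non-interactive task. Encryption continues in the background.
        Backup-RecoveryPasswordToAd -MountPoint $osDrive
        Enable-BitLocker -MountPoint $osDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        Write-Output "Encryption started on $osDrive."
    }
    'EncryptionInProgress' {
        Write-Output "Encryption already in progress on $osDrive ($($vol.EncryptionPercentage)%); nothing to do."
    }
    'FullyEncrypted' {
        # Already BitLockered before the policy: the batch script never generated
        # a key here and so never escrowed one. Only make sure AD DS has it.
        Backup-RecoveryPasswordToAd -MountPoint $osDrive
    }
    default {
        Write-Warning "Unexpected state '$($vol.VolumeStatus)' on $osDrive; check manually."
        exit 1
    }
}
```

Because every run either finds an existing recovery password or adds one, scheduling this at idle or at logon does not multiply keys on the AD object the way the original task does.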
@keithambio2502
3 months ago
I'd love your fully edited file... I'm script/programming deficient
@huseman21
1 year ago
But most places users are not administrators.
@Lofote
1 year ago
That's how it should be.
@mahmoudaljariri9282
7 months ago
That's why he used the system user
@keventagolgol8899
1 year ago
Share the Bitlocker script
@andrewcarpenterCC
1 year ago
It's linked in the video description
@mammamia-qx5pz
1 month ago
The "Store BitLocker recovery information in Active Directory Domain Services" GPO is only applicable to Windows Server 2008 and Vista. Try reading the shit you're doing before making a video guide on it and misinforming everyone.
@Jackalas974
1 year ago
Hi. Nice tutorial, but for me: the task doesn't show on the client, and the key does not upload to Active Directory. =====SOLVED===== Edit: OK, it was 2 mistakes/errors:
1. In French, the username is "AUTORITE NT\System", but the mapping is not good with this ID; use the English ID instead (as you showed).
2. In the script, the "goto ElevateAccess" block stops the script even if launched in admin mode. Commenting it out solved the issue.
Comments: 155