Automatically BitLocker OS Drive using GPO

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hey guys i was recently asked to encrypt all the workstation in the environment using bitlocker and the problem was going around and encrypting all those machines turned on bitlocker manually and all those machines was a little bit tedious and i figured that there's got to be a gpo that can be run to get this going unfortunately you can enable bitlocker as a gpo but it won't you you have to manually turn it on so that you can store the key or force it to do certain um settings for the encryption so this video is going to show you how to make um a gpo that will automatically enable bitlocker and not only just enable not only enable but also store the key in active directory in the active directory object let's go ahead and install bitlocker if you have already installed bitlocker then you can go and speed this video up but i'm gonna go through this step just in case um you haven't so let's go ahead and add that feature um to the server this is my domain controller go ahead and hit next so here we are going to select bitlocker drive encryption now one of the things you want to make sure is the the password viewer is enabled as well um if you're using an older system this may not automatically include um which you can go ahead and add that feature as well usually it's under remote and under feature admin and you'll see it right here but in in windows server i think 2016 and higher it automatically will um select this now this is going to require restart i might as well restart it anyway if your environment allows you to restart the system right now then sure go ahead and select that and go and install the bit locker it's going to take some time for this to install so i'm going to pause the video and come back when it's almost finished all right system restarted let me go ahead and log in now once you've re-logged in you're gonna notice the bitlocker window continue it's gonna complete the installation um let's give it a moment for that to complete all right so let's go ahead and open group policy management and create that bitlocker group policy i'm going to right click call it bit locker encryption deployment so bitlocker should be under administrative templates and windows components then bitlocker now i want to set up how we store this information we want to recover it in active directory let's go ahead and do that and enable and i'm going to leave everything as default and now let's do the system drive i'm gonna set it to the network unlock now i believe this is if there's a tpm chip issue um but i'm gonna go ahead and enable it anyway um i'm gonna [Music] enforce just the drive to be to use to the use space only ah didn't select and we're gonna choose how we get this information so i'm gonna leave all the defaults here you can change it um based on what your your preferences are what the company requires but this part right here do not enable bit locker until recovery information is stored in active directory so that's the part i want to make sure i have here i'm gonna go ahead and okay all right and that's it for the policy on bitlocker directly the next part of it is that we're going to now set up the i'm going to add to this policy a task scheduler that will actually enable the bitlocker using the script that i was telling you about so that's gonna be under preferences under control panel and we're looking for schedule task right click a new task and i'm gonna do the one at least for windows seven give it a name bitlocker and mind you the users won't see this in their task schedule i'm just gonna show only on the administrative side um bitlocker os drive and the user that we're gonna use is gonna be a system user so i'm gonna select group just to be sure that i could get the system user actually you're probably better off going advanced fine now and we're going to scroll down and looking for system all right there you go and want to run whether that user is logged in or not um highest privilege and so here's where we're going to have to trigger this we're going to have the unlock on any user it doesn't matter and i'd like to do a little bit of delay um just to make sure the network and everything established before it tries so i'm going to hit 30 seconds on that i've seen where you don't do a delay and it tries before the networks that establish the next one is on idle so it doesn't require the user to actually reboot for the bit locker to take effect or for this policy to get created so on idle it will um run actually i'm going to activate this policy this idle okay automatically activate okay perfect and the action is um now before we get to this part we're going to have to now share that bit locker file so users are the machines rather can get to that file so this is where i have a folder called bitlocker encryption group policy object um you could save this folder or file anywhere i just choose to put it here so once you look in here you'll see an enabling bit locker i'm gonna go ahead and share this file out so the computers can get to it so first thing i'm gonna do is the permissions for this folder i'm gonna make sure the computers have permission to this folder um so i'm gonna choose okay so groups is already there so it's gonna be domain computers let's do a check name on that and also i'm just gonna do domain users um just to make sure get full access now mind you i'm not gonna share this with full access so even though they have full access here the share permission is gonna be a little bit different so i'm gonna also gonna make this a hidden share so if someone were to try to look at view the shares of the server they won't see this one unless they know about it and right here where it says everyone i'm gonna leave it to read only all right there we go so now we have the share setup that has actually have the bitlocker file so let's go back to the policy it's kind of hard to get back in here you have to minimize everything okay uh close right here okay so now let's go ahead and add the action now we're going to use a startup program which is powershell to run this file and i need to get the location of this file so what i'll do i'll just basically go properties go under share copy the share path and just paste it in here now once i do a slash it will reveal all the files that's in there and i'm going to select it by using the down arrow and then copy everything it's just to make it easier i'm sure you can find another way to copy the actual share that's not it here you go we go in paces here this is the file it's going to run as the argument and that's it everything is set up for the policy for the scheduler it's now ready to go now i'm going to go ahead and apply this policy to the ou that my computer is in um this is going to be a workstation oh you go ahead and link the existing ou i mean policy and we are ready to go um just to show you i'm going to show you in active directory where that computer sits so on the computer there is we have two workstations in here so i'm gonna go ahead and go to the computer that we'll be working on here is it right here let me get rid of this and this will show you that there's no bit locker encryption enable on here as yet so right now this is how it is now i could do two things to get this going i could either restart the computer um to pull the policy or i'm gonna i could run it manually so let me just go ahead and run it manually on here all right let's see if we got anything still yep there it is so now here's the policy got applied so most likely the task the task schedule um was created it's gonna go ahead and confirm that that's the case and there it is bitlocker so now that it's in place i'm gonna go ahead and log off i don't think i have to reboot i'm going to log off because remember i set a policy to be on trigger or sorry the task schedule to be on trigger um for the trigger is going to be um at logon or it's going to be when the system idle that was the wrong password so now what this should be doing is uh triggering that um task schedule to run um that powershell file so i'm gonna give it a moment here take a little bit no it's gonna be there's a 30 seconds delay um and i'm not even sure when that 30 second will begin oh you know what i also forgot um and i think this is gonna be a problem you cannot have a disc inside the drive while doing this so let me go ahead and eject this disc i should have done that before so with that i think i may have to log out and log back in again all right let's see how it goes this time around one thing i noticed as well that you might come across because it tried to bit lock it might have tried the bit locker the first time and because there's a volume in there it got an error um the first thing he's going to do is i'm going to try to send the bit locker key codes to active directory um but yet failed to a bit bit lockered so since i'm going to try again it's going to send another code so you may i'm going to switch to the domain controller here and you might notice that in here let me refresh there might be a code sitting in here already and there it is so there's one code the first code when i try but there was a disk in the drive so it couldn't bit locker so now when i just log in again it tried once more so if i switch back to my workstation um it should actually start encrypting the drive but let's let's see let's confirm that and there it is so the drive is bit locker it should show our progress here to tell you how much or the status of the bit locker encryption or maybe was encrypted regardless of the drive being in there i doubt it because it sends it twice rather it send the key code twice to a bit locker so actually completed so there you go guys um this is how you bit locker um a workstation without manually right clicking on the drive and clicking on bitlocker so you can actually set up an ou or you can filter this by only um windows 10 workstations with a wmi filter um anything like that now if you want to practice this using a virtual machine like i'm doing this is a virtual machine setup i have here um let me see if i could show you one of the settings that is a key setting that you have to have security enabled have to make sure the tpm chip is enabled so you want to enable enable trust platform module once it's enabled um and i believe it doesn't like when you have a disk drive in here so you want to make sure that's taken out and don't worry about these two keys if later on where you'd actually need to decrypt this drive because of something you take the drive out you plug it in somewhere else it will tell you will tell you hey we're looking for recovery code our recovery password for this password id and when once you look at that confirm that this is what you're looking for then you provide this code here if it tells you this one then of course you provide this one here so it's nothing to worry about when it comes on to these codes here all that matter is the most recent one um and it did that because of a mistake in the system where it tried to encrypt the drive but there is a drive there was a drive already there was a c drive in there sorry not a c drive but a disk drive which caused it to not work i've seen that um before where it doesn't encrypt the drive because there's something in the the disk drive so that's about it guys thanks for watching i hope this helps you guys out my name is sean and like subscribe um and i'll be trying to do more of these videos as i go along um this is something i do at work uh so i figure if i share them any type of difficulty that someone else may have they be able to do it alright thanks for watching peace

Info

Channel: Sean Jr

Views: 54,330

Rating: undefined out of 5

Keywords: Bitlocker, Device Encryption, Encryption, Windows Bitlocker, Windows Bitlocker Encrytion, GPO Encryption, GPO Bitlocker, Bitlocker with GPO, Group Policy Encryption, Encryption Script, Automatically Bitlocker Drive, Bitlocker group policy, BitLocker group policy Windows 10, BitLocker Windows 10

Id: v7tIRK84D8U

Channel Id: undefined

Length: 15min 0sec (900 seconds)

Published: Sun Jan 17 2021