Forum Discussion
angelmg
May 22, 2023, Copper Contributor
Enable bitlocker on C: drive by GPO and save to AD
Hello community, I need help.
I want to enable BitLocker in my company, across the computer fleet. I have to do it by GPO, and I want to register the recovery keys in Active Directory.
My computers have the TPM chip integrated on their motherboard. The requirements must be the following:
Encryption should be enabled automatically for system c: drive, fully encrypted drive.
The password must be random, generated automatically without the user having to enter one, and stored in AD.
These are the settings that I have configured in my gpo. Are they correct?
I have also written a script to run the task with PowerShell:
# Check whether BitLocker protection is already on for the system drive
$bitlockerStatus = Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty ProtectionStatus
if ($bitlockerStatus -eq 'On') {
    Write-Host "BitLocker is already active on drive C:. No action will be taken."
} else {
    # Enable BitLocker with a TPM protector to encrypt the entire drive
    Enable-BitLocker -MountPoint "C:" -TpmProtector -SkipHardwareTest
    Write-Host "BitLocker has been enabled on drive C: with TPM protector to encrypt the entire drive."
}
Can you please help me?
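An added example, not the poster's script: a version of the rollout that also creates the random recovery password and escrows it to the computer object in AD DS, which the script above never does because Enable-BitLocker with -TpmProtector alone creates no recovery password. It assumes the machine is domain-joined, the script runs elevated, and the GPO "Store BitLocker recovery information in Active Directory Domain Services" is applied so the backup is accepted; the drive letter and the final status object are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not angelmg's script): TPM protector + AD-escrowed recovery password.
$MountPoint = 'C:'   # assumed system drive

# 1. A TPM-only protector needs a present and ready TPM; stop early if it is missing.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM is not present or not ready; a TPM-only protector cannot be used."
    return
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 2. Add a numerical recovery password (random, never shown to the user) if none exists.
#    It can be added before encryption starts, so it is ready to escrow immediately.
$hasRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $hasRecovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# 3. Turn on full-volume encryption with the TPM protector, unless already protected.
#    No -UsedSpaceOnly, so the whole drive is encrypted; the GPO decides the cipher.
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
}

# 4. Escrow every recovery password protector to AD DS (fails if the policy is absent).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
    }

# 5. Report the resulting state so the deployment can be verified per machine.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    ProtectionStatus = $vol.ProtectionStatus
    VolumeStatus     = $vol.VolumeStatus          # e.g. EncryptionInProgress, FullyEncrypted
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
```

After running it, confirm the escrow in AD by reading the msFVE-RecoveryInformation child objects of the computer account (for example with the BitLocker Recovery Password Viewer), not just by the script's exit status.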
- Bitlocker requirements are defined based on your needs. I recommend you use the below link to configure your Bitlocker using GPO.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#allow-enhanced-pins-for-startup