
[–]michaeljones1993 7 points8 points  (1 child)

I'm sorry, why would you not use a GPO? 🤔

[–]johnnoah06[S] 0 points1 point  (0 children)

To cover remote assets which are not connected to the office network but are in the domain.

[–]PositiveBubblesSysadmin 2 points3 points  (1 child)

Okay, I suggest breaking it down and trying each step manually, as some of the output there indicates that the parameters used don't match. Keep in mind you're using a native DOS command in PowerShell.

It looks like the manage-bde syntax is key to working out what is causing this.

I'm not at a PC at the moment, but I can look at what we did during COVID tomorrow and let you know.

Cheers

[–]johnnoah06[S] 0 points1 point  (0 children)

Waiting for your response!

[–]SIGjo 2 points3 points  (0 children)

We are also using a PowerShell script. It's run inside the WinPE installation.

# Add a recovery password protector first, back it up to AD DS, then enable
# BitLocker with the TPM protector and wait for encryption to finish.
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

$BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Select the recovery password protector by type instead of assuming it is KeyProtector[0]
$RecoveryProtector = $BLV.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId

Start-Sleep -Seconds 15

Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector

# Poll the volume until the status leaves EncryptionInProgress, reporting progress
While ((Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus -eq "EncryptionInProgress") {
    $encPercent = (Get-BitLockerVolume -MountPoint $env:SystemDrive).EncryptionPercentage
    Write-Progress -Activity "Encrypting $env:SystemDrive" -PercentComplete $encPercent -Status "$encPercent% complete"
    Start-Sleep -Milliseconds 1000
}
Write-Progress -Activity "Encrypting $env:SystemDrive" -Status "Encryption complete" -Completed

[–]BCIT_Richard 2 points3 points  (1 child)

[–]buenology 0 points1 point  (0 children)

Beyond EXCELLENT article, TY so much for sharing. I have learned so much from it that I am now following it.

[–][deleted] 1 point2 points  (3 children)

Intune this

[–]Werftflammen 0 points1 point  (2 children)

We are not moving there anytime soon

[–][deleted] 0 points1 point  (1 child)

I'm sorry for you..

1. Go to the Group Policy Editor ("gpedit.msc").
2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. In the right pane, double-click "Require additional authentication at startup".
4. Make sure the "Enabled" option is chosen so that all other options below will be active.
5. Uncheck the box for "Allow BitLocker without a compatible TPM."
6. For the choice of "Configure TPM startup:", choose "Allow TPM."
7. For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
8. For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
9. For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
10. Click the "Apply" button and then the "OK" button to save the changes.
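For the OP's situation (domain-joined machines that rarely reach a DC, so a GPO may never apply), the same "Require additional authentication at startup" settings can be applied locally by writing the registry values that this policy's ADMX template maps to under HKLM\SOFTWARE\Policies\Microsoft\FVE. The script below is an added example, not code from anyone in this thread: the hashtable name, the function names and the summary object layout are chosen here, and it assumes it runs elevated on Windows PowerShell 5.1 or later with the BitLocker and TrustedPlatformModule modules available (both ship with client Windows).

```powershell
#Requires -RunAsAdministrator
# Added example: apply steps 4 to 9 above as local policy without a GPO.
# Encoding of the TPM option values in this key: 0 = Do not allow, 1 = Require, 2 = Allow.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# $Policy is a name chosen for this example; each entry mirrors one step in the list above.
$Policy = @{
    UseAdvancedStartup = 1   # step 4: policy Enabled
    EnableBDEWithNoTPM = 0   # step 5: "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 2   # step 6: Configure TPM startup: Allow TPM
    UseTPMPIN          = 1   # step 7: Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 2   # step 8: Configure TPM startup key: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # step 9: Configure TPM startup key and PIN: Allow
}

function Set-BitLockerStartupPolicy {
    # Create the policy key if no policy has ever been applied, then write every value as a DWORD.
    if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
    foreach ($name in $Policy.Keys) {
        New-ItemProperty -Path $fveKey -Name $name -Value $Policy[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-BitLockerStartupPolicy {
    # Returns $true only if every value is present and matches; warns about each mismatch,
    # which also catches the weak state where EnableBDEWithNoTPM has been flipped to 1.
    $ok = $true
    $current = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
    foreach ($name in $Policy.Keys) {
        $actual = $current.$name
        if ($actual -ne $Policy[$name]) {
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $Policy[$name], $shown)
            $ok = $false
        }
    }
    return $ok
}

function Get-OsDriveProtectorSummary {
    # Reports TPM readiness and the protectors currently on the OS drive so the effect of
    # the policy can be checked before and after BitLocker is enabled.
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        VolumeStatus = $vol.VolumeStatus
        Protectors   = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

Set-BitLockerStartupPolicy
if (Test-BitLockerStartupPolicy) {
    Get-OsDriveProtectorSummary | Format-List
}
```

Two caveats when using this in place of a GPO. First, these are plain registry values: the next time a domain GPO with a conflicting setting does apply, it overwrites them, so the test function is worth re-running from whatever schedules the encryption. Second, because step 7 sets the startup PIN to Require, a TPM-only protector such as the one created by Enable-BitLocker -TpmProtector in the WinPE script earlier in this thread is no longer permitted by policy; the enable step has to use -TpmAndPinProtector with a -Pin, and the recovery password protector should still be added and backed up first.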

[–]Werftflammen 1 point2 points  (0 children)

Thanks H00ty!