
Systems Deployment Question


K2000 Deployment - store bitlocker key in AD only works on first domain GPO update

12/04/2019

Dear support,


I'm hoping somebody could give me some additional brain thoughts on the following matter:

- We have a successful Windows 10 deployment which adds the laptop to our domain.

- This domain has a GPO which mentions that BitLocker keys should be stored in AD on the computer object.

- One of the final tasks is to enable BitLocker, but as this is a deployment, this task is run as the local admin user defined in the K2000 deployment file.

- As this is a local user, and no domain user has been logged on before, the GP defining to store the BitLocker key is not triggered and the key is not stored in AD.


So at this point there is a manual step at the end: logging on as a domain admin/user to fetch the first GPs and then enable the BitLocker key.


Does anybody have an idea how I could enable BitLocker as a domain user, keeping in mind that the GP from the domain should be known to store the key?


Thanks

Kristof
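The following PowerShell is an added example, not code from the original post and not specific to K2000; it is the last-task script a deployment engineer would typically drop in place of the manual step described above. It refreshes computer policy (the BitLocker AD-backup settings are Computer Configuration policy, so they apply to the machine on gpupdate or startup without any domain user logging on), checks that the policy really landed, enables BitLocker with TPM plus a recovery password, and then escrows the recovery password explicitly with Backup-BitLockerKeyProtector instead of relying only on the backup the GPO triggers at enable time. It does not need domain credentials in the task sequence. Assumptions I made: the OS drive is C:, the machine is already joined and can reach a domain controller, and the log file path is hypothetical.

```powershell
# Added example: final deployment task to enable BitLocker and escrow the
# recovery password in AD while running as the local deployment account.
# Assumes the machine is already domain-joined and can reach a DC.
$MountPoint = 'C:'
$LogFile    = 'C:\Windows\Temp\bitlocker-adbackup.log'   # hypothetical path

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

try {
    # 0. Sanity check: the AD backup can only work on a domain-joined machine.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Machine is not domain-joined; cannot escrow the recovery key in AD.'
    }

    # 1. Pull computer policy now. This is what the manual "log on as a domain
    #    user first" step was really achieving; computer policy does not need it.
    Write-Log 'Refreshing computer policy'
    gpupdate /target:computer /force | Out-Null

    # 2. Verify the OS-drive AD-backup policy is in effect before encrypting.
    #    The GPO writes these values under the FVE policy key.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if ($pol.OSActiveDirectoryBackup -ne 1) {
        Write-Log "Warning: OSActiveDirectoryBackup not set to 1 (value: $($pol.OSActiveDirectoryBackup)); explicit backup below is the only escrow."
    }

    # 3. Enable BitLocker with a TPM protector, then add a recovery password.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log "Enabling BitLocker on $MountPoint"
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    } else {
        Write-Log "$MountPoint already $($vol.VolumeStatus); skipping Enable-BitLocker"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Log 'Added recovery password protector'
    }

    # 4. Escrow every recovery password protector in AD explicitly and fail loudly
    #    if it does not work, so the task sequence shows the error instead of
    #    silently leaving an encrypted laptop with no escrowed key.
    $rps = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $rps) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Log "Backed up recovery protector $($p.KeyProtectorId) to AD"
    }

    # 5. Only now turn protection on (Enable-BitLocker with -SkipHardwareTest
    #    starts encryption; Resume-BitLockerProtection ensures protectors are active).
    Resume-BitLockerProtection -MountPoint $MountPoint | Out-Null
    Write-Log 'BitLocker enabled and recovery key escrowed'
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

To confirm the escrow from an admin workstation with RSAT, look for msFVE-RecoveryInformation child objects under the laptop's computer object in AD (for example with Get-ADObject using the computer's distinguished name as -SearchBase); the script's log only proves the cmdlet returned without error, not that the object is readable by your recovery staff.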


Comments

  • You could create a BAT file script, and tell it to run as your Domain Admin, instead of the local admin account:

    see:
    https://stackoverflow.com/questions/25030971/batch-file-that-runs-cmd-as-a-different-user-and-executes-command-lines

    https://social.technet.microsoft.com/Forums/ie/en-US/e20ddf85-26ba-45a7-a987-89de076eda23/solved-run-program-as-different-user-through-batch-file?forum=ITCG

    https://www.windows-commandline.com/windows-runas-command-prompt/

    https://ss64.com/nt/runas.html
  • Hi Channeler, thanks for the info - I tried that as well, but the problem is that when running this script, the GPO is not first updated.

All Answers


Hi Krikke,

you can use an SMA script to completely manage BitLocker without the need of a GPO. https://www.itninja.com/blog/view/kace-sma-bitlocker
This would have several benefits:

  • eliminating the problem you are describing
  • automatic re-enrollment of BitLocker if someone has turned it off (or just forgot to enable it again)
  • works within and outside your domain (traveling users, home office, etc.) without VPN.
  • Logging made easy

Kind Regards

Timo

Answered 12/04/2019 by: Timokirch