/build/static/layout/Breadcrumb_cap_w.png

K2000 Deployment - store bitlocker key in AD only works on first domain GPO update

Dear support,


I'm hoping somebody could give me some additional brain thoughts on the following matter:

- We have a succesfull windows 10 deployment which adds the laptop to our domain.

- This domain has a GPO which mentiones that bitlocker keys should be stored in AD on the computer object.

-  One of the final tasks is to enable bitlocker but as this is a deploymen this task is run as the local admin user defined in the K2000 deployment file.

- As this is a local user, and no domain user has been logged on before, the GP defining to store the bitlocker key is not triggerd and the key is not stored in AD.


So at this point there is a manual step at the end by logging on as a domain admin/user to fetch the first GP's and then enable the bitlocker key;


Does anybody have an idea how I could enable bitlocker as a domain user, keeping in mind that the GP from the domain should be know to store the key?


Thanks

Kristof


2 Comments   [ + ] Show comments
  • You could create a BAT file script, and tell it to run as your Domain Admin, instead of the local admin account:

    see:
    https://stackoverflow.com/questions/25030971/batch-file-that-runs-cmd-as-a-different-user-and-executes-command-lines

    https://social.technet.microsoft.com/Forums/ie/en-US/e20ddf85-26ba-45a7-a987-89de076eda23/solved-run-program-as-different-user-through-batch-file?forum=ITCG

    https://www.windows-commandline.com/windows-runas-command-prompt/

    https://ss64.com/nt/runas.html - Channeler 5 years ago
  • Hi Channeler, thanks for the info - I tried that as well but the problem is that when running this script, the gpo is not firs updated. - anonymous_148785 5 years ago

Answers (1)

Posted by: Timokirch 5 years ago
5th Degree Black Belt
1

Hi Krikke,

you can use an SMA script to completle manage Bitlocker without the need of a GPO. https://www.itninja.com/blog/view/kace-sma-bitlocker
This would have several benefits:

  • eliminating the problem you are describing
  • automatic reenrollment of bitlocker if someone has turned it off (or just forgot to enable it again)
  • works within and outside your domain (traveling users, homeoffice, etc.) without VPN.
  • Logging made easy

Kind Regards

Timo

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ