K2000 Deployment - store bitlocker key in AD only works on first domain GPO update
Dear support,
I'm hoping somebody could give me some additional brain thoughts on the following matter:
- We have a successful Windows 10 deployment which adds the laptop to our domain.
- This domain has a GPO which states that BitLocker keys should be stored in AD on the computer object.
- One of the final tasks is to enable BitLocker, but as this is a deployment this task is run as the local admin user defined in the K2000 deployment file.
- As this is a local user, and no domain user has logged on before, the GP defining to store the BitLocker key is not triggered and the key is not stored in AD.
So at this point there is a manual step at the end: logging on as a domain admin/user to fetch the first GPs and then enable BitLocker.
Does anybody have an idea how I could enable BitLocker as a domain user, keeping in mind that the GP from the domain should be known to store the key?
Thanks
Kristof
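Added example (not from the original thread and not Quest/KACE code): a K2000 post-install task written in PowerShell that turns BitLocker on and pushes the recovery password into AD while still running as the deployment's local admin, so no domain user has to log on first. The setting the GPO carries ("Choose how BitLocker-protected operating system drives can be recovered" / store recovery information in AD DS) is a Computer Configuration setting, so a computer-scope gpupdate applies it without a user logon; on top of that the script escrows the recovery protector explicitly with Backup-BitLockerKeyProtector, which writes to the computer object via the machine account and does not depend on the GPO having applied first. Assumptions (mine, not the post's): the join has completed and the machine has rebooted into the domain, a DC is reachable, a TPM is present, the OS drive is C:, and the task runs elevated; the optional AD check at the end only runs where the RSAT ActiveDirectory module is installed.

```powershell
# Added example: enable BitLocker on the OS drive and escrow the recovery password to AD
# from a K2000 post-install task running as the local deployment admin.
# Assumptions (mine): domain-joined and rebooted into the domain, DC reachable, TPM present,
# OS drive is C:, elevated session.

$Drive = 'C:'
$ErrorActionPreference = 'Stop'   # any failure below should fail the K2000 task visibly

try {
    # The "store recovery information in AD DS" setting is Computer Configuration scope,
    # so refreshing computer policy applies it without any domain user logging on.
    & gpupdate.exe /target:computer /force | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $Drive

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Create the recovery password first, then protect the volume with the TPM.
        # -SkipHardwareTest avoids the extra reboot the TPM hardware test would require.
        Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $Drive -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $Drive
    }

    # A volume that was already encrypted TPM-only has nothing to escrow: add a recovery
    # password in that case so there is always something stored on the computer object.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $Drive
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    # Explicit escrow of every recovery password protector. This is the step that does not
    # care whether the GPO had already applied when the protector was created; it throws
    # if the DC cannot be reached or the write is refused, which is what we want in a task.
    foreach ($p in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output ("Escrowed recovery protector {0} for {1} to AD" -f $p.KeyProtectorId, $Drive)
    }

    # Optional verification, only where RSAT is present: the computer object should now
    # have one msFVE-RecoveryInformation child per recovery protector.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
        $escrowed = @(Get-ADObject -SearchBase $dn -SearchScope OneLevel `
                        -Filter 'objectClass -eq "msFVE-RecoveryInformation"')
        if ($escrowed.Count -lt $recovery.Count) {
            throw ("AD shows {0} recovery object(s) under {1}, expected at least {2}" -f `
                   $escrowed.Count, $dn, $recovery.Count)
        }
        Write-Output ("Verified {0} recovery object(s) under {1}" -f $escrowed.Count, $dn)
    }

    exit 0
}
catch {
    Write-Error ("BitLocker enable/escrow failed on {0}: {1}" -f $Drive, $_.Exception.Message)
    exit 1
}
```

Run it as the last post-install task; a non-zero exit makes the K2000 log show the failure instead of leaving a laptop encrypted with a recovery password that exists nowhere but on the disk itself. If the RSAT check is not available on the client, confirm from an admin workstation with Get-ADObject against the computer's DN that the msFVE-RecoveryInformation object exists before the laptop leaves the imaging bench.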
Answers (1)
Hi Krikke,
you can use an SMA script to completely manage BitLocker without the need of a GPO. https://www.itninja.com/blog/view/kace-sma-bitlocker
This would have several benefits:
- eliminating the problem you are describing
- automatic re-enrollment of BitLocker if someone has turned it off (or just forgot to enable it again)
- works within and outside your domain (traveling users, home office, etc.) without VPN.
- Logging made easy
Kind Regards
Timo
see:
https://stackoverflow.com/questions/25030971/batch-file-that-runs-cmd-as-a-different-user-and-executes-command-lines
https://social.technet.microsoft.com/Forums/ie/en-US/e20ddf85-26ba-45a7-a987-89de076eda23/solved-run-program-as-different-user-through-batch-file?forum=ITCG
https://www.windows-commandline.com/windows-runas-command-prompt/
https://ss64.com/nt/runas.html - Channeler 5 years ago