

Bit Locker Without TPM

Question

Thursday, November 19, 2015 10:13 AM

Not sure if it's possible, but I want to enable BitLocker during OSD on my Windows 10 machines which don't have a TPM. I don't want to use a USB key either, but a startup password (recovery key saved to AD is a plus), which I can do manually, but I can't seem to find the option when creating a task sequence. Can this be scripted?

All replies (6)

Thursday, November 19, 2015 12:58 PM ✅Answered

To save the recovery key to AD you will need to prepare AD to be able to receive the keys.

If you are running a 2012+ DC, add the BitLocker Drive Encryption Administration feature.

After that you will make a GPO to make sure computers in your domain can only encrypt the drive when they are on the domain and to have that key saved to AD. You should find this under Computer Configuration --> Windows Components --> BitLocker.

For the task sequence part (I don't have access to SCCM right now), I think you need either a USB key or TPM. But you could make a PowerShell script that lets you start the BitLocker process (I would do it either as a post action or near the end).

Also, if you plan on using BitLocker, have a look at MBAM; it works very well with SCCM.

Windows 10 has PowerShell cmdlets for BitLocker; you could simply do something with those.

$pass = ConvertTo-SecureString -String 'YourStartupPassword' -AsPlainText -Force   # placeholder; -Password needs a SecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes128 -Password $pass -PasswordProtector

The password has to be a secure string.

What you could do is have PowerShell randomise the password and have it uploaded somewhere for safekeeping until people are allowed to change it.

Hope this helps you get started.

Note: I never did BitLocker without a TPM, so make sure you read and test.
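
The procedure sketched in the reply above (policy prerequisites, random startup password as a secure string, Enable-BitLocker with a password protector, recovery key escrowed to AD) as one complete script. This is an added example, not code from the original thread or from any of its posters. It assumes the AD schema/feature preparation from the reply is already done, that the machine is domain joined when the step runs, that the step runs elevated near the end of the task sequence, and that Aes256 is an acceptable method (later posts in the thread report that method working where Aes128 was rejected). The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the documented policy values behind the "Require additional authentication at startup" setting; confirm them against the ADMX for the build you deploy.

```powershell
# Added example (not from the original thread): BitLocker on the OS volume with
# a startup password instead of a TPM, plus a recovery password escrowed in AD.
# Run elevated, e.g. as a "Run PowerShell Script" step late in the task sequence.

$MountPoint = 'C:'

# GPO is not applied during OSD, so write the policy values BitLocker checks
# straight into the policy hive. These are what the GPO editor writes for
# "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked (2 = Allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $n -Value 2 -Type DWord
}

function New-RandomPassword {
    # CSPRNG-backed startup password; rejection sampling avoids modulo bias.
    param([int]$Length = 20)
    $charset = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $charset.Length)   # bytes >= $limit are discarded
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($charset[$buf[0] % $charset.Length]) }
    }
    -join $chars
}

$plain = New-RandomPassword
$pass  = ConvertTo-SecureString -String $plain -AsPlainText -Force   # -Password needs a SecureString

# Startup password is the only pre-boot protector. -SkipHardwareTest starts
# encryption without the extra reboot; -UsedSpaceOnly suits a freshly imaged disk.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -PasswordProtector -Password $pass -UsedSpaceOnly -SkipHardwareTest

# Numerical recovery password for the helpdesk, backed up to the computer object in AD.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
      Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# Hand $plain to your secret store here (MBAM, a vault, a sealed ticket);
# never write it to smsts.log or a task sequence variable in the clear.
Remove-Variable -Name plain, pass
```

With no TPM there is no hardware anti-hammering in front of the startup password, so the only thing between an attacker holding the disk and the volume key is the password's entropy; that is why the generator above draws 20 characters from a CSPRNG rather than calling Get-Random, and why the plaintext must not end up in the deployment logs.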


Thursday, November 19, 2015 9:09 PM ✅Answered

Remember that GPO does not apply during OSD, so whatever you do, you need to get it working with PowerShell or manage-bde commands. The problem here is that OSD's "Enable BitLocker" step requires a TPM or USB key; it doesn't understand the new method since Windows 8.1 where you don't need those anymore.


Thursday, June 16, 2016 12:50 PM | 2 votes

It seems to be right, but I get this error while running the cmdlet:

Enable-BitLockerInternal : Value does not fall within the expected range.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3596 char:48
+ ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal

Monday, July 9, 2018 8:52 PM

I hate reviving old posts, but I am having the same issue and with all my troubleshooting cannot find a resolution. I keep receiving the error:

Value does not fall within the expected range.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal
    + PSComputerName        : <PcName>


Thursday, August 30, 2018 12:30 PM

I get the same error. It works with the Aes256 encryption method, but I want to use Aes128.


Friday, April 5, 2019 1:16 PM

It seems to be right, but I get this error while running the cmdlet:

Enable-BitLockerInternal : Value does not fall within the expected range.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3596 char:48
+ ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Enable-BitLockerInternal

For me this was an issue of choosing the incorrect encryption method. Check which method is chosen in Group Policy and adjust one of them accordingly.

The policy can be found under:

Administrative Templates->Windows Components->BitLocker Drive Encryption->Choose drive encryption method and cipher strength
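
The check the last reply describes, done in code so the script picks a method the policy will accept instead of failing with "Value does not fall within the expected range". This is an added example, not code from the thread. It assumes the policy is readable from HKLM\SOFTWARE\Policies\Microsoft\FVE (it is not applied during OSD unless you write it there yourself, as the second reply notes), that the value names EncryptionMethodWithXtsOs / EncryptionMethodWithXtsFdv (Windows 10 1511 and later) and EncryptionMethod (older builds) are what your ADMX writes, and the documented value encoding 3 = AES-128, 4 = AES-256, 6 = XTS-AES-128, 7 = XTS-AES-256; verify all three assumptions against the build you deploy.

```powershell
# Added example (not from the thread): resolve the -EncryptionMethod that the
# "Choose drive encryption method and cipher strength" policy allows for a volume.

function Get-PolicyEncryptionMethod {
    param([string]$MountPoint = 'C:')
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $pol) { return $null }   # no BitLocker policy present at all

    # 1511+ stores one value per drive class (Os/Fdv/Rdv); older builds use EncryptionMethod.
    $isOs = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeType -eq 'OperatingSystem'
    $name = if ($isOs) { 'EncryptionMethodWithXtsOs' } else { 'EncryptionMethodWithXtsFdv' }
    $val  = $pol.$name
    if ($null -eq $val) { $name = 'EncryptionMethod'; $val = $pol.EncryptionMethod }
    if ($null -eq $val) { return $null }   # key exists but the method policy is Not Configured

    # Assumed mapping of the policy value to the cmdlet's -EncryptionMethod names.
    switch ([int]$val) {
        3 { 'Aes128' }
        4 { 'Aes256' }
        6 { 'XtsAes128' }
        7 { 'XtsAes256' }
        default { throw "Unsupported policy value $val in $name; fix the GPO or the script" }
    }
}

# Pick the policy's method when one is enforced, otherwise fall back to a default.
$method = Get-PolicyEncryptionMethod -MountPoint 'C:'
if (-not $method) { $method = 'Aes256' }
"Using -EncryptionMethod $method for C:"

# On a volume that is already encrypted, this is what is actually in use and
# should agree with the policy value above:
(Get-BitLockerVolume -MountPoint 'C:').EncryptionMethod
```

Feed `$method` into `Enable-BitLocker -EncryptionMethod $method ...`. If the function throws, the policy was set to a value this build's cmdlet cannot request (for instance a legacy AES-with-diffuser value), which is the same mismatch the thread hit when passing Aes128 against a policy that required something else.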