I'm curious if anyone has a solid method for enabling BitLocker and saving the recovery keys in Active Directory strictly through a Group Policy Object (GPO) instead of using Intune. I'm currently testing this with a GPO that runs a PowerShell script at startup, which is supposed to store the details in AD. However, I'm only getting it to the stage where it says 'BitLocker waiting for activation.' Here's the script I'm using:
```powershell
$logPath = "C:BitLocker-Startup-Log.txt"
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Add-Content -Path $logPath -Value "$timestamp - Script started."
$BLV = Get-BitLockerVolume -MountPoint "C:"
if ($BLV.VolumeStatus -eq "FullyDecrypted") {
Add-Content -Path $logPath -Value "$timestamp - BitLocker not enabled. Enabling now..."
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Add-Content -Path $logPath -Value "$timestamp - BitLocker encryption started."
} else {
Add-Content -Path $logPath -Value "$timestamp - BitLocker already enabled."
}
```
Any advice or tips would be greatly appreciated!
2 Answers
Hey, you don't need to reinvent the wheel here! There are pre-existing GPO settings for BitLocker to help store the recovery keys in Active Directory without the need to use scripts. Just check out the built-in BitLocker management settings in GPOs.
Are you trying to accomplish something specific that the GPOs won't help with? Because BitLocker already has GPO options built-in for enabling it. It might simplify things if you use those.
No special case, just want it enabled and keys saved in AD. I'd prefer it only activates if there's a change detected—don't want it popping up at every reboot (which is rare around here, lol). But I read that GPO doesn’t enable it automatically.