Question

JeffChambers-5748 asked, MTG-3890 commented

Can't encrypt drive: access to the drive is denied

This is about BitLocker.

I have a Dell 5420 that I created an image for, and all is working fine after imaging the laptop to Windows 10 Pro.
The only issue I am having is trying to run BitLocker on the drive when the user is logged into the domain-joined machine.
I can run BitLocker with a local admin account, or I know I can run BitLocker if I add the user to the Administrators group on the local machine.

I DO NOT want to have to add the user to the local admin group just to get BitLocker to work.
Also, when you turn on BitLocker through Control Panel it will ask you where you want to save the password.
I want it to ask to save it to AD DS, so that it will be saved to their account. So, like I said, IF I log in locally to the machine I will be able to run BitLocker.

However, that's not what I want. I am hoping to achieve this without setting up the user as a local administrator and still be able to run BitLocker.
I want to be able to log in as the user on the domain and be able to start up BitLocker. I am not sure why this can't happen.

Is it possible that the server needs to see the machine joined to the domain before it will ask where to save the password? OR should it not matter?

I have tried many things to get this to work, and so far nothing I have tried seems to work.
Things I have tried:
- manage-bde -on C: (have to be an administrator; was logged in as a local user)
- Looked in the registry. No changes needed.
- In the BIOS, moved the boot order to make the hard drive the first boot drive. No change.
- Went into Services to turn on BitLocker. No change.
- Before I imaged the laptop I went into the BIOS and disabled Secure Boot and TPM. Started up the laptop, went back into the BIOS, and enabled Secure Boot and TPM. Still no change.

I am just not sure what else to do from here; I have pretty much run out of options.

windows-10-security

MTG-3890 answered (edited)

Hi Jeff.

BitLocking partitions of fixed/OS drives has always been admin-only, as it's a system-wide change. This is nothing you can change.
BitLocking removable media like USB sticks is possible as a user, since that is not considered to be a system-wide change.

If you are mass-deploying BitLocker and you want it to be hands-free (no manual admin intervention), you would use either MBAM or scripting.
If you want the key to go into the AD computer account object (no, it never gets saved to user account objects), you just have to execute the right command as the right user. Local admins (non-domain admins) have no permission to write to the AD computer account unless they impersonate the system account first, using (for example) psexec -s -i cmd.

Please indicate whether these clarifications help.

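The scripting route the answer describes, as an added example that is not from this thread, from MTG-3890's linked article, or from any Microsoft deployment tool: a script intended to run as SYSTEM (scheduled task, SCCM/Intune, or the psexec -s -i approach mentioned above) that refuses to run in a standard-user context, enables BitLocker on the OS drive, and escrows the recovery password to the AD computer object with the built-in BitLocker cmdlets. It assumes a ready TPM, a domain whose schema includes the BitLocker recovery attributes, and the default permission that lets the computer account write its own msFVE-RecoveryInformation objects; none of those assumptions come from the thread.

```powershell
# Added example, not the thread's or the author's code. Run as SYSTEM so the AD write
# uses the computer account identity, which is what the answer above describes.
# Assumptions (not stated in the thread): TPM present and ready, AD schema has the
# BitLocker recovery attributes, computer account keeps the default SELF write
# permission on msFVE-RecoveryInformation.

param(
    [string]$MountPoint = 'C:'
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to run in the wrong security context. A standard domain user gets
#    "access denied" here, which is the symptom the question describes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $identity.IsSystem -and -not $isAdmin) {
    throw "Must run as SYSTEM or an elevated administrator; current user is $($identity.Name)."
}
if (-not $identity.IsSystem) {
    Write-Warning 'Running as a local admin rather than SYSTEM: the AD backup step may be denied.'
}

# 2. Prerequisites: domain membership (the key is escrowed to the computer object,
#    never to a user object) and a TPM that is present and ready.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'Computer is not domain joined; recovery key cannot be escrowed to AD DS.'
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready.'
}

# 3. Enable BitLocker if the volume is still fully decrypted. The recovery password
#    protector is added first so a recovery path exists before encryption starts;
#    the TPM protector then gives transparent boot.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}

# 4. Escrow every recovery password protector to the AD computer object. If the
#    volume was already encrypted without one, add one so there is something to back up.
$recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recoveryProtectors.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}
foreach ($kp in $recoveryProtectors) {
    # Backup-BitLockerKeyProtector writes the msFVE-RecoveryInformation object under
    # the computer account; this is the step a plain local admin cannot complete.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Output "Escrowed recovery protector $($kp.KeyProtectorId) to AD DS for $env:COMPUTERNAME."
}
```

Deploying this as a SYSTEM-context task keeps the end user out of the local Administrators group, which is the constraint the question sets: the user never has to be able to run BitLocker themselves, because the machine enables it and escrows the key on their behalf.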

JeffChambers-5748 answered, MTG-3890 commented

I appreciate the answer; I believe you have pointed me in the right direction. I am going to look into MBAM or perhaps a few scripts.

Basically, what I am trying to get at is that when we log in as the user the laptop is going to be set up for, I want to have the ability to click
on BitLocker and have it start up with no issues. I just can't figure out why I am having such a hard time, but as mentioned I will try what you have
suggested.
I will let you know if I have any progress.


MTG-3890 commented

Since MBAM might not be available to you, let me link my article with the scripts provided:
https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D
