@jesseloudon
Created January 7, 2020 02:05
BitLocker Activation Script
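<#
.SYNOPSIS
    Zero-touch BitLocker activation for the system drive: provisions the TPM,
    prepares the drive, seeds the local FVE policy values, enables BitLocker
    with a TPM protector plus recovery password, and escrows every recovery
    password to Active Directory.
.DESCRIPTION
    Intended as an elevated computer startup/shutdown script (GPO). Every step
    is gated on the prerequisite checks collected at the top, so re-running the
    script is harmless: an already-encrypted drive only goes through step 5.
      1. Initialize-Tpm when an enabled TPM is present.
      2. BdeHdCfg shrink when the system drive has no BitLocker volume yet.
      3. Create HKLM:\SOFTWARE\Policies\Microsoft\FVE with the AD-backup and
         encryption-method values when the key is absent.
      4. Add a TPM protector and enable BitLocker with a recovery password.
      5. Back up every recovery-password protector to AD. The volumes are
         re-queried after step 4 so the protector created on this run is
         escrowed immediately instead of on the next run (the original
         captured $BLVS with the prerequisites, before step 4 had created it).
.NOTES
    Requires the BitLocker and TrustedPlatformModule modules (client Windows 8
    and later, ProductType 1). Enable-BitLocker is called without
    -SkipHardwareTest, so encryption begins after the next reboot once the
    hardware test passes.
#>

#Check BitLocker prerequisites
# -ErrorAction belongs on the cmdlet that can fail (the WMI/BitLocker query),
# not on the Where-Object filter; otherwise a missing TPM class or a host
# without the BitLocker module surfaces errors instead of an empty result.
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $false }
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
# Client SKU (ProductType 1) on Windows 8 / 8.1 (6.2, 6.3) or 10.0 (Windows 10 and 11).
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = $BitLockerReadyDrive | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' }

#Step 1 - Check if TPM is enabled and initialise if required
# Initialize-Tpm takes ownership of the TPM. -AllowClear lets it clear the TPM
# when that is needed to make it ready, which invalidates keys already sealed
# to it, so the step only runs on hosts that actually report an enabled TPM
# (the original "no disabled TPM" test alone also fired on hosts without one).
if ($WindowsVer -and $TPMEnabled -and -not $TPMNotEnabled) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue | Out-Null
}

#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
if ($WindowsVer -and $TPMEnabled -and -not $BitLockerReadyDrive) {
    # The defragmentation service is started before BdeHdCfg shrinks the OS partition.
    Start-Service -Name defragsvc -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them.
# Local equivalents of the BitLocker group-policy values. The
# *RequireActiveDirectoryBackup = 1 entries block enabling BitLocker until the
# recovery information has been stored in AD, so a recovery password never
# exists only on the device. Values are the same as in the original script.
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
$FVEPolicyValues = [ordered]@{
    'ActiveDirectoryBackup'           = 1
    'RequireActiveDirectoryBackup'    = 1
    'ActiveDirectoryInfoToStore'      = 1
    'EncryptionMethodNoDiffuser'      = 3
    'EncryptionMethodWithXtsOs'       = 6
    'EncryptionMethodWithXtsFdv'      = 6
    'EncryptionMethodWithXtsRdv'      = 3
    'EncryptionMethod'                = 3
    'OSRecovery'                      = 1
    'OSManageDRA'                     = 0
    'OSRecoveryPassword'              = 2
    'OSRecoveryKey'                   = 2
    'OSHideRecoveryPage'              = 1
    'OSActiveDirectoryBackup'         = 1
    'OSActiveDirectoryInfoToStore'    = 1
    'OSRequireActiveDirectoryBackup'  = 1
    'OSAllowSecureBootForIntegrity'   = 1
    'OSEncryptionType'                = 1
    'FDVRecovery'                     = 1
    'FDVManageDRA'                    = 0
    'FDVRecoveryPassword'             = 2
    'FDVRecoveryKey'                  = 2
    'FDVHideRecoveryPage'             = 1
    'FDVActiveDirectoryBackup'        = 1
    'FDVActiveDirectoryInfoToStore'   = 1
    'FDVRequireActiveDirectoryBackup' = 1
    'FDVEncryptionType'               = 1
}
if (Test-Path "$BitLockerRegLoc\FVE") {
    # An existing key (typically GPO-managed) is left untouched.
    Write-Verbose "$BitLockerRegLoc\FVE Key already exists" -Verbose
}
else {
    New-Item -Path $BitLockerRegLoc -Name 'FVE' | Out-Null
    foreach ($entry in $FVEPolicyValues.GetEnumerator()) {
        New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name $entry.Key -Value $entry.Value -PropertyType DWORD | Out-Null
    }
}

#Step 4 - If all prerequisites are met, then enable BitLocker
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted) {
    try {
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector -ErrorAction Stop | Out-Null
        # Failure is reported instead of silenced so a drive that stays
        # unencrypted does not go unnoticed in the startup-script log.
        Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Enabling BitLocker on $env:SystemDrive failed: $_"
    }
}

#Step 5 - Backup BitLocker recovery passwords to AD
# Queried here, after step 4, so the recovery password created on this run is
# escrowed now rather than on the next run of the script.
$BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLV in $BLVS) {
    $Key = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($obj in $Key) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $obj.KeyProtectorId -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Warning "AD backup of recovery password $($obj.KeyProtectorId) for $($BLV.MountPoint) failed: $_"
        }
    }
}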
@wesley974

Awesome!

@jesseloudon

Awesome!

Thank you! 👍

@wesley974

Can you post some screenshots of the GPO to apply?
I put the script in the shutdown area (computer policy), but it doesn't apply.

Many thanks!

@jesseloudon

Can you post here some screenshots about the GPO to apply ?
i put the script in the shutdown area (computer policy), but it doesn't apply.

Many thank's!

Apologies but screenies aren't possible since this was done months ago -- check out my related blog post if you haven't already for some pointers https://jloudon.com/security/Zero-Touch-BitLocker-with-Powershell/

A few things to try:

  • Target the GPO to a single OU and make sure your test machines are in that OU
  • Ensure the computer objects have read access to the PS1 script called by the GPO

Good luck!

@jakouback

Hello, do you know how to encrypt all other drives (what Microsoft calls "Fixed drives") with a script (silently)?

Thank you very much for your help.

@Carlosongit

Thank you ! I came from your blog GG !

@Tomy389

Tomy389 commented Jul 11, 2022

If you want to encrypt not only the system drive but all hard disks in the computer, is it advisable to populate the variable $BitLockerReadyDrive with the following command?
"Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"

@jakouback

if you want to encrypt not only the systemdrive but all harddisks in the computer, it is advisable to mount the variable $BitLockerReadyDrive with the following command? "Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"

Hello, thank you for your reply. I tried that, but it didn't work...

@Tomy389

Tomy389 commented Sep 29, 2022

Hello @jakouback,
since I had to deal with it again at work, I was able to solve it as follows.

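<#
.SYNOPSIS
    BitLocker activation for the system drive and every other fixed SSD/HDD
    volume: TPM provisioning, local FVE policy seeding, AD escrow of the
    recovery passwords, plus a copy of the recovery information on a share.
.DESCRIPTION
    Fixed-disk detection uses MSFT_PhysicalDisk MediaType 3 (HDD) and 4 (SSD)
    and drops volumes on USB or SD buses, so removable media are not touched.
    Changes against the version this was posted from: Initialize-Tpm only runs
    behind the OS/TPM checks instead of while collecting prerequisites; the bus
    filter uses -and (the -or form was true for every disk); the FVE policy key
    is created at $BitLockerRegLoc itself (New-Item -Name 'FVE' under a path
    already ending in \FVE created FVE\FVE); the step-4 condition is
    parenthesised; recovery-key files on the share are not overwritten; the
    transcript is closed at the end.
.NOTES
    Run elevated. The files written in step 6 contain the recovery password in
    clear text, so the share must be readable only by the BitLocker
    administrators (computer accounts need write access only).
#>

# Use the following command when a log of the run is wanted.
Start-Transcript -Path "C:\temp\transcript0.txt" -Force

# Returns the BitLocker volumes that live on fixed SSD/HDD media (MediaType 3
# or 4), carry a drive letter and are not on a USB or SD bus.
# -DecryptedOnly keeps only FullyDecrypted volumes; -ExcludeSystemDrive drops
# the $env:SystemDrive volume.
function Get-FixedDiskBitLockerVolume {
    param(
        [switch]$DecryptedOnly,
        [switch]$ExcludeSystemDrive
    )
    # Both bus types must be rejected: "-ne 'USB' -or -ne 'SD'" holds for every disk.
    Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage -ErrorAction SilentlyContinue |
        Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
        Get-Disk |
        Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
        Get-Partition |
        Where-Object { $_.DriveLetter } |
        Select-Object -ExpandProperty DriveLetter |
        Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $DecryptedOnly -or $_.VolumeStatus -eq 'FullyDecrypted') -and
            (-not $ExcludeSystemDrive -or $_.MountPoint -ne $env:SystemDrive)
        }
}

#Check BitLocker prerequisites
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
# Decrypted fixed data volumes (step 4 targets) and all decrypted fixed volumes (step 1 gate).
$BitLockerDecrypted = Get-FixedDiskBitLockerVolume -DecryptedOnly -ExcludeSystemDrive
$IsDecrypted = Get-FixedDiskBitLockerVolume -DecryptedOnly
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$RecoveryKeyShare = '\\serverXX\Bitlockerkeys'

#Step 1 - Check if TPM is enabled and initialise if required
# Initialize-Tpm is the action, so it is invoked only once the checks pass.
# -AllowClear permits clearing the TPM to take ownership, which invalidates
# keys already sealed to it. NOTE(review): $IsDecrypted only proves that some
# fixed volume is still decrypted; confirm this is acceptable when the system
# drive is already TPM-protected.
$TPMReady = $null
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $IsDecrypted) {
    $TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue |
        Where-Object { $_.TpmReady -eq $true }
    if (-not $TPMReady) {
        Write-Warning 'TPM is not ready after Initialize-Tpm; BitLocker activation skipped.'
    }
}

if ($TPMReady) {
    #Step 2 - Check BitLocker AD Key backup Registry values exist and if not, create them.
    # The *RequireActiveDirectoryBackup = 1 values block enabling BitLocker until
    # the recovery information has been stored in AD. Values as in the original.
    if (Test-Path $BitLockerRegLoc) {
        Write-Verbose "$BitLockerRegLoc key already exists" -Verbose
    }
    elseif ($BitLockerReadyDriveSystem) {
        # $BitLockerRegLoc already names the FVE key; -Force also creates the parent.
        New-Item -Path $BitLockerRegLoc -Force | Out-Null
        $FVEPolicyValues = [ordered]@{
            'ActiveDirectoryBackup'           = 1
            'RequireActiveDirectoryBackup'    = 1
            'ActiveDirectoryInfoToStore'      = 1
            'EncryptionMethodNoDiffuser'      = 3
            'EncryptionMethodWithXtsOs'       = 6
            'EncryptionMethodWithXtsFdv'      = 6
            'EncryptionMethodWithXtsRdv'      = 3
            'EncryptionMethod'                = 3
            'OSRecovery'                      = 1
            'OSManageDRA'                     = 0
            'OSRecoveryPassword'              = 2
            'OSRecoveryKey'                   = 2
            'OSHideRecoveryPage'              = 1
            'OSActiveDirectoryBackup'         = 1
            'OSActiveDirectoryInfoToStore'    = 1
            'OSRequireActiveDirectoryBackup'  = 1
            'OSAllowSecureBootForIntegrity'   = 1
            'OSEncryptionType'                = 1
            'FDVRecovery'                     = 1
            'FDVManageDRA'                    = 0
            'FDVRecoveryPassword'             = 2
            'FDVRecoveryKey'                  = 2
            'FDVHideRecoveryPage'             = 1
            'FDVActiveDirectoryBackup'        = 1
            'FDVActiveDirectoryInfoToStore'   = 1
            'FDVRequireActiveDirectoryBackup' = 1
            'FDVEncryptionType'               = 1
        }
        foreach ($entry in $FVEPolicyValues.GetEnumerator()) {
            New-ItemProperty -Path $BitLockerRegLoc -Name $entry.Key -Value $entry.Value -PropertyType DWORD | Out-Null
        }
    }

    #Step 3 - If all prerequisites are met, then enable BitLocker on Systemdrive
    if ($BitLockerReadyDriveSystem) {
        # Pass the mount point string; the original passed the volume object to -MountPoint.
        $SystemMountPoint = $BitLockerReadyDriveSystem.MountPoint
        Add-BitLockerKeyProtector -MountPoint $SystemMountPoint -TpmProtector | Out-Null
        # -SkipHardwareTest starts encrypting immediately instead of after a
        # reboot-time check that the TPM can unlock the drive; a boot
        # configuration problem then shows up as a recovery prompt on the next boot.
        Enable-BitLocker -MountPoint $SystemMountPoint -RecoveryPasswordProtector -SkipHardwareTest -ErrorAction SilentlyContinue | Out-Null

        #Step 4 - If all prerequisites are met, then enable BitLocker on ReadyDrives
        # Re-read the system drive so the status reflects step 3.
        $BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $SystemDriveProtected = ($BitLockerReadyDriveSystem.VolumeStatus -eq 'EncryptionInProgress') -or
            ($BitLockerReadyDriveSystem.VolumeStatus -eq 'FullyEncrypted')
        if ($BitLockerDecrypted -and $SystemDriveProtected) {
            foreach ($lw in $BitLockerDecrypted) {
                Enable-BitLocker -MountPoint $lw.MountPoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue | Out-Null
                # Auto-unlock keeps the data volume's key on the OS volume, hence
                # the check above that the OS volume is itself protected.
                Enable-BitLockerAutoUnlock -MountPoint $lw.MountPoint
            }
        }

        #Step 5 - Backup BitLocker recovery passwords to AD
        # Queried now (not with the prerequisites) so this run's protectors are included.
        $BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
            Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
        foreach ($BLV in $BLVS) {
            $Key = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
            foreach ($obj in $Key) {
                Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $obj.KeyProtectorId | Out-Null
            }
        }
    }
}

#Step 6 - Backup Bitlocker recovery password to \\serverXX\Bitlockerkeys
# Each file holds the recovery password in clear text: anyone who can read the
# share can unlock the volume. Existing files are left alone.
$BLKS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLK in $BLKS) {
    $txtKey = $BLK.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($txtobj in $txtKey) {
        $keyFile = Join-Path $RecoveryKeyShare ('BitLocker_Recovery_Key_{0}.txt' -f ($txtobj.KeyProtectorId -replace '[{}]', ''))
        if (Test-Path $keyFile) {
            Write-Verbose "$keyFile already exists" -Verbose
            continue
        }
        Get-BitLockerVolume -MountPoint $BLK.MountPoint |
            Select-Object -Property MountPoint -ExpandProperty KeyProtector |
            Format-List |
            Out-File -FilePath $keyFile
    }
}

Stop-Transcript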

@hroberts65616

If I am reading this right, it looks to me that if I am not using AD, I can use all of it except parts 3 and 5. Does that make sense to you?

@Tomy389

Tomy389 commented Dec 8, 2022

If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?

It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so that, unlike the original script, not everything is encrypted (USB sticks, SD cards, etc.) but only SSDs and HDDs. I solved this with the Get-WmiObject command, querying the two media types 3 and 4.
You can skip step 2 completely because, as you said, it is only relevant for Active Directory.
Step 4 (before step 5) only covers encrypting other hard disks that are not the system disk (e.g. a second hard disk such as D:).

You don't really need the last step because the key is already stored in AD.
But I can't tell you whether it will work the way you expect without AD. For a home setup, manage-bde would probably be easier.

@kmosk1988

kmosk1988 commented Feb 25, 2025

I changed the script a little.

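<#
.SYNOPSIS
    BitLocker activation variant: encrypts the system drive, waits for it to
    finish, then encrypts the remaining fixed SSD/HDD volumes with auto-unlock,
    escrows every recovery password to AD and writes a copy to a file share.
.DESCRIPTION
    Changes against the posted version: Initialize-Tpm only runs behind the
    OS/TPM checks; the wait loop is bounded by $MaxWaitMinutes (Enable-BitLocker
    without -SkipHardwareTest does not start encrypting until after a reboot,
    so the unbounded loop could never return and Stop-Transcript was never
    reached); the poll message quotes the real interval; the system-drive
    status is re-read before step 4; $IsDecrypted no longer emits every drive
    letter unconditionally; the eligible-volume pipeline is a helper instead of
    being duplicated; and the transcript logs protector IDs rather than the key
    protector objects.
.NOTES
    Run elevated. The files written in step 6 contain the recovery password in
    clear text and the transcript is written to a share as well, so both
    shares must be readable only by the BitLocker administrators.
#>

# Start logging
$computerName = $env:COMPUTERNAME
Start-Transcript -Path "\\share\log tmp$\temp\transcript_$computerName.txt" -Force

# Polling parameters for the wait in step 3.5.
$PollSeconds = 100
$MaxWaitMinutes = 120
# Share that receives the recovery-key files in step 6.
$RecoveryKeyShare = '\\SCCM01\log tmp$'

# Returns the BitLocker volumes on fixed SSD/HDD media (MSFT_PhysicalDisk
# MediaType 3 or 4) that have a drive letter, are not on a USB or SD bus and
# are not an OEM "Recovery Image*" volume. -DecryptedOnly keeps only
# FullyDecrypted volumes; -ExcludeSystemDrive drops the $env:SystemDrive volume.
function Get-FixedDiskBitLockerVolume {
    param(
        [switch]$DecryptedOnly,
        [switch]$ExcludeSystemDrive
    )
    Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage -ErrorAction SilentlyContinue |
        Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
        Get-Disk |
        Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
        Get-Partition |
        Where-Object { $_.DriveLetter } |
        Select-Object -ExpandProperty DriveLetter |
        ForEach-Object {
            $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
            if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
                Get-BitLockerVolume -MountPoint "$($_):" -ErrorAction SilentlyContinue
            }
        } |
        Where-Object {
            (-not $DecryptedOnly -or $_.VolumeStatus -eq 'FullyDecrypted') -and
            (-not $ExcludeSystemDrive -or $_.MountPoint -ne $env:SystemDrive)
        }
}

# Check prerequisites for BitLocker
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# Decrypted fixed data volumes (step 4 targets).
$BitLockerDecrypted = Get-FixedDiskBitLockerVolume -DecryptedOnly -ExcludeSystemDrive
Write-Output "Decrypted data volumes: $($BitLockerDecrypted.MountPoint -join ', ')"

# Check if drives are decrypted (system drive included; gate for step 1).
$IsDecrypted = Get-FixedDiskBitLockerVolume -DecryptedOnly
Write-Output "Decrypted volumes incl. system drive: $($IsDecrypted.MountPoint -join ', ')"

Write-Output "# Step 1 - TPM check and initialization"
# Initialize-Tpm is the action, so it is only invoked once the checks pass.
# -AllowClear permits clearing the TPM to take ownership, which invalidates
# keys already sealed to it. NOTE(review): $IsDecrypted only proves that some
# fixed volume is still decrypted; confirm this is acceptable when the system
# drive is already TPM-protected.
$TPMReady = $null
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $IsDecrypted) {
    $TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence |
        Where-Object { $_.TpmReady -eq $true }
    if (-not $TPMReady) {
        Write-Warning 'TPM is not ready after Initialize-Tpm; the system drive will not be encrypted.'
    }
}

Write-Output " # Step 3 - Enabling BitLocker on the system drive"
if ($TPMReady -and $BitLockerReadyDriveSystem -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "FullyDecrypted")) {
    # Pass the mount point string; the original passed the volume object to -MountPoint.
    $SystemMountPoint = $BitLockerReadyDriveSystem.MountPoint
    Add-BitLockerKeyProtector -MountPoint $SystemMountPoint -TpmProtector
    # Without -SkipHardwareTest, encryption starts only after the next reboot
    # has passed the hardware test.
    Enable-BitLocker -MountPoint $SystemMountPoint -RecoveryPasswordProtector
}

Write-Output " # Step 3.5 - proverka"
# Wait until the system drive reports FullyEncrypted, but give up after
# $MaxWaitMinutes so a drive that never starts encrypting in this session
# cannot keep the script (and the transcript) open forever.
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
$systemDriveEncrypted = $false
while ((Get-Date) -lt $deadline) {
    # Read the current BitLocker status of the system drive.
    $bitLockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Leave the loop as soon as the status is "FullyEncrypted".
    if ($bitLockerStatus.VolumeStatus -eq "FullyEncrypted") {
        Write-Host "Disk polnostyu zashifrovan. Prodolzhenie vypolneniya skripta..."
        $systemDriveEncrypted = $true
        break
    }
    # The message now quotes the interval actually slept.
    Write-Host "Disk ne polnostyu zashifrovan. Povtornaya proverka cherez $PollSeconds sekund..."
    Start-Sleep -Seconds $PollSeconds
}
if (-not $systemDriveEncrypted) {
    Write-Warning "System drive is not FullyEncrypted after $MaxWaitMinutes minutes; continuing with the remaining steps."
}

# Rest of the script, executed after the check.
Write-Host "Prodolzhenie vypolneniya skripta..."

Start-Sleep -Seconds 5
Write-Output " Step 4 - Enabling BitLocker on other drives"
# Re-read the system drive: the object captured with the prerequisites was
# taken before step 3 (presumably a snapshot, so it would still report the old
# status); the original had this refresh commented out.
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
    foreach ($lw in $BitLockerDecrypted.MountPoint) {
        Write-Output "Step 4 $lw"
        Enable-BitLocker -MountPoint $lw -RecoveryPasswordProtector
        # Auto-unlock keeps the data volume's key on the OS volume, hence the
        # check above that the OS volume is itself protected.
        Enable-BitLockerAutoUnlock -MountPoint $lw
    }
}

Write-Output " Step 5 - Backing up recovery keys to AD"
$BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLV in $BLVS) {
    $Key = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($obj in $Key) {
        Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $obj.KeyProtectorId
        # Only the protector ID goes to the transcript (which lives on a share);
        # the original's "$BLV.MountPoint" also did not expand the property.
        Write-Output "Backed up protector $($obj.KeyProtectorId) for $($BLV.MountPoint)"
    }
}

Write-Output " Step 6 - Backing up recovery keys to the server"
# Each file holds the recovery password in clear text: anyone who can read the
# share can unlock the volume. Existing files are never overwritten.
$BLKS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLK in $BLKS) {
    $txtKey = $BLK.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($txtobj in $txtKey) {
        $keyId = $txtobj.KeyProtectorId -replace '[{}]', ''
        $fileName = Join-Path $RecoveryKeyShare "BitLocker_Recovery_${computerName}_Key_$keyId.txt"
        if (-not (Test-Path $fileName)) {
            Get-BitLockerVolume -MountPoint $BLK.MountPoint |
                Select-Object -Property MountPoint -ExpandProperty KeyProtector |
                Format-List |
                Out-File -FilePath $fileName
        }
        else {
            Write-Output "File already exists: $fileName. Skipping write."
        }
    }
}

# End logging
Stop-Transcript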
