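#Check BitLocker prerequisites
# Each probe below is a collection that is empty (falsy) when its condition does not hold;
# the steps combine them as boolean gates.
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue
# Client SKUs only (ProductType 1): Windows 8 (6.2), 8.1 (6.3) and 10 (10.0). Servers match nothing and every step is skipped.
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | Where-Object {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue
# Every volume that already carries a RecoveryPassword protector: the candidates for AD escrow in Step 5.
$BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue

#Step 1 - Check if TPM is enabled and initialise if required
# Runs when no TPM reporting IsEnabled_InitialValue = $false was found, i.e. the TPM is enabled in
# firmware (or no TPM object came back at all, in which case Initialize-Tpm fails silently).
# -AllowClear lets provisioning clear the TPM when it has to, which discards keys already sealed
# to it, so this step must stay ahead of Step 4 and should not be re-run on machines that already
# hold TPM-sealed BitLocker protectors.
if ($WindowsVer -and !$TPMNotEnabled)
{
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
}

#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
# BdeHdCfg shrinks the system drive to carve out the unencrypted system partition; the defrag
# service is started first (presumably because the shrink depends on it — confirm on the target build).
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive)
{
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them.
# These are the FVE policy values. HKLM\SOFTWARE\Policies is the Group Policy hive, so a GPO that
# manages BitLocker overwrites them on the next refresh; they are created here so that a machine
# without such a GPO still requires AD escrow of the recovery password before encryption starts.
# Each value is checked individually rather than only the FVE key, so a pre-existing key with
# missing values is completed; values that already exist are left untouched.
# NOTE(review): per the BitLocker policy CSP, 3 selects AES-CBC 128-bit and 6 XTS-AES 128-bit;
# raise to 4 / 7 if your baseline requires 256-bit — confirm against the policy documentation first.
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
$FVEKey = "$BitLockerRegLoc\FVE"
$FVEValues = [ordered]@{
    'ActiveDirectoryBackup'           = 1
    'RequireActiveDirectoryBackup'    = 1
    'ActiveDirectoryInfoToStore'      = 1
    'EncryptionMethodNoDiffuser'      = 3
    'EncryptionMethodWithXtsOs'       = 6
    'EncryptionMethodWithXtsFdv'      = 6
    'EncryptionMethodWithXtsRdv'      = 3
    'EncryptionMethod'                = 3
    'OSRecovery'                      = 1
    'OSManageDRA'                     = 0
    'OSRecoveryPassword'              = 2
    'OSRecoveryKey'                   = 2
    'OSHideRecoveryPage'              = 1
    'OSActiveDirectoryBackup'         = 1
    'OSActiveDirectoryInfoToStore'    = 1
    'OSRequireActiveDirectoryBackup'  = 1
    'OSAllowSecureBootForIntegrity'   = 1
    'OSEncryptionType'                = 1
    'FDVRecovery'                     = 1
    'FDVManageDRA'                    = 0
    'FDVRecoveryPassword'             = 2
    'FDVRecoveryKey'                  = 2
    'FDVHideRecoveryPage'             = 1
    'FDVActiveDirectoryBackup'        = 1
    'FDVActiveDirectoryInfoToStore'   = 1
    'FDVRequireActiveDirectoryBackup' = 1
    'FDVEncryptionType'               = 1
}
if (Test-Path $FVEKey)
{
    # Double quotes so the key path actually appears in the verbose output.
    Write-Verbose "$FVEKey Key already exists" -Verbose
}
else
{
    New-Item -Path $BitLockerRegLoc -Name 'FVE'
}
foreach ($ValueName in $FVEValues.Keys)
{
    # Get-ItemProperty -Name raises a non-terminating error for a missing value; that is the "create it" case.
    $Existing = Get-ItemProperty -Path $FVEKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $Existing)
    {
        New-ItemProperty -Path $FVEKey -Name $ValueName -Value $FVEValues[$ValueName] -PropertyType DWORD
    }
}

#Step 4 - If all prerequisites are met, then enable BitLocker
# Only a fully decrypted system drive is touched. Enable-BitLocker errors are silenced; with
# OSRequireActiveDirectoryBackup set, BitLocker itself refuses to begin encryption until the
# recovery password has been escrowed, so a failed escrow leaves the drive decrypted rather than
# encrypted without a backed-up recovery password.
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted)
{
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
    Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue
}

#Step 5 - Backup BitLocker recovery passwords to AD
# Escrows every RecoveryPassword protector on every volume; Backup-BitLockerKeyProtector errors are
# not silenced so a failed escrow is visible in the script output.
if ($BLVS)
{
    ForEach ($BLV in $BLVS)
    {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}
        ForEach ($obj in $Key)
        {
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
        }
    }
}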
Awesome!
Thank you! 👍
Can you post here some screenshots about the GPO to apply ?
I put the script in the shutdown area (computer policy), but it doesn't apply.
Many thanks!
Can you post here some screenshots about the GPO to apply ?
I put the script in the shutdown area (computer policy), but it doesn't apply. Many thanks!
Apologies but screenies aren't possible since this was done months ago -- check out my related blog post if you haven't already for some pointers https://jloudon.com/security/Zero-Touch-BitLocker-with-Powershell/
A few things to try:
- Target the GPO to a single OU and make sure your test machines are in that OU
- Ensure the computer objects have read access to the PS1 script called by the GPO
Good luck!
Hello, do you know how to make encrypted all other drives (Microsoft called "Fixed drives") with script (silently)?
Thank you very much for your help.
Thank you ! I came from your blog GG !
If you want to encrypt not only the system drive but all hard disks in the computer, is it advisable to set the variable $BitLockerReadyDrive
with the following command?
"Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"
If you want to encrypt not only the system drive but all hard disks in the computer, is it advisable to set the variable
$BitLockerReadyDrive
with the following command? "Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"
Hello, thank you for your reply. I tried that, but it didn't work...
Hello @jakouback,
Since I had to deal with it again at work, I was able to solve it as follows.
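# Use the following command if a transcript log is wanted.
Start-Transcript -Path "C:\temp\transcript0.txt" -Force
#Check BitLocker prerequisites
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled_InitialValue -eq $true } -ErrorAction SilentlyContinue
# NOTE: this is not just a probe — Initialize-Tpm provisions the TPM (and with -AllowClear may clear
# it, discarding keys already sealed to it) before any of the gates below are evaluated.
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence | Where-Object { $_.TPMReady -eq $true } -ErrorAction SilentlyContinue
# Client SKUs only (ProductType 1): Windows 8 (6.2), 8.1 (6.3) and 10 (10.0).
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
# Fully decrypted volumes on internal HDD/SSD disks only (MSFT_PhysicalDisk MediaType 3 = HDD,
# 4 = SSD); USB and SD buses are excluded. The bus filter must use -and: with -or it is always
# true, because a disk cannot be on both buses, so removable media were not excluded at all.
# The drive letter is passed as "X:" explicitly, the form Get-BitLockerVolume -MountPoint accepts.
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    ForEach-Object { Get-BitLockerVolume -MountPoint "$($_):" -ErrorAction SilentlyContinue } |
    Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
# The same set without the system drive; these are encrypted in Step 4 after the system drive.
$BitLockerDecrypted = $IsDecrypted | Where-Object { $_.MountPoint -ne $env:SystemDrive }
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# FVE policy values written when the key is absent (HKLM\SOFTWARE\Policies is the GPO hive, so a
# BitLocker GPO overwrites them on refresh). 3 = AES-CBC 128-bit, 6 = XTS-AES 128-bit per the
# BitLocker policy CSP — confirm before changing to the 256-bit variants (4 / 7).
$FVEValues = [ordered]@{
    'ActiveDirectoryBackup'           = 1
    'RequireActiveDirectoryBackup'    = 1
    'ActiveDirectoryInfoToStore'      = 1
    'EncryptionMethodNoDiffuser'      = 3
    'EncryptionMethodWithXtsOs'       = 6
    'EncryptionMethodWithXtsFdv'      = 6
    'EncryptionMethodWithXtsRdv'      = 3
    'EncryptionMethod'                = 3
    'OSRecovery'                      = 1
    'OSManageDRA'                     = 0
    'OSRecoveryPassword'              = 2
    'OSRecoveryKey'                   = 2
    'OSHideRecoveryPage'              = 1
    'OSActiveDirectoryBackup'         = 1
    'OSActiveDirectoryInfoToStore'    = 1
    'OSRequireActiveDirectoryBackup'  = 1
    'OSAllowSecureBootForIntegrity'   = 1
    'OSEncryptionType'                = 1
    'FDVRecovery'                     = 1
    'FDVManageDRA'                    = 0
    'FDVRecoveryPassword'             = 2
    'FDVRecoveryKey'                  = 2
    'FDVHideRecoveryPage'             = 1
    'FDVActiveDirectoryBackup'        = 1
    'FDVActiveDirectoryInfoToStore'   = 1
    'FDVRequireActiveDirectoryBackup' = 1
    'FDVEncryptionType'               = 1
}
#Step 1 - Check if TPM is enabled and initialise if required
# Steps 2-5 are nested inside this gate (as in the original), so nothing below runs unless at least
# one eligible volume is still fully decrypted.
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
    #Step 2 - Check BitLocker AD Key backup Registry values exist and if not, create them.
    # $BitLockerRegLoc already ends in \FVE, so the key is created by path; the original
    # New-Item -Path $BitLockerRegLoc -Name 'FVE' would have produced a nested FVE\FVE key.
    if (Test-Path $BitLockerRegLoc) {
        Write-Verbose "$BitLockerRegLoc key already exists" -Verbose
    }
    elseif ($BitLockerReadyDriveSystem) {
        New-Item -Path $BitLockerRegLoc
        foreach ($ValueName in $FVEValues.Keys) {
            New-ItemProperty -Path $BitLockerRegLoc -Name $ValueName -Value $FVEValues[$ValueName] -PropertyType DWORD
        }
    }
    #Step 3 - If all prerequisites are met, then enable BitLocker on Systemdrive
    # -MountPoint takes the path string, so the volume's MountPoint property is passed rather than
    # the whole BitLockerVolume object. -SkipHardwareTest starts encryption without the test reboot.
    if ($BitLockerReadyDriveSystem) {
        Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem.MountPoint -TpmProtector
        Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.MountPoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue -SkipHardwareTest
        #Step 4 - If all prerequisites are met, then enable BitLocker on ReadyDrives
        # Re-read the system drive so the status reflects the Enable-BitLocker call just made.
        $BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
            foreach ($lw in $BitLockerDecrypted) {
                Enable-BitLocker -MountPoint $lw.MountPoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue
                # Data drives unlock automatically once the (TPM-protected) system drive is unlocked.
                Enable-BitLockerAutoUnlock -MountPoint $lw.MountPoint
            }
        }
        #Step 5 - Backup BitLocker recovery passwords to AD
        $BLVS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
        if ($BLVS) {
            ForEach ($BLV in $BLVS) {
                $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
                ForEach ($obj in $Key) {
                    Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
                }
            }
        }
    }
}
#Step 6 - Backup Bitlocker recovery password to \\serverXX\Bitlockerkeys
# This writes the recovery password itself in plain text to a file share. The share ACL must be
# limited to the admins who perform recovery, and AD (Step 5) should remain the authoritative
# escrow; treat this file copy as a convenience, not as the backup of record.
$BLKS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLKS) {
    ForEach ($BLK in $BLKS) {
        $txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($txtobj in $txtKey) {
            # Query by mount point string, not by the BitLockerVolume object.
            (Get-BitLockerVolume -MountPoint $BLK.MountPoint) | Select-Object -Property MountPoint -ExpandProperty KeyProtector | Format-List > \\serverXX\Bitlockerkeys\BitLocker_Recovery_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt
        }
    }
}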
If I am reading this right, it looks to me that if I am not using AD, I can use all of it except parts 3 and 5. Does that make sense to you?
If I am reading this right, it looks to me that if I am not using AD, I can use all of it except parts 3 and 5. Does that make sense to you?
It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so that, unlike the original script, not everything is encrypted (USB sticks, SD cards etc.) but only SSDs and HDDs. I solved this with Get-WmiObject, querying the two media types 3 and 4.
You can skip step 2 completely because as you said it is only relevant for the active directory.
Step 4 (before step 5) only covers encrypting additional hard disks that are not the system disk (i.e. a second hard disk like D:).
The last step you don't really need because the key is finally stored in the AD.
But I can't tell you whether it will work the way you expect without AD. For a home setup, manage-bde would probably be easier.
I changed the script a little.
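# Start logging
# The transcript lands on a network share. Only protector IDs are echoed below (never the recovery
# password), but the share ACL still has to be limited to the admins who need the logs.
$computerName = $env:COMPUTERNAME
Start-Transcript -Path "\\share\log tmp$\temp\transcript_$computerName.txt" -Force
## Function to check if drives (including the system drive) are encrypted | Where-Object -Property MountPoint -notLike "c:*"
#function Check-IfDrivesEncrypted {
# $drives = Get-BitLockerVolume -ErrorAction SilentlyContinue
# foreach ($drive in $drives) {
# if ($drive.VolumeStatus -eq "FullyEncrypted") {
# return $true
# }
# }
# return $false
#}
#
## Check if drives are encrypted
#if (Check-IfDrivesEncrypted) {
# Write-Output "One or more drives are already encrypted. The script is terminating."
# Stop-Transcript
# exit
#}
#Write-Output "Drives are not encrypted. Continuing script execution."

# Returns the BitLocker volume object of every lettered partition on an internal HDD/SSD
# (MSFT_PhysicalDisk MediaType 3 = HDD, 4 = SSD; USB and SD buses excluded), skipping volumes
# whose label starts with "Recovery Image". Shared by the two prerequisite checks below, which
# previously duplicated this pipeline.
function Get-EligibleFixedBitLockerVolume {
    Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
        Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
        Get-Disk |
        Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
        Get-Partition |
        Where-Object { $_.DriveLetter } |
        Select-Object -ExpandProperty DriveLetter |
        ForEach-Object {
            $driveLetter = "$($_):"
            $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
            if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
                Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue
            }
        }
}

# Check prerequisites for BitLocker
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled_InitialValue -eq $true } -ErrorAction SilentlyContinue
# NOTE: not just a probe — Initialize-Tpm provisions the TPM (and with -AllowClear may clear it,
# discarding keys already sealed to it) before any gate below is evaluated.
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence | Where-Object { $_.TPMReady -eq $true } -ErrorAction SilentlyContinue
# Client SKUs only (ProductType 1): Windows 8 (6.2), 8.1 (6.3) and 10 (10.0).
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$EligibleVolumes = Get-EligibleFixedBitLockerVolume
# Check if drives are decrypted: eligible volumes that are still fully decrypted, system drive
# included. Only BitLocker volume objects are collected here — the earlier version also emitted the
# bare drive letter for every eligible volume, which made this non-empty (and the TPM step run)
# even when everything was already encrypted.
$IsDecrypted = $EligibleVolumes | Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
# The same set without the system drive; these are encrypted in Step 4.
$BitLockerDecrypted = $IsDecrypted | Where-Object { $_.MountPoint -ne $env:SystemDrive }
Write-Output "$BitLockerDecrypted"
Write-Output " $IsDecrypted"
Write-Output "# Step 1 - TPM check and initialization"
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence #-ErrorAction SilentlyContinue
}
Write-Output " # Step 3 - Enabling BitLocker on the system drive"
# -MountPoint takes the path string, so the MountPoint property is passed, not the volume object.
# Without -SkipHardwareTest, Enable-BitLocker with a TPM protector schedules a hardware test and
# encryption only starts after the next reboot; the wait loop below accounts for that.
if ($BitLockerReadyDriveSystem -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "FullyDecrypted")) {
    Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem.MountPoint -TpmProtector
    Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.MountPoint -RecoveryPasswordProtector #-ErrorAction SilentlyContinue -SkipHardwareTest
}
Write-Output " # Step 3.5 - proverka"
# Poll the system drive while encryption is running. The loop is bounded: it stops as soon as the
# status is anything other than EncryptionInProgress (e.g. still FullyDecrypted because the hardware
# test reboot is pending, or Enable-BitLocker failed) or when the attempt budget is used up, so a
# GPO startup script can no longer block indefinitely.
$WaitSeconds = 100
$MaxWaitAttempts = 360   # 360 x 100 s = 10 h upper bound on the wait
$attempt = 0
while ($true) {
    # Get the BitLocker status of the system drive
    $bitLockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    # Check whether the status is "FullyEncrypted"
    if ($bitLockerStatus.VolumeStatus -eq "FullyEncrypted") {
        Write-Host "Disk polnostyu zashifrovan. Prodolzhenie vypolneniya skripta..."
        break # Leave the loop once the status is "FullyEncrypted"
    }
    if ($bitLockerStatus.VolumeStatus -ne "EncryptionInProgress" -or $attempt -ge $MaxWaitAttempts) {
        Write-Host "System drive is not encrypting (status: $($bitLockerStatus.VolumeStatus)); not waiting any longer."
        break
    }
    $attempt++
    # Message and sleep now agree on the interval (the old text said 10 seconds while sleeping 100).
    Write-Host "Disk ne polnostyu zashifrovan. Povtornaya proverka cherez $WaitSeconds sekund..."
    Start-Sleep -Seconds $WaitSeconds
}
# Rest of the script, executed after the check
Write-Host "Prodolzhenie vypolneniya skripta..."
start-sleep -Seconds 5
Write-Output " Step 4 - Enabling BitLocker on other drives"
# Re-read the system drive so the status reflects the Enable-BitLocker call and the wait above.
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
    foreach ($lw in $BitLockerDecrypted.MountPoint) {
        Write-Output "Step 4 $lw"
        Enable-BitLocker -MountPoint $lw -RecoveryPasswordProtector # -ErrorAction SilentlyContinue
        # Data drives unlock automatically once the TPM-protected system drive is unlocked.
        Enable-BitLockerAutoUnlock -MountPoint $lw
    }
}
Write-Output " Step 5 - Backing up recovery keys to AD"
$BLVS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLVS) {
    ForEach ($BLV in $BLVS) {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($obj in $Key) {
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
            # $($BLV.MountPoint) is needed inside the string; "$BLV.MountPoint" expanded only $BLV.
            # Log the protector ID rather than the protector object so the transcript on the share
            # can never carry the recovery password itself.
            Write-Output "$($BLV.MountPoint): escrowed recovery password protector $($obj.KeyProtectorId) to AD"
        }
    }
}
Write-Output " Step 6 - Backing up recovery keys to the server"
# This writes the recovery password in plain text to a file share. The share ACL must be limited
# to the admins who perform recovery, and AD (Step 5) should stay the authoritative escrow; an
# existing file is never overwritten.
$BLKS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLKS) {
    ForEach ($BLK in $BLKS) {
        $txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($txtobj in $txtKey) {
            $fileName = "\\SCCM01\log tmp$\BitLocker_Recovery_${computerName}_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt"
            if (-Not (Test-Path $fileName)) {
                (Get-BitLockerVolume -MountPoint $BLK.MountPoint) |
                    Select-Object -Property MountPoint -ExpandProperty KeyProtector |
                    Format-List > $fileName
            } else {
                Write-Output "File already exists: $fileName. Skipping write."
            }
        }
    }
}
# End logging
Stop-Transcript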
Awesome!