Created
January 7, 2020 02:05
-
-
Save jesseloudon/7f7482916c2c4c993948c2157a537045 to your computer and use it in GitHub Desktop.
BitLocker Activation Script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Check BitLocker prerequisites | |
| $TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue | |
| $TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue | |
| $WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue | |
| $BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue | |
| $BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue | |
| $BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue | |
| #Step 1 - Check if TPM is enabled and initialise if required | |
| if ($WindowsVer -and !$TPMNotEnabled) | |
| { | |
| Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue | |
| } | |
| #Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required | |
| if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive) | |
| { | |
| Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue | |
| BdeHdCfg -target $env:SystemDrive shrink -quiet | |
| } | |
| #Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them. | |
| $BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft' | |
| if (Test-Path "$BitLockerRegLoc\FVE") | |
| { | |
| Write-Verbose '$BitLockerRegLoc\FVE Key already exists' -Verbose | |
| } | |
| else | |
| { | |
| New-Item -Path "$BitLockerRegLoc" -Name 'FVE' | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'RequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodNoDiffuser' -Value '00000003' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsOs' -Value '00000006' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsFdv' -Value '00000006' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsRdv' -Value '00000003' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethod' -Value '00000003' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecovery' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSManageDRA' -Value '00000000' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryPassword' -Value '00000002' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryKey' -Value '00000002' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSHideRecoveryPage' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSAllowSecureBootForIntegrity' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSEncryptionType' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecovery' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVManageDRA' -Value '00000000' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryPassword' -Value '00000002' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryKey' -Value '00000002' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVHideRecoveryPage' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
| New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVEncryptionType' -Value '00000001' -PropertyType DWORD | |
| } | |
| #Step 4 - If all prerequisites are met, then enable BitLocker | |
| if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted) | |
| { | |
| Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector | |
| Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue | |
| } | |
| #Step 5 - Backup BitLocker recovery passwords to AD | |
| if ($BLVS) | |
| { | |
| ForEach ($BLV in $BLVS) | |
| { | |
| $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | |
| ForEach ($obj in $key) | |
| { | |
| Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId | |
| } | |
| } | |
| } |
If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?
If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?
It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so far that now not like in the original script everything is encrypted (also usb-sticks, sd-cards etc) but only ssds and hdds. I could solve this with the command Get-WmiObject and query the two mediatypes 3 and 4.
You can skip step 2 completely because as you said it is only relevant for the active directory.
Step 4 (before step 5) actually only describes that you also want to encrypt other hard disks that are not system hard disks. (i.e. a second harddisk like d:)
The last step you don't really need because the key is finally stored in the AD.
But i can't tell you if it will work like you think without AD. I think for a home area manage-bde would probably be easier.
I changed the script a little.
# Start logging
$computerName = $env:COMPUTERNAME
Start-Transcript -Path "\\share\log tmp$\temp\transcript_$computerName.txt" -Force
## Function to check if drives (including the system drive) are encrypted | Where-Object -Property MountPoint -notLike "c:*"
#function Check-IfDrivesEncrypted {
# $drives = Get-BitLockerVolume -ErrorAction SilentlyContinue
# foreach ($drive in $drives) {
# if ($drive.VolumeStatus -eq "FullyEncrypted") {
# return $true
# }
# }
# return $false
#}
#
## Check if drives are encrypted
#if (Check-IfDrivesEncrypted) {
# Write-Output "One or more drives are already encrypted. The script is terminating."
# Stop-Transcript
# exit
#}
#Write-Output "Drives are not encrypted. Continuing script execution."
# Check prerequisites for BitLocker
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled_InitialValue -eq $true } -ErrorAction SilentlyContinue
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence | Where-Object { $_.TPMReady -eq $true } -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
Get-Disk |
Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
Get-Partition | `
Where-Object { $_.DriveLetter } |
Select-Object -ExpandProperty DriveLetter |
ForEach-Object {
$driveLetter = "$($_):"
$volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*" ) {
Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
Where-Object { $_.VolumeStatus -eq "FullyDecrypted" -and $_.mountpoint -ne 'C:'}
#$driveLetter
}
}
#-ErrorAction SilentlyContinue
Write-Output "$BitLockerDecrypted"
# Check if drives are decrypted
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
Get-Disk |
Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
Get-Partition |
Where-Object { $_.DriveLetter } |
Select-Object -ExpandProperty DriveLetter |
ForEach-Object {
$driveLetter = "$($_):"
$volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
$driveLetter
}
}
#-ErrorAction SilentlyContinue
Write-Output " $IsDecrypted"
Write-Output "# Step 1 - TPM check and initialization"
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
Initialize-Tpm -AllowClear -AllowPhysicalPresence #-ErrorAction SilentlyContinue
}
Write-Output " # Step 3 - Enabling BitLocker on the system drive"
if ($BitLockerReadyDriveSystem -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "FullyDecrypted")) {
Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem -TpmProtector
Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.mountpoint -RecoveryPasswordProtector #-ErrorAction SilentlyContinue -SkipHardwareTest
}
Write-Output " # Step 3.5 - proverka"
while ($true) {
# Poluchaem informatsiyu o statuse BitLocker
$bitLockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
# Proveryaem, yavlyaetsya li status "FullyEncrypted"
if ($bitLockerStatus.VolumeStatus -eq "FullyEncrypted") {
Write-Host "Disk polnostyu zashifrovan. Prodolzhenie vypolneniya skripta..."
break #Vykhod iz tsikla, esli status "FullyEncrypted"
} else {
Write-Host "Disk ne polnostyu zashifrovan. Povtornaya proverka cherez 10 sekund..."
Start-Sleep -Seconds 100 # Ozhidanie 100 sekund pered sleduyushchey proverkoy
}
}
# Dalneyshiy kod skripta, kotoryy vypolnyaetsya posle uspeshnoy proverki
Write-Host "Prodolzhenie vypolneniya skripta..."
start-sleep -Seconds 5
Write-Output " Step 4 - Enabling BitLocker on other drives"
#$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
foreach ($lw in $BitLockerDecrypted.mountpoint) {
Write-Output "Step 4 $lw"
Enable-BitLocker -MountPoint $lw -RecoveryPasswordProtector # -ErrorAction SilentlyContinue
Enable-BitLockerAutoUnlock -MountPoint $lw
}
}
Write-Output " Step 5 - Backing up recovery keys to AD"
$BLVS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLVS) {
ForEach ($BLV in $BLVS) {
$Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
ForEach ($obj in $key) {
Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
Write-Output "$BLV.MountPoint"
Write-Output "$Key"
}
}
}
# }
#}
Write-Output " Step 6 - Backing up recovery keys to the server"
$BLKS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLKS) {
ForEach ($BLK in $BLKS) {
$txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
ForEach ($txtobj in $txtKey) {
$fileName = "\\SCCM01\log tmp$\BitLocker_Recovery_${computerName}_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt"
if (-Not (Test-Path $fileName)) {
(Get-BitLockerVolume -MountPoint $BLK.MountPoint) |
Select-Object -Property MountPoint -ExpandProperty KeyProtector |
Format-List > $fileName
} else {
Write-Output "File already exists: $fileName. Skipping write."
}
}
}
}
# End logging
Stop-Transcript
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello @jakouback,
since I have to do with it again on business, I was able to solve it as follows.