BitLocker Activation Script
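# BitLocker Activation Script
# Flat script: evaluates the prerequisites once, provisions the TPM and the
# system drive if needed, seeds the FVE policy registry values, enables
# BitLocker on the system drive and backs the recovery password up to AD.
# Needs an elevated session and the BitLocker PowerShell module; Step 5 is
# only meaningful on a domain-joined host.

#Check BitLocker prerequisites
# -ErrorAction sits on the cmdlet that can actually fail (the WMI / BitLocker
# query). On the trailing Where-Object, where the original had it, it
# suppressed nothing, so a missing TPM class or module surfaced as an error.
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $false }
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
# Client editions only (ProductType 1): versions 6.2, 6.3 and 10.0.
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
# NOTE(review): $TPMEnabled and $BitLockerReadyDrive are snapshots taken before
# Steps 1 and 2 run, so a TPM or partition provisioned on this pass is only
# seen by Steps 2 and 4 on the next run.

#Step 1 - Check if TPM is enabled and initialise if required
# NOTE(review): the guard is true when nothing is reported as *not* enabled,
# including when the WMI query returned no TPM object at all, so this also
# runs on an already-enabled TPM; confirm whether `$TPMNotEnabled` (initialise
# only when a disabled TPM is found) was intended. -AllowClear permits
# provisioning to clear the TPM, which discards any keys it already protects.
if ($WindowsVer -and !$TPMNotEnabled)
{
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
}

#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive)
{
    # The defragmentation service is started before BdeHdCfg shrinks the
    # system drive (presumably needed for the shrink; confirm if removing it).
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them.
# Local equivalents of the BitLocker Group Policy settings under
# HKLM\SOFTWARE\Policies\Microsoft\FVE. They are only written when the FVE key
# is absent; an existing key is left untouched, values included, so a
# previously configured host keeps whatever it already had.
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
if (Test-Path "$BitLockerRegLoc\FVE")
{
    # Double quotes so the path is expanded; the original single-quoted the
    # message and printed the variable name literally.
    Write-Verbose "$BitLockerRegLoc\FVE Key already exists" -Verbose
}
else
{
    New-Item -Path "$BitLockerRegLoc" -Name 'FVE'
    # Recovery information is backed up to AD, and required before encryption.
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'RequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    # Encryption methods. Per the BitLocker ADMX, 6 = XTS-AES 128-bit and
    # 3 = AES-CBC 128-bit; removable drives are kept on CBC, presumably for
    # compatibility with older Windows versions.
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodNoDiffuser' -Value '00000003' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsOs' -Value '00000006' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsFdv' -Value '00000006' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsRdv' -Value '00000003' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethod' -Value '00000003' -PropertyType DWORD
    # Operating system drive recovery: recovery password / key values follow
    # the ADMX convention 2 = require, 1 = allow, 0 = do not allow; no data
    # recovery agent, recovery page hidden from the wizard, AD backup required.
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecovery' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSManageDRA' -Value '00000000' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryPassword' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryKey' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSHideRecoveryPage' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSAllowSecureBootForIntegrity' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSEncryptionType' -Value '00000001' -PropertyType DWORD
    # Fixed data drive recovery: same shape as the OS drive settings above.
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecovery' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVManageDRA' -Value '00000000' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryPassword' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryKey' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVHideRecoveryPage' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVEncryptionType' -Value '00000001' -PropertyType DWORD
}

#Step 4 - If all prerequisites are met, then enable BitLocker
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted)
{
    # TPM protector first, then enable with a recovery password. Without
    # -SkipHardwareTest, Enable-BitLocker runs a hardware test, which in
    # practice means encryption only starts after the next restart.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
    Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue
}

#Step 5 - Backup BitLocker recovery passwords to AD
# Queried here, after Step 4, so the recovery password created on this pass is
# included. The original evaluated $BLVS together with the other prerequisites,
# before Step 4, and therefore never backed up a freshly created password on
# the run that created it.
$BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
if ($BLVS)
{
    ForEach ($BLV in $BLVS)
    {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($obj in $Key)
        {
            # Relies on the AD backup policy written in Step 3 and on the host
            # being domain-joined; there is no local fallback if it fails.
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
        }
    }
}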
I changed the script a little.
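# Modified BitLocker activation script (from the gist discussion): records a
# transcript on a share, encrypts the system drive and every fixed SSD/HDD
# volume, backs the recovery passwords up to AD and writes them to a share.
# Needs an elevated session and the BitLocker PowerShell module.

# Start logging
$computerName = $env:COMPUTERNAME
# Everything this script writes to the console ends up in this transcript, so
# the share should only be readable by the people allowed to recover volumes.
Start-Transcript -Path "\\share\log tmp$\temp\transcript_$computerName.txt" -Force

## Function to check if drives (including the system drive) are encrypted | Where-Object -Property MountPoint -notLike "c:*"
#function Check-IfDrivesEncrypted {
# $drives = Get-BitLockerVolume -ErrorAction SilentlyContinue
# foreach ($drive in $drives) {
# if ($drive.VolumeStatus -eq "FullyEncrypted") {
# return $true
# }
# }
# return $false
#}
#
## Check if drives are encrypted
#if (Check-IfDrivesEncrypted) {
# Write-Output "One or more drives are already encrypted. The script is terminating."
# Stop-Transcript
# exit
#}
#Write-Output "Drives are not encrypted. Continuing script execution."

# Check prerequisites for BitLocker
# -ErrorAction sits on the cmdlet that can fail; on the Where-Object after it,
# where the original had it, it suppressed nothing.
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
# NOTE(review): this "check" is a side effect: Initialize-Tpm -AllowClear runs
# on every execution (Step 1 repeats it) and may clear an already provisioned
# TPM, discarding keys it protects. Get-Tpm reads TpmReady without
# provisioning; kept as is here so Step 1's gate keeps its current meaning.
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue |
    Where-Object { $_.TPMReady -eq $true }
# Client editions only (ProductType 1): versions 6.2, 6.3 and 10.0.
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# Fully decrypted BitLocker volumes on fixed HDD/SSD disks (MediaType 3 and 4),
# skipping USB/SD buses, recovery-image volumes and the system drive. This is
# the list Step 4 encrypts.
$BitLockerDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    ForEach-Object {
        $driveLetter = "$($_):"
        $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
        if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
            # $env:SystemDrive rather than a hard-coded 'C:' so the exclusion
            # matches the drive Step 3 handles.
            Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
                Where-Object { $_.VolumeStatus -eq "FullyDecrypted" -and $_.MountPoint -ne $env:SystemDrive }
        }
    }
Write-Output "$BitLockerDecrypted"

# Check if drives are decrypted
# NOTE(review): $driveLetter is emitted for every lettered non-recovery volume
# whether or not the Where-Object before it matched, so $IsDecrypted is
# non-empty whenever any such volume exists, not only when one is decrypted,
# and Step 1 is gated on it. Confirm whether the letter was meant to be
# emitted only for a FullyDecrypted result.
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    ForEach-Object {
        $driveLetter = "$($_):"
        $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
        if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
            Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
                Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
            $driveLetter
        }
    }
Write-Output " $IsDecrypted"

Write-Output "# Step 1 - TPM check and initialization"
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence #-ErrorAction SilentlyContinue
}

Write-Output " # Step 3 - Enabling BitLocker on the system drive"
if ($BitLockerReadyDriveSystem -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "FullyDecrypted")) {
    # Both cmdlets are given the mount point string; the original passed the
    # whole volume object to Add-BitLockerKeyProtector and the string to
    # Enable-BitLocker. Without -SkipHardwareTest, Enable-BitLocker runs a
    # hardware test, which in practice means encryption starts after a restart.
    Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem.MountPoint -TpmProtector
    Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.MountPoint -RecoveryPasswordProtector #-ErrorAction SilentlyContinue -SkipHardwareTest
}

Write-Output " # Step 3.5 - proverka"
# Poll until the system drive reports FullyEncrypted. The original loop had no
# exit other than success, so a run where Step 3 did not fire, or where
# encryption waits for the post-hardware-test restart, spun forever and never
# reached the AD backup in Step 5. Bounded here: 360 polls of 100 s (10 h).
$maxChecks = 360
$checks = 0
while ($true) {
    # Read the current BitLocker status of the system drive
    $bitLockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    # Leave the loop once the status is "FullyEncrypted"
    if ($bitLockerStatus.VolumeStatus -eq "FullyEncrypted") {
        Write-Host "Disk polnostyu zashifrovan. Prodolzhenie vypolneniya skripta..."
        break
    }
    $checks++
    if ($checks -ge $maxChecks) {
        Write-Host "System drive did not reach FullyEncrypted after $maxChecks checks; stopping."
        Stop-Transcript
        exit 1
    }
    # Message now states the same interval as the sleep below (it said 10 s).
    Write-Host "Disk ne polnostyu zashifrovan. Povtornaya proverka cherez 100 sekund..."
    Start-Sleep -Seconds 100 # Wait 100 seconds before the next check
}
# Rest of the script, run after the check above succeeded
Write-Host "Prodolzhenie vypolneniya skripta..."
start-sleep -Seconds 5

Write-Output " Step 4 - Enabling BitLocker on other drives"
# Re-read the system volume: the value captured with the prerequisites still
# says FullyDecrypted (a snapshot taken before Step 3), so without this refresh
# the condition below was false on the very run that encrypted the drive.
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
    foreach ($lw in $BitLockerDecrypted.MountPoint) {
        Write-Output "Step 4 $lw"
        Enable-BitLocker -MountPoint $lw -RecoveryPasswordProtector # -ErrorAction SilentlyContinue
        # Auto-unlock ties the data volume to the (now encrypted) system drive.
        Enable-BitLockerAutoUnlock -MountPoint $lw
    }
}

Write-Output " Step 5 - Backing up recovery keys to AD"
$BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
if ($BLVS) {
    ForEach ($BLV in $BLVS) {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($obj in $Key) {
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
            # Property access must be wrapped in $(); "$BLV.MountPoint" printed
            # the object followed by the literal text ".MountPoint".
            Write-Output "$($BLV.MountPoint)"
            # Only the protector id is logged: the protector object carries the
            # recovery password itself, and the original "$Key" line sent it to
            # the transcript on the share.
            Write-Output "$($obj.KeyProtectorId)"
        }
    }
}

Write-Output " Step 6 - Backing up recovery keys to the server"
# Each file holds the recovery password in clear text; the share ACL is the
# only thing protecting it, and Step 5 already stores the same password in AD.
$BLKS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
if ($BLKS) {
    ForEach ($BLK in $BLKS) {
        $txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($txtobj in $txtKey) {
            # One file per protector id (braces stripped), so a re-run never
            # overwrites an earlier export.
            $fileName = "\\SCCM01\log tmp$\BitLocker_Recovery_${computerName}_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt"
            if (-Not (Test-Path $fileName)) {
                (Get-BitLockerVolume -MountPoint $BLK.MountPoint) |
                    Select-Object -Property MountPoint -ExpandProperty KeyProtector |
                    Format-List > $fileName
            } else {
                Write-Output "File already exists: $fileName. Skipping write."
            }
        }
    }
}

# End logging
Stop-Transcript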
It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so that, unlike the original script, it no longer encrypts everything (USB sticks, SD cards, etc.) but only SSDs and HDDs. I solved this with the Get-WmiObject command, querying the two MediaType values 3 and 4.
You can skip step 2 completely because, as you said, it is only relevant for Active Directory.
Step 4 (before step 5) actually only covers encrypting other hard disks that are not the system disk (i.e. a second hard disk such as D:).
You don't really need the last step because the key is ultimately stored in AD.
But I can't tell you whether it will work the way you expect without AD. For home use, I think manage-bde would probably be easier.