Skip to content

Instantly share code, notes, and snippets.

Created January 7, 2020 02:05
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save jesseloudon/7f7482916c2c4c993948c2157a537045 to your computer and use it in GitHub Desktop.
Save jesseloudon/7f7482916c2c4c993948c2157a537045 to your computer and use it in GitHub Desktop.
BitLocker Activation Script
#Check BitLocker prerequisites
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue
$BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue
#Step 1 - Check if TPM is enabled and initialise if required
if ($WindowsVer -and !$TPMNotEnabled)
Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive)
Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
BdeHdCfg -target $env:SystemDrive shrink -quiet
#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them.
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
if (Test-Path "$BitLockerRegLoc\FVE")
Write-Verbose '$BitLockerRegLoc\FVE Key already exists' -Verbose
New-Item -Path "$BitLockerRegLoc" -Name 'FVE'
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'RequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodNoDiffuser' -Value '00000003' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsOs' -Value '00000006' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsFdv' -Value '00000006' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsRdv' -Value '00000003' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethod' -Value '00000003' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecovery' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSManageDRA' -Value '00000000' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryPassword' -Value '00000002' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryKey' -Value '00000002' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSHideRecoveryPage' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSAllowSecureBootForIntegrity' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSEncryptionType' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecovery' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVManageDRA' -Value '00000000' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryPassword' -Value '00000002' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryKey' -Value '00000002' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVHideRecoveryPage' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVEncryptionType' -Value '00000001' -PropertyType DWORD
#Step 4 - If all prerequisites are met, then enable BitLocker
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted)
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue
#Step 5 - Backup BitLocker recovery passwords to AD
if ($BLVS)
ForEach ($BLV in $BLVS)
$Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}
ForEach ($obj in $key)
Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
Copy link

Hello, do you know how to make encrypted all other drives (Microsoft called "Fixed drives") with script (silently)?

Thank you very much for your help.

Copy link

Thank you ! I came from your blog GG !

Copy link

Tomy389 commented Jul 11, 2022

if you want to encrypt not only the systemdrive but all harddisks in the computer, it is advisable to mount the variable $BitLockerReadyDrive with the following command?
"Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"

Copy link

if you want to encrypt not only the systemdrive but all harddisks in the computer, it is advisable to mount the variable $BitLockerReadyDrive with the following command? "Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume"

Hello, thank you for your reply. I tried that, but it didn´t work...

Copy link

Tomy389 commented Sep 29, 2022

Hello @jakouback,
since I have to do with it again on business, I was able to solve it as follows.

#Wenn ein Log erstellt werden soll folgenden Befehl verwenden
Start-Transcript -Path "C:\temp\transcript0.txt" -Force
#Check BitLocker prerequisites
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled_InitialValue -eq $true } -ErrorAction SilentlyContinue
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence | Where-Object { $_.TPMReady -eq $true } -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage | Where-Object { $_.mediatype -eq 3 -or $_.mediatype -eq 4 } | Get-Disk | Where-Object { $_.bustype -ne 'USB' -or $_.bustype -ne 'SD' } | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq "FullyDecrypted" -and $_.mountpoint -ne 'C:' } -ErrorAction SilentlyContinue
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage | Where-Object { $_.mediatype -eq 3 -or $_.mediatype -eq 4 } | Get-Disk | Where-Object { $_.bustype -ne 'USB' -or $_.bustype -ne 'SD' } | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq "FullyDecrypted" } -ErrorAction SilentlyContinue
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

#Step 1 - Check if TPM is enabled and initialise if required
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
  Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue

  #Step 2 - Check BitLocker AD Key backup Registry values exist and if not, create them.
  if (Test-Path "$BitLockerRegLoc") {
    Write-Verbose '$BitLockerRegLoc\FVE Key already exists' -Verbose
  elseif ($BitLockerReadyDriveSystem) {
    New-Item -Path "$BitLockerRegLoc" -Name 'FVE'
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'ActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'RequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'ActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'EncryptionMethodNoDiffuser' -Value '00000003' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'EncryptionMethodWithXtsOs' -Value '00000006' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'EncryptionMethodWithXtsFdv' -Value '00000006' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'EncryptionMethodWithXtsRdv' -Value '00000003' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'EncryptionMethod' -Value '00000003' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSRecovery' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSManageDRA' -Value '00000000' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSRecoveryPassword' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSRecoveryKey' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSHideRecoveryPage' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSAllowSecureBootForIntegrity' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'OSEncryptionType' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVRecovery' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVManageDRA' -Value '00000000' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVRecoveryPassword' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVRecoveryKey' -Value '00000002' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVHideRecoveryPage' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD
    New-ItemProperty -Path "$BitLockerRegLoc" -Name 'FDVEncryptionType' -Value '00000001' -PropertyType DWORD

  #Step 3 - If all prerequisites are met, then enable BitLocker on Systemdrive
  if ($BitLockerReadyDriveSystem) {
    Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem -TpmProtector
    Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.mountpoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue -SkipHardwareTest
    #Step 4 - If all prerequisites are met, then enable BitLocker on ReadyDrives
    $BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($BitLockerDecrypted -and $BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted") {
      foreach ($lw in $BitLockerDecrypted) {
        Enable-BitLocker -MountPoint $lw.mountpoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue
        Enable-BitLockerAutoUnlock -MountPoint $lw.mountpoint

    #Step 5 - Backup BitLocker recovery passwords to AD
    $BLVS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
    if ($BLVS) {
      ForEach ($BLV in $BLVS) {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($obj in $key) { 
          Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId
#Step 6 - Backup Bitlocker recovery password to \\serverXX\Bitlockerkeys
$BLKS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLKS) {
  ForEach ($BLK in $BLKS) {
    $txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    ForEach ($txtobj in $txtKey) { 
      (Get-BitLockerVolume -MountPoint $BLK) | Select-Object -Property MountPoint -ExpandProperty KeyProtector | Format-List > \\serverXX\Bitlockerkeys\BitLocker_Recovery_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt

Copy link

If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?

Copy link

Tomy389 commented Dec 8, 2022

If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?

It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so far that now not like in the original script everything is encrypted (also usb-sticks, sd-cards etc) but only ssds and hdds. I could solve this with the command Get-WmiObject and query the two mediatypes 3 and 4.
You can skip step 2 completely because as you said it is only relevant for the active directory.
Step 4 (before step 5) actually only describes that you also want to encrypt other hard disks that are not system hard disks. (i.e. a second harddisk like d:)

The last step you don't really need because the key is finally stored in the AD.
But i can't tell you if it will work like you think without AD. I think for a home area manage-bde would probably be easier.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment