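#Check BitLocker prerequisites
# Purpose: bring a Windows client to "BitLocker enabled on the system drive with a TPM
# protector and a recovery password, recovery password escrowed to Active Directory".
# The script is meant to run unattended, so most probes suppress errors; the trade-off
# is that a missing TPM, a missing BitLocker module or a failed Enable-BitLocker only
# shows up as a silently skipped step.
#
# -ErrorAction SilentlyContinue has to sit on the cmdlet that can actually fail
# (Get-WmiObject / Get-BitLockerVolume); on the Where-Object stage it suppresses nothing.
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $false }
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
# Client SKU only (ProductType 1) on a Windows 8 / 8.1 / 10 kernel version.
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
# Same volume object, filtered: only a fully decrypted system drive is enabled in Step 4.
$BitLockerDecrypted = $BitLockerReadyDrive | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' }

#Step 1 - Check if TPM is enabled and initialise if required
# NOTE: !$TPMNotEnabled is also true when no Win32_Tpm instance was returned at all,
# in which case Initialize-Tpm fails and the error is suppressed. -AllowClear permits
# the provisioning to clear the TPM if that is required to reach the ready state,
# which discards anything already sealed to it.
if ($WindowsVer -and !$TPMNotEnabled)
{
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
}

#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
# Get-BitLockerVolume returned nothing for the system drive, so the drive is
# re-partitioned by BdeHdCfg (it needs the defrag service running to shrink the OS volume).
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive)
{
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them.
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
$BitLockerFveKey = "$BitLockerRegLoc\FVE"
# Policy values written when the FVE key is absent (same values as before, kept in one
# table so the write loop below stays readable). EncryptionMethod* 3 = AES-128 and
# 6 = XTS-AES-128; 4 / 7 would select the 256-bit variants. *RequireActiveDirectoryBackup = 1
# makes escrow mandatory, which is what Step 5 relies on.
$BitLockerPolicy = [ordered]@{
    'ActiveDirectoryBackup'           = '00000001'
    'RequireActiveDirectoryBackup'    = '00000001'
    'ActiveDirectoryInfoToStore'      = '00000001'
    'EncryptionMethodNoDiffuser'      = '00000003'
    'EncryptionMethodWithXtsOs'       = '00000006'
    'EncryptionMethodWithXtsFdv'      = '00000006'
    'EncryptionMethodWithXtsRdv'      = '00000003'
    'EncryptionMethod'                = '00000003'
    'OSRecovery'                      = '00000001'
    'OSManageDRA'                     = '00000000'
    'OSRecoveryPassword'              = '00000002'
    'OSRecoveryKey'                   = '00000002'
    'OSHideRecoveryPage'              = '00000001'
    'OSActiveDirectoryBackup'         = '00000001'
    'OSActiveDirectoryInfoToStore'    = '00000001'
    'OSRequireActiveDirectoryBackup'  = '00000001'
    'OSAllowSecureBootForIntegrity'   = '00000001'
    'OSEncryptionType'                = '00000001'
    'FDVRecovery'                     = '00000001'
    'FDVManageDRA'                    = '00000000'
    'FDVRecoveryPassword'             = '00000002'
    'FDVRecoveryKey'                  = '00000002'
    'FDVHideRecoveryPage'             = '00000001'
    'FDVActiveDirectoryBackup'        = '00000001'
    'FDVActiveDirectoryInfoToStore'   = '00000001'
    'FDVRequireActiveDirectoryBackup' = '00000001'
    'FDVEncryptionType'               = '00000001'
}
if (Test-Path $BitLockerFveKey)
{
    # NOTE: an existing key is not inspected; values already there (for example from
    # Group Policy) are left untouched, so the AD-backup settings are not guaranteed.
    # The message used to be single-quoted, so the path was printed literally.
    Write-Verbose "$BitLockerFveKey Key already exists" -Verbose
}
else
{
    New-Item -Path $BitLockerRegLoc -Name 'FVE'
    foreach ($entry in $BitLockerPolicy.GetEnumerator())
    {
        New-ItemProperty -Path $BitLockerFveKey -Name $entry.Key -Value $entry.Value -PropertyType DWORD
    }
}

#Step 4 - If all prerequisites are met, then enable BitLocker
# Add-BitLockerKeyProtector is not silenced, so a TPM-protector failure is visible;
# Enable-BitLocker is, so a failed enable only shows as a still-decrypted drive.
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted)
{
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
    Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue
}

#Step 5 - Backup BitLocker recovery passwords to AD
# The volume list is queried here, after Step 4, so the recovery password created by
# Enable-BitLocker in this run is escrowed now. Previously $BLVS was captured before
# Step 4, which left a freshly encrypted drive without an AD backup until the next run.
$BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLV in $BLVS)
{
    $recoveryProtectors = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($protector in $recoveryProtectors)
    {
        Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $protector.KeyProtectorId
    }
}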
Hello @jakouback,
since I had to deal with it again at work, I was able to solve it as follows.
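# Use the following command if a log (transcript) of the run should be written.
Start-Transcript -Path "C:\temp\transcript0.txt" -Force

#Check BitLocker prerequisites
# Purpose: enable BitLocker on the system drive (TPM + recovery password), then on the
# remaining fixed data drives with auto-unlock, escrow the recovery passwords to AD and
# additionally dump them to a file share. -ErrorAction SilentlyContinue is placed on the
# cmdlet that can fail; on a Where-Object stage it suppresses nothing.
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled_InitialValue -eq $true }
# Runs TPM provisioning already while probing. -AllowClear permits clearing the TPM if
# that is needed to reach the ready state, which discards anything already sealed to it.
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue |
    Where-Object { $_.TPMReady -eq $true }
# Client SKU only (ProductType 1) on a Windows 8 / 8.1 / 10 kernel version.
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# Candidate volumes: lettered partitions on fixed disks that are still fully decrypted.
# MSFT_PhysicalDisk MediaType 3 = HDD, 4 = SSD. The bus-type filter used to be
# `-ne 'USB' -or -ne 'SD'`, which is true for every disk, so USB sticks and SD cards
# were still picked up despite the intent; `-and` actually excludes them.
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage -ErrorAction SilentlyContinue |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' }
# Same set minus the system drive: the data drives encrypted in Step 4. Compared against
# $env:SystemDrive rather than the literal 'C:' so it matches the probe above.
$BitLockerDecrypted = $IsDecrypted | Where-Object { $_.MountPoint -ne $env:SystemDrive }

$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Policy values written when the FVE key is absent (same values as before).
# EncryptionMethod* 3 = AES-128 and 6 = XTS-AES-128; 4 / 7 would select the 256-bit
# variants. *RequireActiveDirectoryBackup = 1 makes escrow mandatory (Step 5).
$BitLockerPolicy = [ordered]@{
    'ActiveDirectoryBackup'           = '00000001'
    'RequireActiveDirectoryBackup'    = '00000001'
    'ActiveDirectoryInfoToStore'      = '00000001'
    'EncryptionMethodNoDiffuser'      = '00000003'
    'EncryptionMethodWithXtsOs'       = '00000006'
    'EncryptionMethodWithXtsFdv'      = '00000006'
    'EncryptionMethodWithXtsRdv'      = '00000003'
    'EncryptionMethod'                = '00000003'
    'OSRecovery'                      = '00000001'
    'OSManageDRA'                     = '00000000'
    'OSRecoveryPassword'              = '00000002'
    'OSRecoveryKey'                   = '00000002'
    'OSHideRecoveryPage'              = '00000001'
    'OSActiveDirectoryBackup'         = '00000001'
    'OSActiveDirectoryInfoToStore'    = '00000001'
    'OSRequireActiveDirectoryBackup'  = '00000001'
    'OSAllowSecureBootForIntegrity'   = '00000001'
    'OSEncryptionType'                = '00000001'
    'FDVRecovery'                     = '00000001'
    'FDVManageDRA'                    = '00000000'
    'FDVRecoveryPassword'             = '00000002'
    'FDVRecoveryKey'                  = '00000002'
    'FDVHideRecoveryPage'             = '00000001'
    'FDVActiveDirectoryBackup'        = '00000001'
    'FDVActiveDirectoryInfoToStore'   = '00000001'
    'FDVRequireActiveDirectoryBackup' = '00000001'
    'FDVEncryptionType'               = '00000001'
}

#Step 1 - Check if TPM is enabled and initialise if required
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue

    #Step 2 - Check BitLocker AD Key backup Registry values exist and if not, create them.
    if (Test-Path $BitLockerRegLoc) {
        # NOTE: an existing key is not inspected; values already there are left untouched.
        # The message used to be single-quoted, so the path was printed literally.
        Write-Verbose "$BitLockerRegLoc Key already exists" -Verbose
    }
    elseif ($BitLockerReadyDriveSystem) {
        # $BitLockerRegLoc already ends in \FVE. The earlier `New-Item -Path $BitLockerRegLoc
        # -Name 'FVE'` tried to create a nested FVE\FVE key under a parent that did not exist
        # yet, so the key and every value below were never written.
        New-Item -Path $BitLockerRegLoc
        foreach ($entry in $BitLockerPolicy.GetEnumerator()) {
            New-ItemProperty -Path $BitLockerRegLoc -Name $entry.Key -Value $entry.Value -PropertyType DWORD
        }
    }

    #Step 3 - If all prerequisites are met, then enable BitLocker on Systemdrive
    if ($BitLockerReadyDriveSystem) {
        # -MountPoint takes the path string; the volume object itself was passed before
        # on the Add-BitLockerKeyProtector line, inconsistent with the Enable-BitLocker line.
        # -SkipHardwareTest means no reboot/TPM pre-check before encryption starts.
        Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem.MountPoint -TpmProtector
        Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.MountPoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue -SkipHardwareTest

        #Step 4 - If all prerequisites are met, then enable BitLocker on ReadyDrives
        # Re-read the system drive: auto-unlock for data drives needs the OS volume to be
        # protected, so only continue once it is encrypting or encrypted.
        $BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $systemDriveStatus = $BitLockerReadyDriveSystem.VolumeStatus
        if ($BitLockerDecrypted -and ($systemDriveStatus -eq 'EncryptionInProgress' -or $systemDriveStatus -eq 'FullyEncrypted')) {
            foreach ($lw in $BitLockerDecrypted) {
                Enable-BitLocker -MountPoint $lw.MountPoint -RecoveryPasswordProtector -ErrorAction SilentlyContinue
                Enable-BitLockerAutoUnlock -MountPoint $lw.MountPoint
            }
        }

        #Step 5 - Backup BitLocker recovery passwords to AD
        # Queried after Steps 3/4 so the protectors created in this run are escrowed now.
        $BLVS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
            Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
        foreach ($BLV in $BLVS) {
            $Key = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
            foreach ($obj in $Key) {
                Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $obj.KeyProtectorId
            }
        }
    }
}

#Step 6 - Backup Bitlocker recovery password to \\serverXX\Bitlockerkeys
# The dump is the full KeyProtector list of the volume, which contains the recovery
# password in clear text. The share ACL should let clients write but not read, and
# only the admins who perform recoveries read. One file per recovery-password
# protector, named by its KeyProtectorId without the surrounding braces.
$BLKS = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } }
foreach ($BLK in $BLKS) {
    $txtKey = $BLK.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($txtobj in $txtKey) {
        $fileName = 'BitLocker_Recovery_Key_{0}.txt' -f ($txtobj.KeyProtectorId -replace '[{}]', '')
        Get-BitLockerVolume -MountPoint $BLK.MountPoint |
            Select-Object -Property MountPoint -ExpandProperty KeyProtector |
            Format-List |
            Out-File -FilePath "\\serverXX\Bitlockerkeys\$fileName"
    }
}

# Close the transcript opened at the top; without this it stays open until the session ends.
Stop-Transcript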
If I am reading this right, it looks to me that if I am not using AD, I can use all of it except parts 3 and 5. Does that make sense to you?
If I am reading this right, it looks to me that if I am not using AD, I can use all of it except parts 3 and 5. Does that make sense to you?
It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so that, unlike the original script, not everything is encrypted (USB sticks, SD cards, etc.) but only SSDs and HDDs. I was able to do this with the Get-WmiObject command, querying the two media types 3 and 4.
You can skip step 2 completely because as you said it is only relevant for the active directory.
Step 4 (before step 5) only covers the case where you also want to encrypt other hard disks that are not the system drive (e.g. a second hard disk such as D:).
You don't really need the last step, because the key is ultimately stored in AD.
But I can't tell you whether it will work the way you expect without AD. For a home setup, manage-bde would probably be easier.
Hello, thank you for your reply. I tried that, but it didn't work...