-
-
Save jesseloudon/7f7482916c2c4c993948c2157a537045 to your computer and use it in GitHub Desktop.
#Check BitLocker prerequisites | |
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue | |
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue | |
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue | |
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue | |
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue | |
$BLVS = Get-BitLockerVolume | Where-Object {$_.KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'}} -ErrorAction SilentlyContinue | |
#Step 1 - Check if TPM is enabled and initialise if required | |
if ($WindowsVer -and !$TPMNotEnabled) | |
{ | |
Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue | |
} | |
#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required | |
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive) | |
{ | |
Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue | |
BdeHdCfg -target $env:SystemDrive shrink -quiet | |
} | |
#Step 3 - Check BitLocker AD Key backup Registry values exist and if not, create them. | |
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft' | |
if (Test-Path "$BitLockerRegLoc\FVE") | |
{ | |
Write-Verbose '$BitLockerRegLoc\FVE Key already exists' -Verbose | |
} | |
else | |
{ | |
New-Item -Path "$BitLockerRegLoc" -Name 'FVE' | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'RequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'ActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodNoDiffuser' -Value '00000003' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsOs' -Value '00000006' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsFdv' -Value '00000006' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethodWithXtsRdv' -Value '00000003' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'EncryptionMethod' -Value '00000003' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecovery' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSManageDRA' -Value '00000000' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryPassword' -Value '00000002' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRecoveryKey' -Value '00000002' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSHideRecoveryPage' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSAllowSecureBootForIntegrity' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'OSEncryptionType' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecovery' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVManageDRA' -Value '00000000' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryPassword' -Value '00000002' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRecoveryKey' -Value '00000002' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVHideRecoveryPage' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVActiveDirectoryInfoToStore' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVRequireActiveDirectoryBackup' -Value '00000001' -PropertyType DWORD | |
New-ItemProperty -Path "$BitLockerRegLoc\FVE" -Name 'FDVEncryptionType' -Value '00000001' -PropertyType DWORD | |
} | |
#Step 4 - If all prerequisites are met, then enable BitLocker | |
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted) | |
{ | |
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector | |
Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector -ErrorAction SilentlyContinue | |
} | |
#Step 5 - Backup BitLocker recovery passwords to AD | |
if ($BLVS) | |
{ | |
ForEach ($BLV in $BLVS) | |
{ | |
$Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | |
ForEach ($obj in $key) | |
{ | |
Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorID $obj.KeyProtectorId | |
} | |
} | |
} |
If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?
If I am reading this right. It looks to me that If I am not using AD, I can use all of it except parts 3 and 5. Does that make since to you?
It depends on what you want to encrypt. I have now adjusted some things again.
I have adjusted it so far that now not like in the original script everything is encrypted (also usb-sticks, sd-cards etc) but only ssds and hdds. I could solve this with the command Get-WmiObject and query the two mediatypes 3 and 4.
You can skip step 2 completely because as you said it is only relevant for the active directory.
Step 4 (before step 5) actually only describes that you also want to encrypt other hard disks that are not system hard disks. (i.e. a second harddisk like d:)
The last step you don't really need because the key is finally stored in the AD.
But i can't tell you if it will work like you think without AD. I think for a home area manage-bde would probably be easier.
Hello @jakouback,
since I have to do with it again on business, I was able to solve it as follows.