@jschlackman
Last active August 19, 2021 21:02
# Name: Enable-SystemVolumeBitLocker.ps1
# Author: James Schlackman
# Last Modified: August 19 2021
# Ensures the system drive is BitLocker encrypted with the recovery password backed
# up to Active Directory. BitLocker is only enabled after at least one recovery
# password has been successfully escrowed, so a machine that cannot reach a domain
# controller is left unencrypted rather than encrypted with no recoverable key.
# Should be used in conjunction with GPOs set appropriately in
# Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption
# (notably "Choose how BitLocker-protected operating system drives can be recovered")
# https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-group-policy-settings
#Requires -RunAsAdministrator
#Requires -Modules BitLocker, TrustedPlatformModule

$sysVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$passProtectors = @($sysVolume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Add a new recovery password key protector to the drive if none already exists.
# Add-BitLockerKeyProtector returns the whole volume object, so filter its KeyProtector
# list again: an existing TPM protector must not be passed to Backup-BitLockerKeyProtector.
If ($passProtectors.Count -eq 0) {
    $passProtectors = @((Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

$result = $false
$passProtectors | ForEach-Object {
    # Attempt to back up each system drive recovery password key protector to AD.
    # Backup-BitLockerKeyProtector returns the volume object on success and writes a
    # non-terminating error (returning nothing) if escrow fails, e.g. no DC is reachable.
    $result = $result -or [bool](Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $_.KeyProtectorId)
}

# If a key protector was backed up but BitLocker is not yet protecting the drive, enable it now
If ($result -and ($sysVolume.ProtectionStatus -ne 'On')) {
    # Enable BitLocker using the TPM, provisioning the TPM first if Windows has not done so
    If ((Get-Tpm).TpmReady -ne $true) { Initialize-Tpm }
    # Without -SkipHardwareTest, Enable-BitLocker schedules a hardware test and encryption
    # starts after the next restart
    Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector
    # Covers the case where the drive is already encrypted but protection was suspended
    Resume-BitLocker -MountPoint $env:SystemDrive
}
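The script above trusts the return value of Backup-BitLockerKeyProtector. The added check below, which is not part of the gist, goes one step further and confirms that each RecoveryPassword protector on the system drive actually exists as an msFVE-RecoveryInformation object under the computer's AD object, matched on the msFVE-RecoveryGuid attribute. The function names are my own; the live lookup assumes the RSAT ActiveDirectory module is installed and the caller can read those child objects (by default only Domain Admins can). The comparison function is kept free of any cmdlet calls so it can be run on the constructed sample IDs at the bottom without a domain.

```powershell
# Added example (not from the gist): verify recovery passwords are escrowed in AD.
# Function names are hypothetical; live lookup needs the RSAT ActiveDirectory module.

function Get-LocalRecoveryProtectorId {
    # KeyProtectorId of every RecoveryPassword protector on the volume, e.g. "{GUID}" (upper-case)
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { $_.KeyProtectorId }
}

function Get-AdRecoveryGuid {
    # GUID of each msFVE-RecoveryInformation object stored under the computer's AD object.
    # Backup-BitLockerKeyProtector creates one such object per escrowed recovery password;
    # its msFVE-RecoveryGuid attribute holds the protector ID as a 16-byte octet string.
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                 -Properties 'msFVE-RecoveryGuid' |
        ForEach-Object { ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString('B') }
}

function Compare-RecoveryProtectorBackup {
    # Pure comparison of local protector IDs against the GUIDs found in AD, so the logic
    # can be exercised offline. PowerShell string comparison is case-insensitive, which
    # matters because KeyProtectorId is upper-case and [guid]::ToString('B') is lower-case.
    param(
        [string[]]$LocalProtectorId,
        [string[]]$AdRecoveryGuid
    )
    $backedUp = @($LocalProtectorId | Where-Object { $_ -in $AdRecoveryGuid })
    $missing  = @($LocalProtectorId | Where-Object { $_ -notin $AdRecoveryGuid })
    [pscustomobject]@{
        BackedUp  = $backedUp
        Missing   = $missing
        # Compliant only if there is at least one recovery password and every one is in AD
        Compliant = ($backedUp.Count -gt 0) -and ($missing.Count -eq 0)
    }
}

# Constructed sample IDs (not real protectors): the first appears in AD, the second does not.
$sampleLocal = @('{A1B2C3D4-0000-4000-8000-000000000001}',
                 '{A1B2C3D4-0000-4000-8000-000000000002}')
$sampleAd    = @('{a1b2c3d4-0000-4000-8000-000000000001}')
Compare-RecoveryProtectorBackup -LocalProtectorId $sampleLocal -AdRecoveryGuid $sampleAd

# Live check on a domain-joined machine, run elevated:
# Compare-RecoveryProtectorBackup -LocalProtectorId (Get-LocalRecoveryProtectorId) -AdRecoveryGuid (Get-AdRecoveryGuid)
```

Run the live form from the same elevated context as the gist script; a non-empty Missing list after the script reported success usually means the escrow landed on a domain controller that has not replicated yet, or that the account cannot read the recovery objects, so check replication and permissions before re-running the backup.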