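# Name: Enable-SystemVolumeBitLocker.ps1
# Author: James Schlackman
# Last Modified: August 19 2021
# Ensures the system drive is BitLocker encrypted with the recovery password backed
# up to Active Directory.
#
# Ordering is the security property: BitLocker is only enabled AFTER at least one
# recovery password protector has been confirmed stored in AD, so a machine can
# never end up encrypted with a recovery key that exists nowhere but on the machine
# itself. If the backup fails the script exits non-zero without touching encryption.
#
# Should be used in conjunction with GPOs set appropriately in
# Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption
# https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-group-policy-settings
#
# Requires elevation (BitLocker and TPM cmdlets) and a domain-joined machine whose
# AD schema holds BitLocker recovery objects. KeyProtector objects returned by the
# BitLocker cmdlets carry the plaintext recovery password: never dump
# $passProtectors or cmdlet output to a transcript/log.
#Requires -RunAsAdministrator

$mountPoint = $env:SystemDrive
$sysVolume = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop
$passProtectors = @($sysVolume.KeyProtector | Where-Object KeyProtectorType -eq RecoveryPassword)

# Add a recovery password protector if the drive has none. Add-BitLockerKeyProtector
# returns the volume's full protector list (a pre-existing TPM protector included),
# so filter to the recovery password entries only; other protector types cannot be
# backed up to AD and would just produce errors below.
if ($passProtectors.Count -eq 0) {
    $added = Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector -ErrorAction Stop
    $passProtectors = @($added.KeyProtector | Where-Object KeyProtectorType -eq RecoveryPassword)
}

# Back up every recovery password protector to AD. A failed backup is a
# non-terminating error by default and would silently yield $null; make the
# failure explicit so the enable decision rests on a confirmed success.
$backedUp = $false
foreach ($protector in $passProtectors) {
    try {
        $null = Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop
        $backedUp = $true
    } catch {
        Write-Warning "Failed to back up recovery password protector $($protector.KeyProtectorId) to AD: $_"
    }
}

if (-not $backedUp) {
    Write-Error "No recovery password protector could be backed up to Active Directory; BitLocker was not enabled on $mountPoint."
    exit 1
}

# Re-read the volume: protectors were just modified and the decision below depends
# on current state rather than the snapshot taken before any changes.
$sysVolume = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop

# Recovery information is in AD; enable protection if it is not already active.
if ($sysVolume.ProtectionStatus -ne 'On') {
    $tpm = Get-Tpm -ErrorAction Stop
    if (-not $tpm.TpmPresent) {
        Write-Error "No TPM present on this machine; cannot enable BitLocker with a TPM protector on $mountPoint."
        exit 1
    }
    if (-not $tpm.TpmReady) {
        # NOTE(review): Initialize-Tpm may require a reboot or physical presence
        # before TpmReady becomes true; a rerun of this script is then expected.
        $null = Initialize-Tpm
    }

    # A volume whose protection is merely suspended already has a TPM protector;
    # re-adding one is expected to fail, so only enable when none exists and let
    # Resume-BitLocker handle the suspended case. Output is discarded because the
    # returned volume object includes the key protector list.
    $hasTpmProtector = [bool]($sysVolume.KeyProtector | Where-Object KeyProtectorType -eq Tpm)
    if (-not $hasTpmProtector) {
        $null = Enable-BitLocker -MountPoint $mountPoint -TpmProtector -ErrorAction Stop
    }
    # Clears any suspension; a no-op when protection is already active.
    $null = Resume-BitLocker -MountPoint $mountPoint -ErrorAction Stop
}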