
I have an issue that Google has not yet given me a clear answer to. Our team sets up a range of laptops for staff to use, and I have been working on a PowerShell script that will make our life easier. Currently the script sets up user accounts and installs the standard apps that they would use (Chrome, Office, 7-Zip).

One task I have been looking at for the last few months is to turn on BitLocker. This is required by our IT policy and is needed on all devices that are removable from the site. We need the script to do the following:

  • encrypt the C: drive.
  • use the TPM chip and auto-unlock Windows.
  • save a recovery key to a removable drive.
  • we can't use AD or Group Policy.

I have tried a few different scripts and methods however the top contenders are:

Enable-BitLocker -EncryptionMethod Aes128 -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath $RecoveryFolder -RecoveryKeyProtector

This appears to work; however, it saves the recovery key as a .BEK file.

I tried this one; however, it didn't give me anything.

Enable-BitLocker -EncryptionMethod Aes128 -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath $RecoveryFolder -RecoveryKeyProtector -RecoveryPassword -RecoveryPasswordProtector

I also tried using Manage-bde with the following:

manage-bde -on C: -recoverykey $RecoveryFolder -recoverypassword -UsedSpaceOnly

This also gave me a .BEK file.

Ideally I would like a file with the following content; however, if I can just get the ID number and the key, I could build the file from that data in the script.


BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:

    00000000-0000-0000-0000-000000000000

If the above identifier matches the one displayed by your PC then use the following key to unlock your drive.

Recovery Key:

    000000-000000-000000-000000-000000-000000-000000-000000

If the above identifier doesn't match the one displayed by your PC then this isn't the right key to unlock your drive.
Try another recovery key or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.

1 Answer


This is an awfully big ask, and there's very little code that you provide. Nevertheless, here's what I use, and the biggest difference is that I am not saving the Recovery Password to a removable drive only because I do use Active Directory. However, adding that feature to this script should not be terribly difficult once you're familiar with the Bitlocker objects and commands.

#Requires -Version 5.1
#Requires -RunAsAdministrator
#====================================Debug=====================================
# Do not change this line... it's helpful for debugging
Set-PSDebug -Strict
# Ensure that all references to uninitialized variables generate an error
Set-StrictMode -Version Latest
# Write-Information is silent by default; make its progress messages visible
$InformationPreference = 'Continue'
#====================================Script====================================
# Make sure a Temp folder exists on the system drive
if (!(Test-Path -Path "$($env:SystemDrive)\Temp")) { New-Item -ItemType Directory -Path "$($env:SystemDrive)\" -Name "Temp" > $null }

# Check if TPM chip is enabled (the Win32_TPM instance is missing on machines without a TPM)
$TPMEnabled=Get-WmiObject -Namespace "root\cimv2\security\MicrosoftTPM" -Class "Win32_TPM"

if ($null -ne $TPMEnabled -and $TPMEnabled.IsEnabled_InitialValue) {
  Write-Information "TPM Enabled"
  $Volume=Get-BitLockerVolume -MountPoint $env:SystemDrive
  if ($Volume.VolumeStatus -ne [Microsoft.BitLocker.Structures.BitLockerVolumeStatus]::FullyEncrypted) {
    # Not yet encrypted: turn BitLocker on with a numerical recovery password protector
    Write-Information "Enabling Bitlocker"
    Enable-BitLocker -MountPoint $env:SystemDrive -RecoveryPasswordProtector *> $null
  }
  else {
    # Check if metadata area is full: only the first two key protectors are expected
    Write-Information "Metadata Count = $($Volume.KeyProtector.Count) (should be 2)"
    if ($Volume.KeyProtector.Count -gt 2) {
      for ($i=2; $i -lt $Volume.KeyProtector.Count; $i++) {
        Write-Information "Removing Key Protector #$i"
        Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $Volume.KeyProtector[$i].KeyProtectorId > $null
      }
    }
    else { Write-Information "Metadata OK" }

    # Check if BitLocker is suspended (protection off) and resume it
    Write-Information "Protection Status=$($Volume.ProtectionStatus)"
    if ($Volume.ProtectionStatus -eq [Microsoft.BitLocker.Structures.BitLockerVolumeProtectionStatus]::Off) {
      Write-Information "Resuming Bitlocker"
      Resume-BitLocker -MountPoint $env:SystemDrive > $null
    }
    else { Write-Information "Bitlocker OK" }
  }
}
else { Write-Information "TPM not enabled." }
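As an added example (not part of the question or the answer above), this is how the identifier and the 48-digit numerical recovery password can be read back from the volume's key protectors and written to a removable drive in the same text layout as the file the question asks for. It assumes a RecoveryPassword protector already exists on the OS drive (as the answer's Enable-BitLocker call creates) and that the removable drive is mounted as E:, both of which are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: export the OS drive's BitLocker recovery password as a text file.
param(
    [string]$MountPoint     = $env:SystemDrive,
    [string]$RecoveryFolder = 'E:\BitLockerRecovery'   # assumption: removable drive is E:
)

$Volume    = Get-BitLockerVolume -MountPoint $MountPoint
$Protector = $Volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1

if (-not $Protector) {
    throw "No RecoveryPassword key protector found on $MountPoint; add one before exporting."
}

# KeyProtectorId is returned as '{GUID}'; the recovery screen and the Windows file show it without braces.
$Identifier = $Protector.KeyProtectorId.Trim('{}')
$Password   = $Protector.RecoveryPassword   # eight groups of six digits

if (-not (Test-Path -Path $RecoveryFolder)) {
    New-Item -ItemType Directory -Path $RecoveryFolder | Out-Null
}

# Same wording as the file Windows produces from the "Save to a file" option.
$Content = @"
BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:

    $Identifier

If the above identifier matches the one displayed by your PC then use the following key to unlock your drive.

Recovery Key:

    $Password

If the above identifier doesn't match the one displayed by your PC then this isn't the right key to unlock your drive.
Try another recovery key or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.
"@

# File name follows the "BitLocker Recovery Key <identifier>.TXT" pattern Windows uses.
$OutFile = Join-Path -Path $RecoveryFolder -ChildPath "BitLocker Recovery Key $Identifier.TXT"
Set-Content -Path $OutFile -Value $Content -Encoding Unicode
Write-Host "Recovery password for $MountPoint saved to $OutFile"
```

The exported file is a plaintext unlock credential for the whole drive, so the removable drive it lands on needs the same physical protection as the laptop's data.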