Enabling BitLocker for all fixed volumes

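## Enables BitLocker on every fixed volume, turns on auto-unlock for the
## non-system volumes, and backs up each recovery password protector to AD.

## Initialize TPM
Initialize-Tpm

## Create required registry entries to backup recovery information to AD.
## Done once, before any volume is touched. The key is created only when it is
## missing: New-Item -Force on an existing registry key recreates it, which can
## discard BitLocker policy values that are already configured there.
## NOTE(review): OSActiveDirectoryBackup / OSRecovery are the operating-system
## drive settings; fixed data drives have their own FDV* policy values. Confirm
## that AD backup is permitted for the data volumes handled below.
$fvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path -Path $fvePolicyPath))
{
  New-Item -Path $fvePolicyPath -Force
}
New-ItemProperty -Path $fvePolicyPath -Name OSActiveDirectoryBackup -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path $fvePolicyPath -Name OSRecovery -Value 1 -PropertyType DWORD -Force

## Get fixed drives (DriveType 3). DeviceID is already in 'C:' form, so no
## round trip through Get-PSDrive is needed.
$volumes = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
  ForEach-Object -Process {
    $_.DeviceID
  }

foreach ($volume in $volumes)
{
  ## Enable encryption
  ## -SkipHardwareTest starts encryption without the pre-encryption check of
  ## the key protectors, and -UsedSpaceOnly leaves free space (which may hold
  ## previously deleted data) unencrypted until it is overwritten.
  ## NOTE(review): only a recovery password protector is requested here; no TPM
  ## protector is added by this script. Confirm the system volume ends up with
  ## the protectors you intend. The cmdlet may also print the recovery password
  ## to the console, so keep this output out of shared logs and transcripts.
  Enable-BitLocker -MountPoint $volume -SkipHardwareTest -UsedSpaceOnly -RecoveryPasswordProtector

  ## Auto-unlock applies to data volumes only; compare against the real system
  ## drive instead of assuming it is C:. With auto-unlock the data volume is
  ## only as well protected as the system volume that stores its key.
  if ($volume -ne $env:SystemDrive)
  {
    Enable-BitLockerAutoUnlock $volume
  }

  ## A volume can carry more than one recovery password protector (for example
  ## after a re-run). Back up each one separately; joining several IDs into a
  ## single string would make the backup call fail and leave nothing in AD.
  $recoveryProtectors = @((Get-BitLockerVolume -MountPoint $volume).KeyProtector |
    Where-Object -Property KeyProtectorType -EQ -Value RecoveryPassword)

  if ($recoveryProtectors.Count -eq 0)
  {
    Write-Warning -Message "No recovery password protector found on $volume; nothing was backed up to AD."
  }

  foreach ($protector in $recoveryProtectors)
  {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $protector.KeyProtectorId
  }
}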