BitLocker clean up
Update 2021-03-12: I have corrected the description of this script to be more accurate.
I have used this script on PC clients in production to check if BitLocker is already enabled and that the necessary protectors are created. If not, the script will add a TPM protector and a recovery password protector which will be backed up in AD. The script will also resume BitLocker protection of the OS volume if it has been suspended.
```powershell
# Define log file name and location
$LogPath = "C:\temp"
$LogFileName = "$env:COMPUTERNAME.log"
$LogFile = "$LogPath\$LogFileName"

function LogWrite([string]$LogString) {
    try {
        Add-Content $script:LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $LogString" -Force -ErrorAction Stop
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}

# Initialize log file location
if (!(Test-Path $LogPath)) {
    try {
        New-Item $LogPath -Type Directory -ErrorAction Stop | Out-Null
    }
    catch {
        $LogFile = "c:\Windows\Temp\$LogFileName"
        Write-Warning "Log folder could not be created in chosen location. Log saved to c:\Windows\Temp instead."
        Write-Warning ("$($_.Exception.Message)")
    }
}

LogWrite "### START OF SCRIPT ###"
LogWrite "Running script as $env:username"

# Check status of current BitLocker volume (c:)
LogWrite "Checking status of TPM and BitLocker"
$TPMactive = (Get-WMIObject -Namespace "root\cimv2\security\microsofttpm" -Class 'win32_tpm').IsActivated_InitialValue
LogWrite "TPM active status: $TPMactive"
$TPMenabled = (Get-WMIObject -Namespace "root\cimv2\security\microsofttpm" -Class 'win32_tpm').IsEnabled_InitialValue
LogWrite "TPM enabled status: $TPMenabled"
$TPMowned = (Get-WMIObject -Namespace "root\cimv2\security\microsofttpm" -Class 'win32_tpm').IsOwned_InitialValue
LogWrite "TPM owned status: $TPMowned"
$BitlockerProtectionStatus = (Get-BitLockerVolume -MountPoint c:).ProtectionStatus
LogWrite "BitLocker protection status: $BitlockerProtectionStatus"
$BitLockerVolumeStatus = (Get-BitLockerVolume -MountPoint c:).VolumeStatus
LogWrite "BitLocker encryption status: $BitLockerVolumeStatus"
$BitLockerEncryptionPercentage = (Get-BitLockerVolume -MountPoint c:).EncryptionPercentage
LogWrite "BitLocker encryption percentage: $BitLockerEncryptionPercentage"

# Break if disk is not encrypted
if ($BitLockerEncryptionPercentage -ne 100) {
    LogWrite "Volume is not encrypted. Stopping script!"
    break
}

# Break if TPM is not ready
if (($TPMactive -ne $true) -or ($TPMenabled -ne $true) -or ($TPMowned -ne $true)) {
    LogWrite "TPM is not ready. Stopping script!"
    break
}

# Get the encryptable volume object for the OS disk
$volume = Get-WMIObject -Namespace "root/CIMV2/Security/MicrosoftVolumeEncryption" -Class 'Win32_EncryptableVolume' -Filter "DriveLetter='C:'"
LogWrite "Checking protectors on $($volume.DriveLetter)"

# Get the ID of the existing Recovery Password protector for the volume (key protector type 3)
LogWrite "Trying to find a recovery password protector"
[array]$RPWprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 3 }

if (($RPWprotectorID.Count -eq 0) -or ($RPWprotectorID -eq $null)) {
    LogWrite "No Recovery Password protectors found"
    # Create new RPW protector. -ErrorAction Stop is needed so that cmdlet
    # failures become terminating errors and actually reach the catch block.
    LogWrite "Trying to create a new Recovery Password protector"
    try {
        Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector -ErrorAction Stop
        [array]$RPWprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 3 }
        LogWrite "Successfully created a new Recovery Password protector: $($RPWprotectorID[0])"
        LogWrite "Trying to backup the recovery password to AD"
        Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $($RPWprotectorID[0]) -ErrorAction Stop
        LogWrite "Successfully backed up the recovery password"
        $RPWprotectorStatus = $true
    }
    catch {
        LogWrite "Failed to create the new recovery password protector or backup the password to AD"
        LogWrite "$($_.Exception.Message)"
        $RPWprotectorStatus = $false
    }
}
else {
    LogWrite "Found this Recovery Password protector: $($RPWprotectorID[0])"
    $RPWprotectorStatus = $true
}

# Backup Recovery Password protector to AD (only first one)
if ($RPWprotectorStatus -eq $true) {
    Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $($RPWprotectorID[0])
    #manage-bde.exe -protectors -adbackup c: -id $RPWprotectorID[0]
}

# Get the ID of the existing TPM protector for the volume (key protector type 1)
LogWrite "Trying to find a TPM protector"
$TPMprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 1 }

if ($TPMprotectorID -eq $null) {
    LogWrite "No TPM protector found"
    # Create new TPM protector
    LogWrite "Trying to create a new TPM protector"
    try {
        Add-BitLockerKeyProtector -MountPoint c: -TpmProtector -ErrorAction Stop
        $TPMprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 1 }
        LogWrite "Successfully created a new TPM protector: $TPMprotectorID"
        $TPMprotectorStatus = $true
    }
    catch {
        LogWrite "Failed to create new TPM protector"
        LogWrite "$($_.Exception.Message)"
        $TPMprotectorStatus = $false
    }
}
else {
    LogWrite "Found this TPM protector: $TPMprotectorID"
    $TPMprotectorStatus = $true
}

# Get the TPM Platform Validation Profile (PCRs) for the TPM protector
$PCRs = $volume.GetKeyProtectorPlatformValidationProfile($TPMprotectorID).PlatformValidationProfile
if ($PCRs.Count -ne 0) { LogWrite "The TPM has these active PCRs: $PCRs" }

# Enable (resume) BitLocker
if ($BitlockerProtectionStatus -ne "On") {
    LogWrite "BitLocker protection is currently OFF"
    if (($TPMprotectorStatus -eq $true) -and ($RPWprotectorStatus -eq $true)) {
        LogWrite "Trying to enable (resume) BitLocker"
        try {
            #manage-bde.exe -protectors -enable c:
            Resume-BitLocker -MountPoint c: -ErrorAction Stop
            LogWrite "Successfully resumed BitLocker for $($volume.DriveLetter)"
        }
        catch {
            LogWrite "Failed to resume BitLocker for $($volume.DriveLetter)"
            LogWrite "$($_.Exception.Message)"
        }
    }
    else {
        LogWrite "Could not resume BitLocker because of missing TPM and/or Recovery Password protectors"
    }
}
else {
    LogWrite "BitLocker protection is already ON. No further actions are necessary"
}
```
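An audit-only companion, added here as an example and not part of the post's script: it reports the same conditions the script remediates (TPM ready, volume fully encrypted, protection on, TPM and recovery password protectors present) without changing anything, and cross-checks that each local recovery password GUID exists as an msFVE-RecoveryInformation object under the computer account in AD. It assumes the BitLocker and RSAT ActiveDirectory modules and an account permitted to read those AD objects.

```powershell
# Added audit-only example (not the post's script). Assumes the BitLocker module
# and, for the AD check, the RSAT ActiveDirectory module plus read rights on
# msFVE-RecoveryInformation objects (by default only privileged accounts have them).
function Get-BitLockerComplianceReport {
    param([string]$MountPoint = 'C:')

    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProt = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    $rpProt  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $r = [pscustomobject]@{
        MountPoint            = $MountPoint
        # Same three TPM flags the remediation script requires
        TpmReady              = [bool]($tpm -and $tpm.IsActivated_InitialValue -and
                                       $tpm.IsEnabled_InitialValue -and $tpm.IsOwned_InitialValue)
        FullyEncrypted        = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn          = ($vol.ProtectionStatus -eq 'On')
        HasTpmProtector       = ($tpmProt.Count -gt 0)
        RecoveryPasswordCount = $rpProt.Count
        RecoveryPasswordIds   = @($rpProt.KeyProtectorId)
    }
    # Compliant only when the remediation script would have nothing left to do
    $r | Add-Member -NotePropertyName Compliant -PassThru -NotePropertyValue (
        $r.TpmReady -and $r.FullyEncrypted -and $r.ProtectionOn -and
        $r.HasTpmProtector -and $r.RecoveryPasswordCount -ge 1)
}

# Verify that each local recovery password protector has a matching
# msFVE-RecoveryInformation child object under this computer's AD account.
function Test-RecoveryPasswordInAD {
    param([string[]]$KeyProtectorIds)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $adGuids = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties 'msFVE-RecoveryGuid' |
        ForEach-Object { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') }
    foreach ($id in $KeyProtectorIds) {
        [pscustomobject]@{ KeyProtectorId = $id; BackedUpInAD = ($adGuids -contains [guid]$id) }
    }
}

# Use as a detection script: non-zero exit code means remediation is needed
$report = Get-BitLockerComplianceReport
$report | Format-List
if (-not $report.Compliant) { exit 1 }
```

Run `Test-RecoveryPasswordInAD -KeyProtectorIds $report.RecoveryPasswordIds` from a host with the AD module to confirm the AD backup actually landed; a protector that exists locally but not in AD is the case the script's Backup-BitLockerKeyProtector call is meant to fix.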
2 Comments
Thank you for your nice script! I have tested it and it did not trigger the encryption. How to allow the TPM protector and send the key to AD?
Hi Lewis
Sorry for the late reply. I have corrected the description of the script: it does not start the encryption process after all. To modify which protectors are allowed you could set this with a GPO: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#require-additional-authentication-at-startup