PomDesk
Script Library
PomDesk Product LibraryScript Library
Script Library
PomDesk Product LibraryScript Library
  • Active Directory
    • Bulk User Account Creation
    • Password Reset
    • User Access Review
    • Disable Inactive User Accounts
    • Bulk Group Membership Addition
    • Find Locked Out Accounts
    • Export User Information to CSV
    • Modify User Attributes
    • Reset User Group Memberships
  • Network Diagnostics and Monitoring
    • Network Ping Test
    • Bandwidth Monitoring
    • DNS Resolution Check
    • Port Availability Check
    • Trace Route
    • Packet Loss Test
    • Bandwidth Utilization Over Time
  • Backup and Recovery
    • Backup Active Directory
    • System State Backup for AD Domain Controllers
    • Backup Key Files and Folders
    • Scheduled Backup Task Creation
    • Restore AD Objects from CSV Backup
    • Restore from System State Backup
  • Disk Maintenance
    • Automated Disk Cleanup
    • Disk Health Check
    • Disk Defragmentation
    • Disk Space Monitoring and Notification
    • Find and Archive Large Files
    • Check and Repair Disk Errors
    • Enable BitLocker on C: Drive
    • Get BitLocker Encryption Status
  • Windows Computer & User
    • Disable User Account Control (UAC)
    • Reboot Device and Notify User
    • Create Local Administrator Account
Powered by GitBook
On this page
  1. Disk Maintenance

Enable BitLocker on C: Drive

This PowerShell script enables BitLocker on the C: drive and backs up the recovery key to AD or Azure AD.

# Check if BitLocker is already enabled on C: Drive
$bitlockerStatus = Get-BitLockerVolume -MountPoint "C:"

if ($bitlockerStatus.ProtectionStatus -eq "On") {
    Write-Output "BitLocker is already enabled on C: Drive."
} else {
    # Enable BitLocker with TPM protection
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector -TpmProtector -ComputerName $env:COMPUTERNAME

    # Wait for the encryption to complete
    $bitlockerEncryption = Get-BitLockerVolume -MountPoint "C:"
    while ($bitlockerEncryption.EncryptionPercentage -lt 100) {
        Write-Output "Encryption in progress... $($bitlockerEncryption.EncryptionPercentage)% completed."
        Start-Sleep -Seconds 30
        $bitlockerEncryption = Get-BitLockerVolume -MountPoint "C:"
    }

    Write-Output "Encryption completed successfully on C: Drive."
    
    # Backup recovery key to AD or Azure AD
    if ((Get-Command -Name "Add-BitLockerKeyProtector" -ErrorAction SilentlyContinue) -and ($bitlockerStatus.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" -and $_.RecoveryPassword } )) {
        # Backup to Active Directory
        Add-BitLockerKeyProtector -MountPoint "C:" -ADAccountOrGroup "Domain\YourDomainAdmins" -RecoveryPasswordProtector
        Write-Output "Recovery key backed up to Active Directory."

        # Optional: Backup to Azure AD
        # Uncomment the next line if using Azure AD
        # Add-BitLockerKeyProtector -MountPoint "C:" -AzureAD
        # Write-Output "Recovery key backed up to Azure Active Directory."
    } else {
        Write-Output "Failed to back up recovery key to AD."
    }
}

Explanation of the Script Steps

1. Check BitLocker Status: The script first checks if BitLocker is already enabled on the C: drive. If it is, a message is displayed, and the script exits.

2. Enable BitLocker: If BitLocker is not enabled, the script enables it with TPM protection and the recovery password protector. It uses AES 256-bit encryption and only encrypts used space.

3. Monitor Encryption Progress: It checks the encryption progress and waits until it is complete, displaying the percentage completed.

4. Backup Recovery Key: After enabling BitLocker, the script attempts to back up the recovery key to Active Directory. If you want to back it up to Azure AD, you can uncomment the relevant line.

2. Requirements for Azure AD Backup

For backing up the recovery key to Azure AD, ensure:

• Your system is joined to Azure AD.

• The device is registered and managed through Azure AD.

Run the Script

1. Open PowerShell as an administrator.

2. Copy and paste the above script.

3. Make sure to replace "Domain\YourDomainAdmins" with your actual domain and group.

4. Run the script.

3. Verify Recovery Key Backup

To verify that the recovery key has been backed up:

• For Active Directory: Use the Active Directory Users and Computers (ADUC) tool. Navigate to the computer object, right-click, and select Properties. Under the BitLocker Recovery tab, you should see the recovery key.

• For Azure AD: You can check via the Azure portal under Azure Active Directory > Devices. Select the device, and you should see the BitLocker recovery key.

PreviousCheck and Repair Disk ErrorsNextGet BitLocker Encryption Status

Last updated 6 months ago