
I am trying to enable BitLocker on all domain-joined user machines in my office.

I have used a Windows Task Scheduler script to enable BitLocker on all machines.

But the code below is enabling BitLocker on the C drive alone.

I need to enable this on all drives in the laptop. How do I proceed? I have attached the script below.

# Prerequisite 1: a TPM that is present and enabled
$TPM = Get-WmiObject Win32_Tpm -Namespace root\cimv2\security\microsofttpm -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled().IsEnabled -eq $true }

# Prerequisite 2: a client OS (ProductType 1) that is Windows 8, 8.1 or 10
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue

# Prerequisite 3: the BitLocker module can see the system drive
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue


#If all of the above prerequisites are met, then create the key protectors, then enable BitLocker and back up the recovery key to AD.
if ($WindowsVer -and $TPM -and $BitLockerReadyDrive) {

    #Creating the recovery key
    Start-Process 'manage-bde.exe' -ArgumentList " -protectors -add $env:SystemDrive -recoverypassword" -Verb runas -Wait

    #Adding TPM key (only valid on the operating system volume)
    Start-Process 'manage-bde.exe' -ArgumentList " -protectors -add $env:SystemDrive -tpm" -Verb runas -Wait
    Start-Sleep -Seconds 15 #This is to give sufficient time for the protectors to fully take effect.

    #Enabling Encryption
    Start-Process 'manage-bde.exe' -ArgumentList " -on $env:SystemDrive -em aes256" -Verb runas -Wait

    #Getting Recovery Key GUID
    $RecoveryKeyGUID = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -ExpandProperty KeyProtectorID

    #Backing up the recovery password to AD.
    manage-bde.exe -protectors $env:SystemDrive -adbackup -id $RecoveryKeyGUID

    #Restarting the computer, to run the TPM hardware test and begin the encryption process
    Restart-Computer
}
  • Possible duplicate of [powershell script to run bitlocker](https://serverfault.com/questions/916060/powershell-script-to-run-bitlocker) – Esa Jokinen Jun 20 '18 at 06:29
  • Yes. No one provided a resolution for that. Can you guys provide a solution for the above question? – user284141 Jun 20 '18 at 06:30
  • If you don't get an answer, don't duplicate your question. This is not a script writing service. Apparently you need to replace `$env:SystemDrive` with other drives and iterate. But we'd all use GP, instead, as already mentioned on the comments of your other question. – Esa Jokinen Jun 20 '18 at 06:35
  • Hi Jokinen, thanks for your reply. I have used this link to set this up: https://adameyob.com/2016/12/08/zero-touch-bitlocker-deployments/ How can I do this for other drives too? Is it possible to do this without a script? – user284141 Jun 20 '18 at 09:16
  • From the above answer, where do I add the iteration for the drives, please? – user284141 Jun 20 '18 at 09:22

1 Answer

You could try this code to get all drives, then run the BitLocker cmdlets inside the "foreach":

# Fixed disks that have a drive letter and a file system; this skips the
# recovery/EFI partitions (no letter) and RAW volumes (no file system).
# A volume without a letter may report DriveLetter as empty or as a null
# character, so a regex on the string form handles both.
$drives = Get-Volume | Where-Object {
    $_.DriveType -eq 'Fixed' -and
    "$($_.DriveLetter)" -match '^[A-Za-z]$' -and
    $_.FileSystem
}
foreach ($drive in $drives) {
    # Get-BitLockerVolume and manage-bde take "D:" rather than the bare letter
    $mountPoint = "$($drive.DriveLetter):"
    $mountPoint
}
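As a complete, added example (not code from the question, the answer, or the linked blog post), here is the iteration combined with the BitLocker cmdlets that ship with Windows 8 / Server 2012 and later. The one thing a plain "replace `$env:SystemDrive` and loop" would get wrong is the protector type: `manage-bde -protectors -add D: -tpm` is rejected on a data volume, because the TPM protector only applies to the operating system volume. Data volumes therefore get a recovery password (escrowed to AD like the OS one) and are bound to the OS volume with auto-unlock. Assumptions not stated on the page: the script runs elevated (for example as SYSTEM from Task Scheduler), AD DS has the BitLocker recovery schema and the computer object may write to it, `Aes256` is used to match the question's `-em aes256`, and the helper `Backup-RecoveryPasswordToAD` is this example's own.

```powershell
# Added example, not the original poster's script. Enables BitLocker on every
# fixed, lettered, formatted volume: TPM + recovery password on the OS volume,
# recovery password + auto-unlock on data volumes, recovery passwords escrowed
# to AD. Assumes an elevated session, the BitLocker module, and an AD DS that
# accepts BitLocker recovery information.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$OsDrive = $env:SystemDrive   # e.g. "C:"
$Method  = 'Aes256'           # same cipher as "-em aes256" in the question

function Backup-RecoveryPasswordToAD {
    # Hypothetical helper for this example: escrow every RecoveryPassword
    # protector on the volume to the computer object in AD.
    param([string]$MountPoint)
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($p in $protectors) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Same selection as the answer: fixed disks with a letter and a file system.
$volumes = Get-Volume | Where-Object {
    $_.DriveType -eq 'Fixed' -and
    "$($_.DriveLetter)" -match '^[A-Za-z]$' -and
    $_.FileSystem
}

# OS volume first: auto-unlock for the data volumes is keyed to it.
$ordered = @($volumes | Where-Object { "$($_.DriveLetter):" -eq $OsDrive }) +
           @($volumes | Where-Object { "$($_.DriveLetter):" -ne $OsDrive })

foreach ($vol in $ordered) {
    $mp  = "$($vol.DriveLetter):"
    $blv = Get-BitLockerVolume -MountPoint $mp

    if ($blv.VolumeStatus -ne 'FullyDecrypted') {
        Write-Output "${mp}: already in BitLocker state $($blv.VolumeStatus); skipping"
        continue
    }

    if ($mp -eq $OsDrive) {
        # OS volume: the TPM protector is only allowed here. The question's
        # script reboots to run the TPM hardware test; -SkipHardwareTest
        # starts encryption now and turns protection on immediately.
        if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; cannot add a TPM protector' }
        Enable-BitLocker -MountPoint $mp -EncryptionMethod $Method -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }
    else {
        # Data volume: no TPM protector possible, so the recovery password is
        # the protector created up front ...
        Enable-BitLocker -MountPoint $mp -EncryptionMethod $Method -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
        # ... and auto-unlock binds it to the OS volume, which must already
        # have protection on (it will not until the reboot if the hardware
        # test was not skipped).
        if ((Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus -eq 'On') {
            Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
        }
        else {
            Write-Warning "${mp}: OS volume not yet protected; rerun after reboot to enable auto-unlock"
        }
    }

    Backup-RecoveryPasswordToAD -MountPoint $mp
    $after = Get-BitLockerVolume -MountPoint $mp
    Write-Output "${mp}: protection $($after.ProtectionStatus), status $($after.VolumeStatus)"
}
```

Run it from the same scheduled task as the original script. Because the TPM hardware test is skipped, the OS volume is protected as soon as `Enable-BitLocker` returns and the data volumes can be auto-unlocked in the same pass; if you prefer to keep the hardware test and reboot, the data-volume branch warns and the task should simply run again after the reboot. As noted in the comments, the same result (including AD escrow of recovery passwords) is normally delivered with the BitLocker Group Policy settings rather than a script.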