
Enable BitLocker on OS Drive with TPM Protection

Overview

This script attempts to enable BitLocker on the operating system drive with TPM protection. It checks if BitLocker is already enabled and if the TPM is ready before proceeding.

It can be used to assist in the deployment of BitLocker against endpoints, ensuring that the operating system drive is protected with at least a TPM key protector.

It can be used in conjunction with the Test BitLocker OS Drive Key Protector Types script to automate enabling BitLocker on multiple endpoints and to work with users to set up approved key protector types (TPM+PIN or TPM+Password).

It is best paired with an RMM tool that can evaluate the script's output and create issues or tickets.

  • Example: run the script across an entire company via the RMM tool, evaluate the output for the line "Restart the computer to run a hardware test.", and trigger a scheduled reboot and/or create a ticket asking the user to reboot.

Usage

Option 1: Run directly from the web

Run the following command in an elevated PowerShell session:

iex (iwr -UseBasicParsing https://techdocsoffline.com/powershell-snippets/EnableBitLockerOnOSDrive.ps1)

Option 2: Download and run locally

  1. Download the script:
     Invoke-WebRequest -Uri https://techdocsoffline.com/powershell-snippets/EnableBitLockerOnOSDrive.ps1 -OutFile EnableBitLockerOnOSDrive.ps1
  2. Run the script with administrative privileges:
     .\EnableBitLockerOnOSDrive.ps1

Script Details

EnableBitLockerOnOSDrive.ps1
# =============================================================================
# Script Name: Enable BitLocker on OS Drive
# Version: 1.0.0
# =============================================================================
#
# DESCRIPTION:
# Attempts to enable BitLocker on the operating system drive with TPM protection.
#
# DISCLAIMER:
# This script is provided "AS IS" without warranties of any kind.
# Always review scripts from the internet before executing them.
#
# =============================================================================

# Check if the script is running with administrative privileges
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "This script must be run as an administrator." -ForegroundColor Red
    exit
}

$bitlockerOSVolMountPoint = $null
Write-Host "Checking Prerequisites..."

# Check if BitLocker is already protecting the OS drive
Write-Host "Checking if BitLocker is already enabled"
$bitlockerVolumes = Get-BitLockerVolume
foreach ($volume in $bitlockerVolumes) {
    if ($volume.VolumeType -like "OperatingSystem") {
        Write-Host "Found mount point for OS..."
        # Set the OS mount point variable, will be used later
        $bitlockerOSVolMountPoint = $volume.MountPoint
        # Echo the variable so the mount point shows up in the captured output
        Get-Variable bitlockerOSVolMountPoint
        Write-Host
        # Check if the OS volume already has BDE protection turned on
        if ($volume.ProtectionStatus -eq "On") {
            Write-Host "BitLocker protection is already enabled for Operating System drive. Exiting."
            return
        }
    }
}

# Guard against a missing OS volume; Enable-BitLocker would otherwise fail on a null mount point
if (-not $bitlockerOSVolMountPoint) {
    Write-Error "No operating system volume was found! Aborting."
    return
}
Write-Host "BitLocker does not seem to be protecting the operating system drive, continuing."

# Check if TPM is ready
Write-Host "Checking if TPM is ready"
$tpm = Get-Tpm
if ($tpm.TpmReady -ne $True) {
    Write-Error "TPM is not ready! Aborting."
    return
}
Write-Host "TPM is ready, continuing."

# Enable BitLocker
# Note: -TpmProtector adds only the TPM key protector (see KeyProtector : {Tpm}
# in the example output); no recovery password protector is added by this script.
Write-Host "Prereq check done, enabling BitLocker with TPM/Recovery Password key protector"
Enable-BitLocker -MountPoint $bitlockerOSVolMountPoint -TpmProtector

Parameters

No parameters are required for this script.

Examples

# Run the script
.\EnableBitLockerOnOSDrive.ps1
Checking Prerequisites...
Checking if BitLocker is already enabled
Found mount point for OS...
Name Value
---- -----
bitlockerOSVolMountPoint C:
BitLocker does not seem to be protecting the operating system drive, continuing.
Checking if TPM is ready
TPM is ready, continuing.
Prereq check done, enabling BitLocker with TPM/Recovery Password key protector
WARNING: ACTIONS REQUIRED:
1. Restart the computer to run a hardware test.
(Type: get-help Restart-Computer for command line instructions.)
ComputerName : DESKTOP-VC6ETRP
MountPoint : C:
EncryptionMethod : None
AutoUnlockEnabled :
AutoUnlockKeyStored : False
MetadataVersion : 2
VolumeStatus : FullyDecrypted
ProtectionStatus : Off
LockStatus : Unlocked
EncryptionPercentage : 0
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 126.3498
KeyProtector : {Tpm}
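The overview describes an RMM tool evaluating the script's output for "Restart the computer to run a hardware test." and reacting with a reboot or a ticket. The wrapper below is an added example, not part of the original script: it runs EnableBitLockerOnOSDrive.ps1, captures all of its output streams, maps the messages shown in the example output above to a status, and returns an exit code the RMM can branch on. The function name Invoke-BitLockerDeployCheck, the script path and the exit-code values are this example's own assumptions.

```powershell
function Invoke-BitLockerDeployCheck {
    param(
        # Assumed location: the downloaded script in the current directory
        [string]$ScriptPath = '.\EnableBitLockerOnOSDrive.ps1'
    )

    # Merge every stream (Write-Host, Write-Error, the WARNING block and the
    # Enable-BitLocker object) into one string so the messages can be matched.
    $output = & $ScriptPath *>&1 | Out-String

    # Messages the script and Enable-BitLocker emit, checked in this order
    $states = [ordered]@{
        'NeedsAdmin'       = 'must be run as an administrator'
        'AlreadyProtected' = 'BitLocker protection is already enabled'
        'TpmNotReady'      = 'TPM is not ready'
        'RebootRequired'   = 'Restart the computer to run a hardware test'
    }
    $state = 'Unknown'
    foreach ($entry in $states.GetEnumerator()) {
        if ($output -match [regex]::Escape($entry.Value)) { $state = $entry.Key; break }
    }

    # No known message: confirm the result directly instead of trusting silence
    if ($state -eq 'Unknown') {
        $osVol = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
        if ($osVol -and ('Tpm' -in $osVol.KeyProtector.KeyProtectorType)) {
            $state = 'TpmProtectorPresent'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        State        = $state
        Output       = $output
    }
}

$result = Invoke-BitLockerDeployCheck
Write-Output "$($result.ComputerName): $($result.State)"

# Exit codes are this wrapper's own convention for the RMM to branch on
switch ($result.State) {
    'RebootRequired' { exit 3010 }   # schedule a reboot or open a ticket
    'TpmNotReady'    { exit 2 }      # open a ticket: TPM needs attention
    'NeedsAdmin'     { exit 2 }      # RMM agent is not running elevated
    'Unknown'        { exit 1 }      # inspect $result.Output manually
    default          { exit 0 }      # AlreadyProtected / TpmProtectorPresent
}
```

The direct Get-BitLockerVolume check at the end matters because a successful run without the hardware-test warning produces no distinctive message, only the volume object.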