Let’s face it, using your pet’s name and some random numbers and symbols as your device password just doesn’t cut it anymore. A sign-in password only controls who can log on; it does nothing for the data on the disk once someone has the device in hand and can read the drive from another operating system or by pulling it out. That’s where BitLocker encryption comes in. By encrypting the volume, BitLocker makes sure a lost or stolen device gives up no data without the key.
This script enables BitLocker on the C: drive and backs up the recovery password to Active Directory (domain-joined devices) or Azure AD (Azure AD-joined devices). The 48-digit recovery password is what gets a user back in when BitLocker drops into recovery, for example after a firmware update, a TPM change, a forgotten PIN or a drive moved to another machine, so escrowing it centrally matters as much as turning encryption on.
With this script, you can have peace of mind knowing that your data is safe and secure. So give it a try and protect your devices like your neighbor protects his Wi-Fi password (we’re guessing he doesn’t use his pet’s name…).
The Script:
Atera does not guarantee the integrity, availability, security, virus-free, safety, lawfulness, non-infringement, rights’ status, or functionality of the scripts. The use of the shared scripts is at your own risk. Scripts are provided “AS IS”. *
File Type: Ps1
# Enable BitLocker on the C: drive (OS volume) with a recovery password protector.
# -UsedSpaceOnly encrypts only allocated space (fast, but leaves previously deleted data in free space unencrypted).
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

# Add a TPM protector so the OS volume unlocks unattended at boot.
# Without it, BitLocker asks for the 48-digit recovery password at every startup. Requires a ready TPM.
Add-BitLockerKeyProtector -MountPoint "C:" -TpmProtector

# Get the ID of the recovery password protector. KeyProtectorId is already a {GUID} string,
# which is the form manage-bde -ID expects.
$key = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1 -ExpandProperty KeyProtectorId

# Back up the recovery password: to Active Directory if the system is domain joined,
# otherwise to Azure AD (this branch assumes the device is Azure AD joined; on a workgroup device it fails).
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain -eq $true) {
    manage-bde -protectors -adbackup C: -id "$key"
}
else {
    manage-bde -protectors -aadbackup C: -id "$key"
}
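The script above turns encryption on but never checks that it worked. The following is an added example (not part of the Atera script) that a practitioner would run before and after it: it confirms a ready TPM and a usable backup target, reports the volume's encryption and protector state, and, on a domain-joined device with the RSAT ActiveDirectory module installed, looks up the escrowed password under the computer object. It assumes the OS volume is C: and that it runs elevated.

```powershell
# Added example: pre-flight and post-run checks for the BitLocker script. Not Atera's code.
# Assumptions: OS volume is C:, run elevated, RSAT ActiveDirectory module present for Test-ADRecoveryBackup.

function Test-BitLockerPrereqs {
    # A TPM protector can only be added to a present, initialized TPM
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw "No TPM found; Add-BitLockerKeyProtector -TpmProtector will fail." }
    if (-not $tpm.TpmReady)   { throw "TPM present but not ready; initialize it before enabling BitLocker." }

    # Work out where the recovery password can be escrowed
    $domainJoined = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $aadJoined    = $null -ne (dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')
    if (-not $domainJoined -and -not $aadJoined) {
        throw "Device is neither AD nor Azure AD joined; manage-bde -adbackup/-aadbackup would fail."
    }
    [pscustomobject]@{ DomainJoined = $domainJoined; AzureAdJoined = $aadJoined }
}

function Get-BitLockerReport {
    param([string]$MountPoint = 'C:')
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $tpmProt  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')

    [pscustomobject]@{
        MountPoint           = $MountPoint
        VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus     = $vol.ProtectionStatus    # On only once key protectors are active
        EncryptionMethod     = $vol.EncryptionMethod
        EncryptionPercentage = $vol.EncryptionPercentage
        HasTpmProtector      = ($tpmProt.Count -gt 0)
        RecoveryProtectorIds = @($recovery.KeyProtectorId)   # the {GUID}s to look for in AD / Azure AD
    }
}

function Test-ADRecoveryBackup {
    # Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer account;
    # the object's name (CN) ends with the protector ID, so match on that.
    param([string[]]$ProtectorIds)
    Import-Module ActiveDirectory
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $escrowed = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                -SearchBase $computerDn -Properties msFVE-RecoveryPassword
    foreach ($id in $ProtectorIds) {
        $hit = $escrowed | Where-Object { $_.Name -like "*$id" }
        [pscustomobject]@{ ProtectorId = $id; EscrowedInAD = ($null -ne $hit) }
    }
}

# Usage
$target = Test-BitLockerPrereqs
$report = Get-BitLockerReport -MountPoint 'C:'
$report | Format-List
if (-not $report.HasTpmProtector) { Write-Warning "No TPM protector: the recovery password will be demanded at every boot." }
if ($report.RecoveryProtectorIds.Count -eq 0) { Write-Warning "No recovery password protector: nothing to back up." }
if ($target.DomainJoined -and $report.RecoveryProtectorIds.Count -gt 0) {
    Test-ADRecoveryBackup -ProtectorIds $report.RecoveryProtectorIds | Format-Table
}
```

Run it from the same elevated context as the script (the agent's SYSTEM context is fine for everything except the AD lookup, which needs a domain account with read access to the computer object). A ProtectionStatus of Off with VolumeStatus EncryptionInProgress is normal right after the script runs; it flips to On once encryption completes, and the EscrowedInAD column is what tells you the key actually landed in the directory.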
Is there anything I need to do to prepare my device or Active Directory for the script to run successfully?
Yes. The device needs a Windows edition that includes BitLocker (Windows 10 or 11 Pro, Enterprise or Education, or Windows Server 2016 and later; Home editions do not have it) and, for an unattended boot, a TPM that is present and initialized. The script must run with administrative rights. For the Active Directory backup, the AD schema must include the BitLocker recovery attributes and computer accounts must be allowed to write msFVE-RecoveryInformation objects under their own computer object; this guide walks through that setup: https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/ . For the Azure AD backup, the device must be Azure AD joined.
Can I customize the script to use different encryption settings or recovery key backup locations?
Yes. For the encryption settings, -EncryptionMethod accepts XtsAes256 if your policy requires 256-bit keys, and dropping -UsedSpaceOnly encrypts the whole volume including free space (slower, but it also covers data that was deleted before encryption). For the backup, the BitLocker PowerShell module's Backup-BitLockerKeyProtector (Active Directory) and BackupToAAD-BitLockerKeyProtector (Azure AD) cmdlets do the same job as the manage-bde calls and can replace them.
Can I use this script to encrypt drives other than the C: drive? What about on removal drives or external hard drives?
This script is designed to encrypt only the C: drive. To cover other drives, add commands for each one with the MountPoint parameter set to the appropriate drive letter, with two caveats: a TPM protector is only valid for the operating system drive, so fixed data drives and external hard drives get a recovery password plus auto-unlock (Enable-BitLockerAutoUnlock, which requires the OS drive to already be protected) or a password, and removable drives normally use a password protector (-PasswordProtector) so they can be unlocked on another machine.
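As an added example (not part of the Atera script), this is what the data-drive variant looks like for a fixed volume D:, using a recovery password plus auto-unlock and escrowing the key with the BitLocker module cmdlets instead of manage-bde. It assumes D: is a fixed data volume, C: is already BitLocker-protected, and the script runs elevated; the drive letter is a placeholder.

```powershell
# Added example: encrypt a fixed data drive and escrow its recovery password. Not Atera's code.
# Assumptions: $DataDrive is a fixed data volume, C: is already protected, run elevated.
$DataDrive = 'D:'

# No TPM protector here (OS drive only). Recovery password for escrow, auto-unlock so users are not prompted.
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint $DataDrive

# Same lookup as for C:, scoped to this volume
$keyId = (Get-BitLockerVolume -MountPoint $DataDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1 -ExpandProperty KeyProtectorId

# Escrow with the module cmdlets (equivalent to manage-bde -adbackup / -aadbackup)
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $DataDrive -KeyProtectorId $keyId
}
else {
    BackupToAAD-BitLockerKeyProtector -MountPoint $DataDrive -KeyProtectorId $keyId
}

# For a removable drive you would instead create a password protector, for example:
# Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes128 -UsedSpaceOnly -PasswordProtector -Password (Read-Host -AsSecureString 'Drive password')
```

Auto-unlock stores the data drive's unlock key on the encrypted OS volume, so it is only as strong as the OS drive's protectors; if C: is ever decrypted, the auto-unlock keys are removed and the recovery password becomes the only way in, which is why escrowing it is not optional.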
How often should I back up my recovery key?
Back it up as soon as the recovery password protector is created, which is what the script does. The recovery password does not change when your data changes, so ordinary use never requires a new backup; what does is a new protector, for example after you rotate the recovery password, remove and re-add protectors, or decrypt and re-encrypt the drive. A good rule of thumb is to back up whenever a recovery password protector is created and to periodically verify that the protector ID on the device matches an entry in Active Directory or Azure AD.
What happens if I forget my BitLocker password and lose my recovery key?
If no protector can unlock the volume (the TPM no longer releases the key, the PIN or password is forgotten, and the recovery password is lost), the data is unrecoverable. BitLocker has no back door, and the only option is to format the drive and start over. To avoid this situation, escrow the recovery key centrally, as the script does, and confirm the backup actually landed rather than relying on the user to keep a copy.
Technical Notes:
- The Active Directory backup is written by the device's computer account as an msFVE-RecoveryInformation object under its own computer object, so the AD schema must contain the BitLocker attributes and computer accounts must have permission to create those objects. Set this up in Active Directory before running the script, otherwise manage-bde reports an error and the key stays only on the device.
- The script uses the XtsAes128 encryption method; XtsAes256 is the alternative where policy requires 256-bit keys.
- -ADBackup: manage-bde switch that writes the recovery password identified by its protector ID to Active Directory; the script uses it when the system is domain joined (including hybrid Azure AD joined devices, which are domain joined).
- -AADBackup: manage-bde switch that writes the same recovery password to Azure AD; the script uses it when the system is not domain joined, which assumes the device is Azure AD joined. On a workgroup device the command fails.