Invoke-BitLockerWithTpmAndNumricalKeyProtectors
12/29/2013 15:44
<#
.Synopsis
Invokes BitLocker on a drive.
.DESCRIPTION
Invokes BitLocker Drive Encryption on an Encryptable Volume with TPM and Numerical Password key protectors.
If the Trusted Platform Module is not currently owned, ownership will be taken with a randomized 15-character password.
.EXAMPLE
Invoke-BitLockerWithTpmAndNumricalKeyProtectors
.EXAMPLE
Invoke-BitLockerWithTpmAndNumricalKeyProtectors -ComputerName "mycomputer.mydomain.org" -DriveLetter C: -ADKeyBackup $false
.NOTES
ADKeyBackup switch requires proper TPM ACL Delegation in Active Directory to be used.
This function will resume encryption if currently paused, or suspended.
The Get-TpmStatus and Get-BitLockerStatus cmdlets are required.
.LINK
https://github.com/necromorph1024/HpTpmAndBitLocker
https://thomas-malkewitz.webnode.com/news/get-tpmstatus/
https://thomas-malkewitz.webnode.com/news/get-bitlockerstatus/
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376483%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
#>
function Invoke-BitLockerWithTpmAndNumricalKeyProtectors
{
[CmdletBinding()]
[OutputType([void])]
Param
(
# ComputerName, Type string, System to invoke BitLocker against.
[Parameter(Mandatory=$false,
Position=0)]
[string]
$ComputerName=$env:COMPUTERNAME,
# DriveLetter, Type string, Drive letter to invoke BitLocker against. If NullOrEmpty, the SystemDrive will be used.
[Parameter(Mandatory=$false,
Position=1)]
[ValidatePattern('^[a-zA-Z]:$')]  # anchored so only a bare drive letter with colon (e.g. C:) is accepted
[string]$DriveLetter,
# ADKeyBackup, Type switch, Backs up recovery information to the AD DS computer object.
[Parameter(Mandatory=$false,
Position=2)]
[switch]
$ADKeyBackup=$false
)
Begin
{
if (-not(Get-TpmStatus -ComputerName $ComputerName))
{
throw (Get-TpmStatus -ComputerName $ComputerName -Verbose)
}
}
Process
{
$tpm=Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm" -ComputerName $ComputerName -ErrorAction Stop
if (-not($tpm.IsOwned_InitialValue))
{
$charArray="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".ToCharArray()
$random=""
for ($x=0; $x -lt 15; $x++)
{
$random+=$charArray | Get-Random
}
$tpm.TakeOwnership($tpm.ConvertToOwnerAuth($random).OwnerAuth)
}
if (-not($DriveLetter))
{
try
{
$drive=Get-WmiObject Win32_OperatingSystem -Namespace "root\CIMV2" -ComputerName $ComputerName -Property SystemDrive -ErrorAction Stop
$volume=Get-WmiObject -Class Win32_EncryptableVolume -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Filter "DriveLetter = '$($drive.SystemDrive)'" -ComputerName $ComputerName -ErrorAction Stop
}
catch
{
Write-Error "Unable to connect to the necessary WMI namespaces to get the system drive. Verify that you have sufficient rights to connect to the Win32_OperatingSystem and Win32_EncryptableVolume namespaces."
return $false
}
}
else
{
$volume=Get-WmiObject -Class Win32_EncryptableVolume -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Filter "DriveLetter = '$DriveLetter'" -ComputerName $ComputerName -ErrorAction Stop
if ($null -eq $volume)
{
Write-Error "Unable to enumerate the Win32_EncryptableVolume namespace for $DriveLetter. Please make sure the drive letter is correct and that the volume is accessible."
return $false
}
}
if (-not($volume.GetKeyProtectors(3).VolumeKeyProtectorID))
{
$volume.ProtectKeyWithNumericalPassword()
if ($ADKeyBackup)
{
try
{
$volume.BackupRecoveryInformationToActiveDirectory($volume.GetKeyProtectors(3).VolumeKeyProtectorID)
}
catch
{
throw "There was an error backing up the recovery information to AD DS. Ensure the proper infrastructure settings are in place to use this option."
}
}
}
if (-not($volume.GetKeyProtectors(1).VolumeKeyProtectorID))
{
$volume.ProtectKeyWithTPM() | Out-Null
}
switch ($volume.GetConversionStatus().ConversionStatus)
{
0 { $volume.Encrypt() | Out-Null }
1 { if ($volume.ProtectionStatus -eq 0) { $volume.EnableKeyProtectors() | Out-Null } }
4 { $volume.ResumeConversion() | Out-Null }
}
}
End
{
Get-BitLockerStatus -ComputerName $ComputerName -DriveLetter $volume.DriveLetter -Verbose
}
}
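The function above leaves the volume in a state it never re-checks in one place: fully encrypted, protection on, and both a TPM protector (type 1) and a numerical password protector (type 3) present. The following verification function is an added example, not part of the original script or the linked repository. Test-BitLockerTpmAndRecoveryProtectors is a hypothetical name chosen here; the namespace, class, methods (GetKeyProtectors, GetKeyProtectorType, GetConversionStatus, GetProtectionStatus) and the numeric type and status codes are the documented Win32_EncryptableVolume WMI interface. It goes beyond the two protector types the script installs and resolves every protector on the volume to its documented name, so unexpected protectors (for example a passphrase or external key) show up in the report.

```powershell
<#
Added example (hypothetical function name), not code from the original post.
Reports the protector set and encryption state of one volume and flags whether
it matches the state Invoke-BitLockerWithTpmAndNumricalKeyProtectors targets.
#>
function Test-BitLockerTpmAndRecoveryProtectors
{
    [CmdletBinding()]
    Param
    (
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidatePattern('^[a-zA-Z]:$')]
        [string]$DriveLetter = $env:SystemDrive
    )

    # KeyProtectorType values as documented for GetKeyProtectorType().
    $protectorNames = @{
        0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
        4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
        7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CNGProtector'
    }
    # ConversionStatus values as documented for GetConversionStatus().
    $conversionNames = @{
        0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
        3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
    }

    $volume = Get-WmiObject -Class Win32_EncryptableVolume `
        -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
        -Filter "DriveLetter = '$DriveLetter'" -ComputerName $ComputerName -ErrorAction Stop
    if ($null -eq $volume)
    {
        throw "No Win32_EncryptableVolume instance for $DriveLetter on $ComputerName."
    }

    # GetKeyProtectors(0) returns every protector ID; resolve each ID to its type name.
    # The Where-Object filter drops the single $null that @() yields when no protectors exist.
    $protectors = @()
    foreach ($id in @($volume.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ }))
    {
        $type = $volume.GetKeyProtectorType($id).KeyProtectorType
        $protectors += [PSCustomObject]@{ Id = $id; Type = $protectorNames[[int]$type] }
    }

    $conversion = $volume.GetConversionStatus()
    $protection = $volume.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown

    $hasTpm      = [bool]($protectors | Where-Object { $_.Type -eq 'TPM' })
    $hasRecovery = [bool]($protectors | Where-Object { $_.Type -eq 'NumericalPassword' })

    [PSCustomObject]@{
        ComputerName     = $ComputerName
        DriveLetter      = $DriveLetter
        ConversionStatus = $conversionNames[[int]$conversion.ConversionStatus]
        PercentEncrypted = $conversion.EncryptionPercentage
        ProtectionOn     = ($protection -eq 1)
        KeyProtectors    = $protectors
        # Target state: fully encrypted, protectors enabled, TPM + numerical password present.
        Compliant        = ($conversion.ConversionStatus -eq 1 -and $protection -eq 1 -and $hasTpm -and $hasRecovery)
    }
}

# Usage: run after the invoking function has finished (or while it is converting)
# to confirm the outcome rather than trusting the return path.
# Test-BitLockerTpmAndRecoveryProtectors -ComputerName "mycomputer.mydomain.org" -DriveLetter C:
</powershell>
```

Compliant stays $false while ConversionStatus is EncryptionInProgress or EncryptionPaused, which is the correct reading: a volume whose protectors are in place but whose encryption was paused (status 4, the case the switch statement above resumes) still has cleartext sectors on disk. Whether the numerical password was actually escrowed in AD DS is not visible through this interface and has to be checked against the computer object's msFVE-RecoveryInformation entries separately.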