You need to
- adapt the DC (Domain-Controller) IP-address
- create the hidden share on the DC (%dc%\bitlocker_keys$)
- create a GPO with the needed defaults and name it Bitlocker_01_defaults
@echo off
setlocal ENABLEDELAYEDEXPANSION
@echo Start: %date% %time% %computername%
echo %computername%
set dc=192.168.0.1
manage-bde -status %systemdrive% -p
If errorlevel 0 goto error0
If errorlevel -1 goto error-1
Goto end
:error0
echo %systemdrive% is encrypted
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- %systemdrive% is encrypted"
ping %dc% -n 1 -w 1000 -4 | find /i "TTL" >nul 2>&1
set ping_ad=%errorlevel%
if %ping_ad% == 0 (
echo DC is reachable
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- %dc% is reachable"
mkdir \\%dc%\bitlocker_keys$\status
echo %computername% > \%dc%\bitlocker_keys$\status\status_%computername%.txt
echo Start: %date% %time% >> \%dc%\bitlocker_keys$\status\status_%computername%.txt
manage-bde -status %systemdrive% >> \%dc%\bitlocker_keys$\status\status_%computername%.txt
echo End: %date% %time% >> \%dc%\bitlocker_keys$\status\status_%computername%.txt
)
if %ping_ad% == 1 (
echo DC is NOT reachable
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- %dc% is NOT reachable"
goto end
)
Goto end
:error-1
echo %systemdrive% is not encrypted
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- %systemdrive% is NOT encrypted"
manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Decrypted"
set conv_stat_full=%errorlevel%
echo conv_stat_full %conv_stat_full%
manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Decryption"
set conv_decrypting=%errorlevel%
echo conv_decrypting %conv_decrypting%
manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Encryption"
set conv_encrypting=%errorlevel%
echo conv_encrypting %conv_encrypting%
ping %dc% -n 1 -w 1000 -4 | find /i "TTL" >nul 2>&1
set ping_ad=%errorlevel%
if %ping_ad%==1 (
echo DC is NOT reachable
goto end
)
gpresult /Scope Computer /R|findstr Bitlocker_01_defaults
set gpupdate_status=%errorlevel%
if %gpupdate_status%==0 (
echo GPO is up to date
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- GPO is existing"
)
if %gpupdate_status%==1 (
echo GPO was not updated
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- GPO is NOT existing. Updating GPOs now."
start /wait /b gpupdate /Target:Computer /force
)
gpresult /Scope Computer /R|findstr Bitlocker_01_defaults
set gpupdate_status=%errorlevel%
if %gpupdate_status%==1 (
echo GPO is NOT up to date
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- GPO is NOT existing. Please move the computer to the correct OU"
goto end
)
if %ping_ad%==0 (
echo DC is reachable
echo %computername% > \%dc%\bitlocker_keys$\status\status_%computername%.txt
echo Start: %date% %time% >> \%dc%\bitlocker_keys$\status\status_%computername%.txt
REM start /wait /b gpupdate /Target:Computer /force
if %conv_stat_full% == 0 (
echo Disk is Decrypted
powershell Enable-BitLocker -MountPoint "C:" -RecoveryPasswordProtector -SkipHardwareTest
manage-bde -protectors -get %systemdrive% > \\%dc%\bitlocker_keys$\Key_%computername%.txt
)
if %conv_decrypting% == 0 (
echo Disk is decrypting
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- disk is DEcrypting"
)
if %conv_encrypting% == 0 (
echo Disk is encrypting
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- disk is ENcrypting"
)
manage-bde -status %systemdrive% >> \\%dc%\bitlocker_keys$\status\status_%computername%.txt
echo End: %date% %time% >> \\%dc%\bitlocker_keys$\status\status_%computername%.txt
)
Goto end
:end
@echo End: %date% %time%
exit