Bitlocker – encrypt systemdrive (english localization)

You need to

  • adapt the DC (Domain-Controller) IP address (the `set dc=` line near the top of the script)
  • create the hidden share on the DC (\\%dc%\bitlocker_keys$) and restrict its share and NTFS permissions: the script writes each machine's BitLocker recovery password into this share in clear text, so only BitLocker administrators should be able to read it, while the account the script runs under needs write access
  • create a GPO with the needed defaults and name it Bitlocker_01_defaults (the script looks for exactly that name in the gpresult output)
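@echo off
setlocal ENABLEDELAYEDEXPANSION
REM BitLocker enrolment/status script for the system drive. English OS only:
REM the findstr patterns further down match the English manage-bde output.
REM Flow: ask manage-bde whether %systemdrive% has key protectors, then jump
REM to :error0 (protectors present) or :error-1 (no protectors). Both labels
REM are defined further down in this file and finish with "goto end".
@echo Start: %date% %time% %computername%
echo %computername%
REM IP address (or name) of the domain controller that hosts the hidden share
REM \\DC\bitlocker_keys$ -- adapt to your environment.
set dc=192.168.0.1

REM -p (-ProtectorsAsErrorLevel) turns the protector state into the exit code:
REM 0 = protectors on, -1 = protectors off (the values the original script
REM relied on; verify them against "manage-bde -status -?" on the target build).
REM "if errorlevel N" is true for EVERY exit code >= N, so the original
REM "if errorlevel 0" also matched positive exit codes, i.e. a failing
REM manage-bde call was reported as "encrypted". Compare for equality instead
REM and log anything unexpected rather than guessing a state.
manage-bde -status %systemdrive% -p
if %errorlevel% EQU 0 goto error0
if %errorlevel% EQU -1 goto error-1

echo manage-bde returned unexpected exit code %errorlevel%
eventcreate /L APPLICATION /T WARNING /SO %~n0%~x0 /ID 404 /D "%~0 -- manage-bde -status %systemdrive% -p returned unexpected exit code %errorlevel%, no action taken"
goto end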

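:error0
REM %systemdrive% already has key protectors: log that locally and, if the
REM DC answers a ping, write a status report to the hidden share.
echo %systemdrive% is encrypted
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- %systemdrive% is encrypted"
REM "find" exits 0 when an echo-reply line containing "TTL" was seen, 1 otherwise.
REM A ping only shows the host is up; it does not prove the share is reachable
REM or writable, so the writes below can still fail (cmd then prints the
REM redirection error on the console).
ping %dc% -n 1 -w 1000 -4 | find /i "TTL" >nul 2>&1
set ping_ad=%errorlevel%
REM UNC paths need the leading double backslash. The original wrote the status
REM file with a single leading backslash, which is a LOCAL path on the current
REM drive, so the report never reached the DC. Build the path once, outside
REM the block, so plain %var% expansion is enough inside it.
set status_dir=\\%dc%\bitlocker_keys$\status
set status_file=%status_dir%\status_%computername%.txt
if %ping_ad% == 0 (
    echo DC is reachable
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- %dc% is reachable"
    if not exist "%status_dir%" mkdir "%status_dir%"
    echo %computername% > "%status_file%"
    echo Start: %date% %time% >> "%status_file%"
    manage-bde -status %systemdrive% >> "%status_file%"
    echo End: %date% %time% >> "%status_file%"
) else (
    echo DC is NOT reachable
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- %dc% is NOT reachable"
)
goto end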

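:error-1
REM %systemdrive% has no key protectors. Work out the conversion state, make
REM sure the BitLocker GPO applies to this computer, then enable BitLocker
REM and escrow the recovery information on the DC share.
echo %systemdrive% is not encrypted
eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- %systemdrive% is NOT encrypted"

REM Exit code of the last findstr: 0 = pattern found, 1 = not found. The
REM patterns are taken from the English "Conversion Status:" line of
REM manage-bde; on a differently localised OS none of them ever matches and
REM all three variables stay at 1, so nothing below is enabled.
manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Decrypted"
set conv_stat_full=%errorlevel%
echo conv_stat_full %conv_stat_full%

manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Decryption"
set conv_decrypting=%errorlevel%
echo conv_decrypting %conv_decrypting%

manage-bde -status %systemdrive% | findstr /L /C:"Conversion"|findstr /L /C:"Encryption"
set conv_encrypting=%errorlevel%
echo conv_encrypting %conv_encrypting%

REM DC reachability: find exits 0 when a "TTL" reply line was seen. ICMP
REM only proves the host is up, not that the share is reachable or writable.
ping %dc% -n 1 -w 1000 -4 | find /i "TTL" >nul 2>&1
set ping_ad=%errorlevel%
if %ping_ad%==1 (
    echo DC is NOT reachable
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- %dc% is NOT reachable"
    goto end
)

REM The GPO Bitlocker_01_defaults must apply before BitLocker is enabled:
REM refresh policy once if gpresult does not list it, then check again and
REM give up if it is still missing (computer is probably in the wrong OU).
gpresult /Scope Computer /R|findstr Bitlocker_01_defaults
set gpupdate_status=%errorlevel%
if %gpupdate_status%==0 (
    echo GPO is up to date
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- GPO is existing"
) else (
    echo GPO was not updated
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- GPO is NOT existing. Updating GPOs now."
    start /wait /b gpupdate /Target:Computer /force
)
gpresult /Scope Computer /R|findstr Bitlocker_01_defaults
set gpupdate_status=%errorlevel%
if not %gpupdate_status%==0 (
    echo GPO is NOT up to date
    eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 404 /D "%~0 -- GPO is NOT existing. Please move the computer to the correct OU"
    goto end
)

REM UNC paths need the leading double backslash. The original wrote the status
REM file with a single leading backslash, a LOCAL path, so it never reached
REM the DC. The status sub-directory was only created in the :error0 branch,
REM so create it here as well before writing into it.
set status_dir=\\%dc%\bitlocker_keys$\status
set status_file=%status_dir%\status_%computername%.txt
set key_file=\\%dc%\bitlocker_keys$\Key_%computername%.txt

REM SECURITY: "manage-bde -protectors -get" prints the 48-digit recovery
REM password, and the Key_ file below stores it in clear text on the share.
REM A hidden "$" share is not an access control: everyone who can read the
REM share can unlock every escrowed machine. Restrict the share and NTFS ACLs
REM so that only BitLocker administrators can read it, and prefer AD DS escrow
REM (GPO "Store BitLocker recovery information in AD DS", or
REM manage-bde -protectors -adbackup) as the authoritative key store.
REM NOTE(review): Enable-BitLocker is called with a recovery-password protector
REM only; whether a TPM protector is added as well depends on the policy in
REM Bitlocker_01_defaults -- confirm this, otherwise the machine will prompt for
REM the recovery password at every boot. -SkipHardwareTest also skips the
REM restart-based dry run that checks the protectors can unlock the drive.
if %ping_ad%==0 (
    echo DC is reachable
    if not exist "%status_dir%" mkdir "%status_dir%"
    echo %computername% > "%status_file%"
    echo Start: %date% %time% >> "%status_file%"

    if %conv_stat_full% == 0 (
        echo Disk is Decrypted
        REM The original hard-coded "C:" here; use the same drive as the rest of the script.
        powershell Enable-BitLocker -MountPoint "%systemdrive%" -RecoveryPasswordProtector -SkipHardwareTest
        manage-bde -protectors -get %systemdrive% > "%key_file%"
        REM A failed redirection or a failed manage-bde call sets errorlevel 1. Without
        REM this file the recovery password exists nowhere but on the machine itself,
        REM so record that as an error rather than silently continuing.
        if errorlevel 1 eventcreate /L APPLICATION /T ERROR /SO %~n0%~x0 /ID 404 /D "%~0 -- could NOT record recovery information in %key_file%"
    )
    if %conv_decrypting% == 0 (
        echo Disk is decrypting
        eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- disk is DEcrypting"
    )
    if %conv_encrypting% == 0 (
        echo Disk is encrypting
        eventcreate /L APPLICATION /T INFORMATION /SO %~n0%~x0 /ID 200 /D "%~0 -- disk is ENcrypting"
    )
    manage-bde -status %systemdrive% >> "%status_file%"
    echo End: %date% %time% >> "%status_file%"
)

goto end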

:end
REM Common exit point: stamp the end time. Note that "exit" without /b also
REM closes an interactive cmd window the script was started from; harmless
REM for a startup script, surprising when run by hand.
echo End: %date% %time%
exit
