The task: enable BitLocker encryption on Windows 10 and 11 with the recovery keys stored in AD.
I created a GPO "bitlocker pc". In the GPO I enabled:
Computer Configuration (Enabled) - Policies - Administrative Templates
  Windows Components/BitLocker Drive Encryption
  Windows Components/BitLocker Drive Encryption/Fixed Data Drives
    Choose how BitLocker-protected fixed drives can be recovered: Enabled
    Enforce drive encryption type on fixed data drives
  Windows Components/BitLocker Drive Encryption/Operating System Drives
    Choose how BitLocker-protected operating system drives can be recovered
    Enforce drive encryption type on operating system drives
    Require additional authentication at startup
I used PowerShell to enable BitLocker.
The script that enables it. I took https://gist.github.com/jesseloudon/7f7482916c2c4c993948c2157a537045 as the basis but changed a lot.
```powershell
# Start logging
$computerName = $env:COMPUTERNAME
Start-Transcript -Path "\\shara\log tmp$\temp\transcript_$computerName.txt" -Force

## Function to check if drives (including the system drive) are encrypted | Where-Object -Property MountPoint -notLike "c:*"
#function Check-IfDrivesEncrypted {
#    $drives = Get-BitLockerVolume -ErrorAction SilentlyContinue
#    foreach ($drive in $drives) {
#        if ($drive.VolumeStatus -eq "FullyEncrypted") {
#            return $true
#        }
#    }
#    return $false
#}
#
## Check if drives are encrypted
#if (Check-IfDrivesEncrypted) {
#    Write-Output "One or more drives are already encrypted. The script is terminating."
#    Stop-Transcript
#    exit
#}
#Write-Output "Drives are not encrypted. Continuing script execution."

# Check prerequisites for BitLocker
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm |
    Where-Object { $_.IsEnabled_InitialValue -eq $true } -ErrorAction SilentlyContinue
$TPMReady = Initialize-Tpm -AllowClear -AllowPhysicalPresence |
    Where-Object { $_.TPMReady -eq $true } -ErrorAction SilentlyContinue
# ProductType = 1 means a client OS (Windows 8/8.1/10/11), not a server
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# Fixed data drives (MediaType 3 = HDD, 4 = SSD; USB and SD excluded) that are still fully decrypted
$BitLockerDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    ForEach-Object {
        $driveLetter = "$($_):"
        $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
        if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
            Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
                Where-Object { $_.VolumeStatus -eq "FullyDecrypted" -and $_.MountPoint -ne 'C:' }
            #$driveLetter
        }
    }
Write-Output "$BitLockerDecrypted"

# Check if drives are decrypted
$IsDecrypted = Get-WmiObject -Class MSFT_PhysicalDisk -Namespace root\Microsoft\Windows\Storage |
    Where-Object { $_.MediaType -eq 3 -or $_.MediaType -eq 4 } |
    Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and $_.BusType -ne 'SD' } |
    Get-Partition |
    Where-Object { $_.DriveLetter } |
    Select-Object -ExpandProperty DriveLetter |
    ForEach-Object {
        $driveLetter = "$($_):"
        $volume = Get-Volume -DriveLetter $_ -ErrorAction SilentlyContinue
        if ($volume -and $volume.FileSystemLabel -notlike "Recovery Image*") {
            Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue |
                Where-Object { $_.VolumeStatus -eq "FullyDecrypted" }
            $driveLetter
        }
    }
Write-Output " $IsDecrypted"

Write-Output "# Step 1 - TPM check and initialization"
if ($WindowsVer -and $TPMEnabled.IsEnabled_InitialValue -and $TPMReady -and $IsDecrypted) {
    Initialize-Tpm -AllowClear -AllowPhysicalPresence #-ErrorAction SilentlyContinue
}

Write-Output " # Step 3 - Enabling BitLocker on the system drive"
if ($BitLockerReadyDriveSystem -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "FullyDecrypted")) {
    # -MountPoint expects the drive letter string, not the BitLockerVolume object
    Add-BitLockerKeyProtector -MountPoint $BitLockerReadyDriveSystem.MountPoint -TpmProtector
    Enable-BitLocker -MountPoint $BitLockerReadyDriveSystem.MountPoint -RecoveryPasswordProtector #-ErrorAction SilentlyContinue -SkipHardwareTest
}

Write-Output " # Step 3.5 - proverka"
while ($true) {
    # Get the BitLocker status of the system drive
    $bitLockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    # Check whether the status is "FullyEncrypted"
    if ($bitLockerStatus.VolumeStatus -eq "FullyEncrypted") {
        Write-Host "Disk polnostyu zashifrovan. Prodolzhenie vypolneniya skripta..."
        break # leave the loop once the status is "FullyEncrypted"
    } else {
        Write-Host "Disk ne polnostyu zashifrovan. Povtornaya proverka cherez 100 sekund..."
        Start-Sleep -Seconds 100 # wait 100 seconds before the next check
    }
}
# The rest of the script runs only after the check above succeeds
Write-Host "Prodolzhenie vypolneniya skripta..."
Start-Sleep -Seconds 5

Write-Output " Step 4 - Enabling BitLocker on other drives"
#$BitLockerReadyDriveSystem = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($BitLockerDecrypted -and ($BitLockerReadyDriveSystem.VolumeStatus -eq "EncryptionInProgress" -or $BitLockerReadyDriveSystem.VolumeStatus -eq "FullyEncrypted")) {
    foreach ($lw in $BitLockerDecrypted.MountPoint) {
        Write-Output "Step 4 $lw"
        Enable-BitLocker -MountPoint $lw -RecoveryPasswordProtector # -ErrorAction SilentlyContinue
        # Auto-unlock of data drives requires the OS drive to be encrypted (checked above)
        Enable-BitLockerAutoUnlock -MountPoint $lw
    }
}

Write-Output " Step 5 - Backing up recovery keys to AD"
$BLVS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLVS) {
    ForEach ($BLV in $BLVS) {
        $Key = $BLV | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($obj in $Key) {
            Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $obj.KeyProtectorId
            Write-Output "$($BLV.MountPoint)"
            Write-Output "$Key"
        }
    }
}

Write-Output " Step 6 - Backing up recovery keys to the server"
$BLKS = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } -ErrorAction SilentlyContinue
if ($BLKS) {
    ForEach ($BLK in $BLKS) {
        $txtKey = $BLK | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        ForEach ($txtobj in $txtKey) {
            $fileName = "\\SCCM01\log tmp$\BitLocker_Recovery_${computerName}_Key_$($txtobj.KeyProtectorId.replace('{','').replace('}','')).txt"
            if (-Not (Test-Path $fileName)) {
                # This file contains the recovery password in cleartext; the share ACL must be restricted accordingly
                (Get-BitLockerVolume -MountPoint $BLK.MountPoint) | Select-Object -Property MountPoint -ExpandProperty KeyProtector | Format-List > $fileName
            } else {
                Write-Output "File already exists: $fileName. Skipping write."
            }
        }
    }
}

# End logging
Stop-Transcript
```
The script writes its logs to \\shara\log tmp$\temp\
I set it up as a scheduled task via GPO.
Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ExecutionPolicy Bypass -File "\\tcell.tj\Startup\bitlock.ps1"
Logs
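An added example, not part of the post or of the gist it is based on: an alternative to Steps 5 and 6 above that backs each RecoveryPassword protector up to AD, then verifies that a matching msFVE-RecoveryInformation object exists under the computer account, and writes only a status record (computer, drive, protector ID, result), never the recovery password itself, to the share. It assumes a domain-joined machine whose account can read the names of its own msFVE-RecoveryInformation objects, the GPO recovery settings from the post, and reuses the post's share path as a placeholder for $StatusShare.

```powershell
# Added example: escrow BitLocker recovery passwords to AD and verify the escrow.
# Assumptions: domain-joined host, GPO permits AD backup of recovery information,
# the running account can read 'name' of the computer's msFVE-RecoveryInformation
# objects, and $StatusShare (share path from the post) is an ACL-restricted share.
$StatusShare = '\\SCCM01\log tmp$'

function Get-AdRecoveryGuids {
    # GUIDs of msFVE-RecoveryInformation objects stored under this computer's AD object
    $sam = $env:COMPUTERNAME + '$'
    $computer = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$sam))").FindOne()
    if (-not $computer) { throw "Computer account $sam not found in AD" }
    $base = [ADSI]"LDAP://$($computer.Properties['distinguishedname'][0])"
    $keySearcher = New-Object DirectoryServices.DirectorySearcher($base, '(objectClass=msFVE-RecoveryInformation)')
    $keySearcher.SearchScope = 'OneLevel'
    foreach ($r in $keySearcher.FindAll()) {
        # Object names look like "<timestamp>{<GUID>}"; keep only the GUID
        $name = [string]$r.Properties['name'][0]
        if ($name -match '\{([0-9A-Fa-f-]+)\}') { $Matches[1].ToUpper() }
    }
}

function Backup-RecoveryKeysToAd {
    $results = @()
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($p in $protectors) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch { $status = "Failed: $($_.Exception.Message)" }
            $results += [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                MountPoint  = $vol.MountPoint
                ProtectorId = $p.KeyProtectorId.Trim('{}').ToUpper()   # not secret, unlike the password
                Status      = $status
            }
        }
    }
    # Verify: every protector must have a matching object in AD, otherwise the escrow is not usable
    $inAd = @(Get-AdRecoveryGuids)
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName InAd -NotePropertyValue ($inAd -contains $r.ProtectorId)
    }
    return $results
}

$report = Backup-RecoveryKeysToAd
$report | Export-Csv -Path (Join-Path $StatusShare "BitLocker_Status_$($env:COMPUTERNAME).csv") -NoTypeInformation
if ($report | Where-Object { -not $_.InAd }) { exit 1 }   # non-zero exit makes the scheduled task show failure
```

The CSV on the share can be reviewed centrally to find machines whose keys are missing from AD, while the passwords stay only in AD where the GPO intended them.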