Enable BitLocker remotely using PowerShell

Not my best script I’ll say that before we begin but it gets the job done. It is a simple script that is still a bit rough that allows you to enable BitLocker on a machine from the comfort of your own computer using PowerShell Remoting.

We used the script to test out a possible BitLocker development and maybe it can be of use to anyone reading this as well. It exports the key that BitLocker generates to unlock the laptop back to the computer that is running the script. As well as in the scripting window the output will show you to save this key on a save location.

<#
.SYNOPSIS
This script is used to enable an IMDS computer that has a TPM chip to enable BitLocker remotely and save the Recovery Key on a specified destination just in case

.DESCRIPTION
This script is used to enable an computer that has a TPM chip to enable BitLocker remotely and save the Recovery Key on a specified destination just in case.
It uses standard commands that can be found in PowerShell that are used to manage BitLocker. This first adds the Recovery Password Protector and then enables BitLocker
with TPM. It will export all key information from the remote computer back to the local machine on a specified destination path. It will remove the key on the remote computer
if the copy is done for security reasons. 

When first being enabled BitLocker requires you to restart the computer for a Hardware compatibility check and then starts the encryption process. A -Restart switch is 
implemented to do so if you like. 

TPM needs to be enabled in the BIOS / UEFI and a Group Policy needs to be set. 
Computer Configuration -> Windows Components -> BitLocker Drive Encryption -> Require addition authentication at startup -> Enabled

.EXAMPLE
.\Enable-BitLockerRemote.ps1 -ComputerName EXAMPLE -Credential Administrator -RecoveryDestination C:\Users\example\Desktop\ExportedKeys -Restart

.EXAMPLE
.\Enable-BitLockerRemote.ps1 -ComputerName EXAMPLE -Credential Administrator -RecoveryDestination C:\Users\example\Desktop\ExportedKeys

.LINK
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/bitlocker/?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector?view=win10-ps
https://community.spiceworks.com/topic/2016671-powershell-redirection-and-bitlocker
#>

[CmdletBinding()]
param
(
    [Parameter(Position=0,mandatory=$true)][string]$ComputerName,
    [Parameter(Position=1,mandatory=$true)][string]$RecoveryDestination,
    [switch]$Restart,
    [switch]$Popup,
    [Parameter(Position=2,mandatory=$true)][System.Management.Automation.PSCredential]$Credential
)

Write-Verbose "Attempting to create a session to $ComputerName"
$Session = New-PSSession $ComputerName -Credential $Credential

if (-Not ($Session))
{
    Write-Error "No session is made with the specified computer, please try again"
    Exit
}

Write-Verbose "Testing and/or creating the defined recovery destination"
if (-Not (Test-Path $RecoveryDestination))
{
    New-Item -Path $RecoveryDestination -ItemType Directory | Out-Null
}

if (-Not (Test-Path $RecoveryDestination))
{
    Write-Error "The RecoveryDestination does not exist, please try again"
    Exit
}

Write-Verbose "Enabling BitLocker with RecoveryPasswordProtector and TPM on $ComputerName"
Invoke-Command -Session $Session -ScriptBlock {
    [CmdletBinding()]Param($VerbosePreference)

    Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint C: -TpmProtector

    (Get-BitLockerVolume -MountPoint C:).KeyProtector | Out-File "C:\ExportedKey.txt"
}

Write-Verbose "Copying RecoveryPassword of $ComputerName to your computer location $RecoveryDestination"
if (Test-Path ($RecoveryDestination + "$ComputerName.txt"))
{
    Remove-Item ($RecoveryDestination + "$ComputerName.txt")
}

Copy-Item "C:\ExportedKey.txt" -Destination ($RecoveryDestination + "$ComputerName.txt") -FromSession $Session -Force
Start-Sleep -Seconds 3

Write-Verbose "Removing the exported key on the $ComputerName for security"
if (Test-Path ($RecoveryDestination + "$ComputerName.txt"))
{
    Invoke-Command -Session $Session -ScriptBlock {
        [CmdletBinding()]Param($VerbosePreference)
    
       Remove-Item "C:\ExportedKey.txt" -Force
    }
}
else
{
    Write-Warning "The key on the remote system is not removed because it was unable to copy the key over to the destination. The key can be found on the remote system on C:\ExportedKey.txt"
}

if($Restart)
{
    Write-Verbose "Sending restart command to the $ComputerName"
    Invoke-Command -Session $Session -ScriptBlock {
        [CmdletBinding()]Param($VerbosePreference)
    
       Restart-Computer -Force
    }
}

if($Popup)
{
    Write-Verbose "Sending popup to the $ComputerName"
    Invoke-Command -Session $Session -ScriptBlock {
        [CmdletBinding()]Param($VerbosePreference)
    
       msg.exe * "Bitlocker has been enabled by the system administrator. Please restart the computer to start the Bitlocker processes. This message is part of a automated PowerShell script from the IT Department."
    }
}

Write-Verbose "Removing used PowerShell session"
Remove-PSSession $Session

Write-Verbose "Script has been completed"

Leave a Comment