Description
If TPM is enabled on a system and you want to encrypt the system drive, this script works great!
Source Code
@echo off
setlocal
REM Encrypt the OS drive with BitLocker using the TPM, add a recovery password
REM and back it up to Active Directory. Must run elevated (for example as a
REM computer startup script), since manage-bde and bcdedit require admin rights.
REM Manage-bde.exe -protectors -disable c:

REM Read the current encryption method; "None" means the drive is not yet encrypted.
REM findstr /C: matches the whole phrase instead of treating each word as a separate search string.
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr /C:"Encryption Method:"') do (
  echo Encryption method: %%A
  if "%%A"=="None" goto :activate
)
REM Drive is already encrypted (or encrypting): nothing to do.
goto :end

:activate
echo in activate
REM Check whether the TPM is enabled; initialize it if it is not.
REM (wmic is deprecated on current Windows builds; Get-Tpm is the PowerShell equivalent.)
for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
  if "%%A"=="TRUE" goto :bitlock
)
powershell -NoProfile -Command Initialize-Tpm

:bitlock
manage-bde -protectors -disable %systemdrive%
REM Stop Windows from dropping into the recovery environment on boot failures
REM (this is WinRE, not BitLocker recovery).
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
REM Replace any existing recovery password with a fresh one and back it up to AD DS
REM before encryption starts, so the escrowed password is the one actually in use.
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
manage-bde -protectors -add %systemdrive% -RecoveryPassword
for /F "tokens=2 delims=: " %%A in ('manage-bde -protectors -get %systemdrive% -type recoverypassword ^| findstr /C:"ID:"') do (
  echo %%A
  manage-bde -protectors -adbackup %systemdrive% -id %%A
)
manage-bde -protectors -enable %systemdrive%
manage-bde -on %systemdrive% -SkipHardwareTest
rem \\lib-fs\lib-gpo\bitlockerid.bat
rem manage-bde -status %systemdrive%

:end
endlocal
I’ve been looking for this for 3 days
Thanks!
Hey. This is too easy. Huge thanks for writing this up.
Hi, I recently used this on my site and applied it via group policy to some test users. The script ran, but it only encrypted the hard drives; it didn’t upload the keys to Azure. Any idea why?
Hey Spicehead-d162, if I am reading manage-bde protectors | Microsoft Learn correctly, adding manage-bde -protectors -aadbackup %systemdrive% -id %%A would save the keys to Azure. I haven’t tested it yet…
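The same workflow as the batch script above, written in PowerShell as an added example (this is not the original poster's script or any reply's code). It uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 10/11 and Server 2016+, and it also covers the Azure AD question from the thread: the -Escrow switch chooses between Backup-BitLockerKeyProtector (AD DS, the counterpart of manage-bde -adbackup) and BackupToAAD-BitLockerKeyProtector (Azure AD, the counterpart of manage-bde -aadbackup). The parameter names, the XtsAes256 encryption method and the decision to keep rather than delete existing recovery passwords are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original poster's script. Assumed parameters:
#   -MountPoint  volume to protect (defaults to the OS drive)
#   -Escrow      where to back up the recovery password: AD, AAD or None
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [ValidateSet('AD', 'AAD', 'None')]
    [string]$Escrow = 'AD'
)
$ErrorActionPreference = 'Stop'

# 1. TPM must be present and ready; this replaces the wmic + Initialize-Tpm step.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM found; a TPM protector cannot be created." }
if (-not $tpm.TpmReady) {
    Write-Verbose "TPM not ready; attempting Initialize-Tpm"
    Initialize-Tpm | Out-Null
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) { throw "TPM is still not ready; enable it in firmware and retry." }
}

# 2. Recovery password protector: add one only if the volume has none, so a
#    password that was already escrowed is not silently replaced (unlike the
#    batch script, which deletes and recreates it).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow every recovery password BEFORE encryption starts, so a failure here
#    stops the script while the disk is still readable.
foreach ($p in $rp) {
    switch ($Escrow) {
        'AD'   { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        'AAD'  { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        'None' { Write-Warning "Recovery password $($p.KeyProtectorId) was not escrowed anywhere." }
    }
}

# 4. Turn BitLocker on with a TPM protector if the drive is still in the clear.
#    -SkipHardwareTest mirrors manage-bde -on -SkipHardwareTest (no test reboot).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    } else {
        # A TPM protector already exists, so Enable-BitLocker -TpmProtector would
        # conflict; start encryption with the protectors already on the volume.
        manage-bde -on $MountPoint -SkipHardwareTest | Out-Null
    }
} else {
    Write-Verbose "$MountPoint is already $($vol.VolumeStatus); encryption state left alone."
}

# 5. Report the result; ProtectionStatus is On once the TPM protector is active.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

Run it as a computer startup script or a scheduled task running as SYSTEM: a per-user logon script runs without administrative rights, and every BitLocker cmdlet (and manage-bde) will fail in that context. Backup-BitLockerKeyProtector needs a domain-joined machine whose AD allows BitLocker recovery information to be stored; BackupToAAD-BitLockerKeyProtector needs an Azure AD joined or hybrid joined device. Check Get-BitLockerVolume afterwards rather than trusting the script's exit code, since a failed escrow is the one error you do not want to discover after the drive is encrypted.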