Powershell Bitlocker Script

My client wants to implement a pin-less bitlocker strategy. We manage devices via EPO so typically, we simply deploy the microsoft native encryption. Right now, I have set up a group policy that stores the bitlocker recovery key in active directory.

I need to create a script that will state if bitlocker recovery key is prompted for devices on the network, to pull the recovery key from active directory automatically without user interference.

Does such a script exist?

Please assist,

Francois Fannoh

Am I wrong, or does the bitlocker recovery key prompt appear before Windows actually starts? If the answer is yes, you will probably be out of luck, because there is no Windows yet to start a Powershell.

To enable drive unlocking automatically upon bootup you can either:

  • store the required recovery key on an external device like a USB drive. If this is a VM, that external drive can be another (1GB) virtual disk (this can even unlock system/boot disk)
  • store the required recovery key in a TPM chip (standard config)

Absent a TPM chip, users will have to type in the 48-digit recovery key at boot time, which can be obtained from AD if configured to be stored there (default) or from the MBAM self-service web portal if configured.
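As an added example (not code from the original thread): a PowerShell check that enforces the configuration the reply describes, a TPM-only protector on the OS drive plus a recovery password escrowed to AD. It assumes local admin rights on a domain-joined device and that the AD backup group policy mentioned in the question is already applied.

```powershell
#Requires -RunAsAdministrator
# Added example: verify a pin-less (TPM-only) BitLocker setup on the OS drive
# and make sure a recovery password exists and has been backed up to AD.
# Assumes: domain-joined host, AD recovery-key backup GPO already in effect.

$MountPoint = $env:SystemDrive   # normally "C:"

# 1. Pin-less unlock needs a ready TPM; without it users type the 48-digit key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on $env:COMPUTERNAME; TPM-only BitLocker is not possible."
}

# 2. Inspect the OS volume and its current key protectors.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$tpmProtector = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'

# 3. Add a TPM protector (no PIN) if one is missing. Enable-BitLocker starts
#    encryption on a decrypted volume; an already-encrypted one just gets the protector.
if (-not $tpmProtector) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
            -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
}

# 4. Ensure a recovery password protector exists; this is what AD stores.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 5. Escrow every recovery password to Active Directory (throws if AD is unreachable).
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 6. Emit a compact status record for the management console / inventory log.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Drive            = $MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
    RecoveryIds      = ($recovery.KeyProtectorId -join ',')
}
```

Run it as a scheduled or deployment task while Windows is up; it cannot help at the pre-boot recovery prompt itself, which is exactly the limitation the reply points out.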