Enables BitLocker on all local fixed volumes after verifying that the endpoint meets the BitLocker prerequisites and has successfully recorded a recovery password in Active Directory. This script is executed on the endpoint either manually or with an endpoint management tool like Intune or Tanium.
For guidance on understanding, configuring, and managing BitLocker in an Active Directory environment, please see GUIDE.md.
This script requires the BitLocker and TrustedPlatformModule PowerShell modules, which should be present on all recent Windows Education, Enterprise, and Pro editions.
To use this script with an Endpoint Management (software deployment) tool, download the latest release and deploy according to the requirements of your chosen endpoint management tool. Alternatively, you could issue a command to your endpoints to install the script (as detailed in Installation, below) and then reference the script installation location in your endpoint management tool deployment command.
This script is published to PowerShell Gallery. Ensure your system is configured for this repository then execute the following in an Administrator PowerShell:
```powershell
Install-Script ozo-ad-windows-enable-bitlocker
```

```
ozo-ad-windows-enable-bitlocker
    -GPOName <String>
    [-Restart]
    [-SkipSecureBootCheck]
```
| Parameter | Description |
|---|---|
| GPOName | The name of the group policy object (GPO) containing the BitLocker settings. The script proceeds only if this GPO is applied. |
| Restart | Restarts the computer after enabling BitLocker to perform the hardware test and begin encrypting. |
| SkipSecureBootCheck | By default, the script proceeds only if Secure Boot is enabled; however, Secure Boot is not a strict requirement for enabling BitLocker. Specifying this parameter allows the script to continue even if Secure Boot is off. |
```powershell
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -File ozo-ad-windows-enable-bitlocker.ps1 -GPOName "OZO BitLocker Settings Policy" -SkipSecureBootCheck
```

```powershell
ozo-ad-windows-enable-bitlocker -GPOName "All Workstations Settings" -Restart
```
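As an added illustration (not the ozo-ad-windows-enable-bitlocker script's own code), the following PowerShell shows the gating order described above: prerequisite checks, a check that the named GPO is applied, escrow of the recovery password to AD DS, and only then enabling BitLocker, so that no volume is ever encrypted without an escrowed recovery key. The registry path used for the GPO check, the `$MountPoint` default and the XTS-AES-256 choice are assumptions.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker, TrustedPlatformModule
# Added example only; assumed parameters mirror the README's -GPOName / -SkipSecureBootCheck.
param(
    [Parameter(Mandatory)][string]$GPOName,
    [string]$MountPoint = $env:SystemDrive,
    [switch]$SkipSecureBootCheck
)

function Test-BitLockerPrereqs {
    # The TPM must be present and ready; Secure Boot is required unless the caller opts out.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM is not present or not ready" }
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which we treat as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    if (-not $SkipSecureBootCheck -and -not $secureBoot) { throw "Secure Boot is off" }
}

function Test-GpoApplied {
    param([string]$Name)
    # Group Policy history holds the display names of GPOs applied to this computer (assumed location).
    $history = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $applied = Get-ChildItem $history -Recurse -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name }
    return ($null -ne $applied)
}

function Assert-RecoveryPasswordEscrowed {
    param([string]$Volume)
    # Ensure a recovery password protector exists, then back it up to AD DS. The backup
    # only succeeds when policy permits escrow and a domain controller is reachable, so a
    # failure here stops the run before any data is encrypted.
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp[0].KeyProtectorId -ErrorAction Stop | Out-Null
}

Test-BitLockerPrereqs
if (-not (Test-GpoApplied -Name $GPOName)) { throw "GPO '$GPOName' is not applied; refusing to continue" }
Assert-RecoveryPasswordEscrowed -Volume $MountPoint
# Only now enable BitLocker with the TPM protector; the hardware test runs on the next restart.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -ErrorAction Stop
```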
Messages are written to the Windows Event Log under the One Zero One provider. When this provider is not available, messages are written to the Microsoft-Windows-PowerShell provider with Event ID 4100.
Special thanks to my employer, Sonic Healthcare USA, who supports the growth of my PowerShell skillset and enables me to contribute portions of my work product to the PowerShell community.