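<#PSScriptInfo
.VERSION 1.6
.GUID f5187e3f-ed0a-4ce1-b438-d8f421619ca3
.ORIGINAL AUTHOR Jan Van Meirvenne
.MODIFIED BY Sooraj Rajagopalan, Paul Huijbregts & Pieter Wigleven
.COPYRIGHT
.TAGS Azure Intune Bitlocker
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>
<#
.DESCRIPTION
Check whether BitLocker is enabled on the OS volume of an Azure AD (AAD) joined device.
If the volume is fully decrypted, enable BitLocker with a TPM protector; make sure a
numerical RecoveryPassword protector exists (adding one if missing, even on a volume that
was already encrypting with only a TPM protector); then escrow the recovery password(s) to
the AAD device record, via BackupToAAD-BitLockerKeyProtector when available or by posting
to the device registration service with the AAD device certificate otherwise.

Must be run elevated (the BitLocker cmdlets require admin) on an AAD-joined device.
The recovery password is a secret: it is sent only to AAD over TLS 1.2 and is never
written to verbose, transcript or error output by this script.

.PARAMETER OSDrive
Mount point / drive letter of the operating system volume (default: $env:SystemDrive).
#>
[cmdletbinding()]
param(
    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string] $OSDrive = $env:SystemDrive
)

# Force TLS 1.2 for the fallback REST call to the device registration service.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Returns the RecoveryPassword key protectors currently on the OS volume (always an array,
# possibly empty) so callers can test .Count without worrying about PowerShell unrolling.
function Get-RecoveryPasswordProtectors {
    param([string] $MountPoint)
    return @((Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

try
{
    # -ErrorAction Stop turns the cmdlet's non-terminating error into one the catch below sees;
    # without it a missing/inaccessible volume silently falls through to the escrow logic.
    $volume = Get-BitLockerVolume -MountPoint $OSDrive -ErrorAction Stop

    if ($volume.VolumeStatus -eq "FullyDecrypted") {
        # Start encryption bound to the TPM. -ErrorAction Continue keeps the original behaviour
        # of still attempting the recovery-password step if the TPM step reports an error
        # (e.g. no usable TPM); the error is still surfaced to the caller.
        Enable-BitLocker -MountPoint $OSDrive -TpmProtector -ErrorAction Continue
    }

    # The RecoveryPassword protector is what gets escrowed. Add one whenever it is absent,
    # not only when the volume started out decrypted: a volume already encrypting/encrypted
    # with only a TPM protector would otherwise have nothing to back up, and the original
    # positional lookup (KeyProtector[1]) would have failed on it.
    $recoveryProtectors = Get-RecoveryPasswordProtectors -MountPoint $OSDrive
    if ($recoveryProtectors.Count -eq 0) {
        Enable-BitLocker -MountPoint $OSDrive -RecoveryPasswordProtector -ErrorAction Stop
        $recoveryProtectors = Get-RecoveryPasswordProtectors -MountPoint $OSDrive
    }
    if ($recoveryProtectors.Count -eq 0) {
        throw "No RecoveryPassword key protector is present on $OSDrive; nothing to escrow to AAD."
    }

    # Prefer the built-in cmdlet (newer Windows 10 builds): it signs and posts the escrow
    # request itself, so no secret handling happens in this script.
    $cmdName = "BackupToAAD-BitLockerKeyProtector"
    if (Get-Command $cmdName -ErrorAction SilentlyContinue) {
        # Select protectors by type, never by array position — protector order depends on
        # the order they were added and on what was already on the volume.
        foreach ($protector in $recoveryProtectors) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $OSDrive -KeyProtectorId $protector.KeyProtectorId
        }
    } else {
        # Fallback: post the recovery info to the device registration service directly,
        # authenticating with the AAD device certificate (issued by MS-Organization-Access).
        $certs = @(Get-ChildItem Cert:\LocalMachine\My\ |
            Where-Object { $_.Issuer -match "CN=MS-Organization-Access" })
        if ($certs.Count -eq 0) {
            throw "No AAD device certificate (issuer CN=MS-Organization-Access) found in Cert:\LocalMachine\My; is this device AAD joined?"
        }
        # More than one can be present after a re-registration; use the newest so that
        # $cert.Subject is a single string and the request is signed with the current identity.
        $cert = $certs | Sort-Object NotBefore -Descending | Select-Object -First 1

        # The certificate subject CN is the AAD device ID; the JoinInfo key named after it
        # carries the joining user's UPN, whose domain part is the tenant name for the URL.
        $id = $cert.Subject.Replace("CN=", "")
        $joinInfo = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\$($id)" -ErrorAction Stop
        $tenant = $joinInfo.UserEmail.Split('@')[1]
        $url = "https://enterpriseregistration.windows.net/manage/$tenant/device/$($id)?api-version=1.0"

        foreach ($protector in $recoveryProtectors) {
            # Log only the protector ID. The original wrote the recovery password itself to the
            # verbose stream, which lands in transcripts / Intune logs and defeats the escrow.
            Write-Verbose "Escrowing key protector $($protector.KeyProtectorId) for device $id to tenant $tenant"

            # Build the body with the JSON serializer instead of string concatenation; the
            # service expects the key, the braces-stripped protector GUID and the volume tag "OSV".
            $body = [ordered]@{
                key = $protector.RecoveryPassword
                kid = $protector.KeyProtectorId.Replace('{', '').Replace('}', '')
                vol = 'OSV'
            } | ConvertTo-Json -Compress

            # Client-certificate auth with the AAD device certificate; -UseDefaultCredentials
            # is retained from the original request shape.
            $req = Invoke-WebRequest -Uri $url -Body $body -UseBasicParsing -Method Post -UseDefaultCredentials -Certificate $cert -ErrorAction Stop
            $req.RawContent
        }
    }
} catch {
    Write-Error "Error while setting up AAD Bitlocker, make sure that you are AAD joined and are running the cmdlet as an admin: $_"
}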