Setting up BitLocker on Multiple Partitions

This script sets up BitLocker on the C: (system) and D: (data) drives in two passes with one reboot in between. The first pass disables UAC, configures automatic logon as the administrator, turns on the TPM and reboots (the manage-bde -tpm -t step is what Windows 7 needs; Windows 8 and later provision the TPM automatically). The second pass, started through a RunOnce entry, encrypts both drives, writes the recovery passwords and recovery key files to E:\boot\bitlocker, enables auto-unlock for D:, and then restores the UAC and logon settings it changed.

I am using the E: drive as my recovery partition and as a temporary holding place for the keys. Everything the script writes to E:\boot\bitlocker (the .bek recovery key files and the c-drive.txt / d-drive.txt files holding the recovery passwords) is plaintext on an unencrypted partition of the same disk, so the keys should be deleted, moved, or encrypted as soon as the encryption process is complete; until then the encryption protects nothing. You really want to separate the keys from the drive, both in case the computer falls into the wrong hands and because an emergency recovery after a hard drive failure needs a copy of the keys that did not live on that drive. Two further things to be aware of while the script runs: the administrator password sits in the script and, between the two passes, in the Winlogon DefaultPassword registry value in plaintext (the script blanks that value at the end, but consider changing the password once the rollout is done), and the machine boots straight to an administrator desktop with UAC disabled between the two passes, so anyone with physical access during that window has full control.

Note: the intent is to compile this script into an executable after testing. Wrapping a .cmd file in a bat-to-exe style executable does not protect the password, though; the wrapper unpacks and runs the original script, so anyone with the file can recover it.

Script

rem this file should be named bitlocker.cmd and stored in c:\bittemp
rem launch file to begin enabling bitlocker
rem run it once from an elevated command prompt; it reboots and re-runs itself via RunOnce

@echo off
color 0a
title Hard Drive Setup - Enable BitLocker
rem token.txt marks that the first pass (TPM turned on, reboot) has already run
if exist c:\bittemp\token.txt goto :ENABLE

REM THIS COULD EVENTUALLY BE ENCRYPTED
REM until the script finishes, this password also sits in the Winlogon
REM DefaultPassword registry value in plaintext
set UName=administrator
set PWord=YourPasswordHere
set FName=bitlocker.cmd

rem holding place for the recovery key (.bek) files and recovery passwords
md E:\boot\bitlocker

:TPM
cls
echo Disabling UAC...
REM DISABLES UAC (so the RunOnce pass is not blocked by an elevation prompt)
%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

rem Enable Autologin
cls
echo Disabling UAC...done
echo Enabling Autologin...
echo.
REM run this script again at the next logon (RunOnce removes the entry after it has run)
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v bitlocker /t REG_SZ /d C:\bittemp\%FName% /f

REM ENABLE AUTOLOGIN
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /t REG_SZ /f
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /d "%UName%" /t REG_SZ /f
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d "%PWord%" /t REG_SZ /f
REM a logon banner would stop the automatic logon, so remove it
%SystemRoot%\System32\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeCaption /f
%SystemRoot%\System32\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeText /f
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...
echo.
rem turn on the TPM; takes effect after the reboot (the firmware may ask for confirmation)
manage-bde -tpm -t
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul
echo done>c:\bittemp\token.txt
cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo.
echo Restarting Computer...
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul
shutdown -r -f -t 3
goto :eof

:ENABLE
cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo Enabling BitLocker for C: System drive...
echo.
rem give the TPM and the BitLocker service a minute to settle after the reboot
%SystemRoot%\System32\ping.exe -n 60 127.0.0.1 >nul
rem Enable BitLocker on the system drive: a recovery password plus a recovery key file saved to E:
manage-bde -protectors -add c: -rp -rk E:\boot\bitlocker
manage-bde -on c: -s
manage-bde -protectors -get c: -type recoverypassword >e:\boot\bitlocker\c-drive.txt
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo Enabling BitLocker for C: System drive...done
echo Enabling BitLocker for D: Data drive...
echo.
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul
rem Enable BitLocker on the data drive, same protectors as for C:
manage-bde -protectors -add d: -rp -rk E:\boot\bitlocker
manage-bde -on d: -s
manage-bde -protectors -get d: -type recoverypassword >e:\boot\bitlocker\d-drive.txt
rem try copying to a USB drive, if one is mounted as G:
if exist g:\ (
    manage-bde -protectors -get d: -type recoverypassword >g:\d-drive.txt
)
rem set to autounlock on this computer (D: unlocks with the key stored on the encrypted C:)
manage-bde -autounlock -enable d:
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

REM DISABLE AUTOLOGIN
cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo Enabling BitLocker for C: System drive...done
echo Enabling BitLocker for D: Data drive...done
echo Disabling Autologin...
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 0 /t REG_SZ /f
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /d "" /t REG_SZ /f
%SystemRoot%\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d "" /t REG_SZ /f
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

REM ENABLES UAC
cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo Enabling BitLocker for C: System drive...done
echo Enabling BitLocker for D: Data drive...done
echo Disabling Autologin...done
echo Enabling UAC...
%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul

cls
echo Disabling UAC...done
echo Enabling Autologin...done
echo Enabling TPM...done
echo Enabling BitLocker for C: System drive...done
echo Enabling BitLocker for D: Data drive...done
echo Disabling Autologin...done
echo Enabling UAC...done
echo.
echo Bitlocker was successfully enabled!
echo.
echo Restarting Computer...
%SystemRoot%\System32\ping.exe -n 4 127.0.0.1 >nul
start "" shutdown -r -f -t 4
rem clean up the token, this script and its folder. Everything inside the
rem parentheses is parsed before it runs, so cmd never has to read this file
rem again after it has been deleted. Leave the folder first so rd can remove it.
cd /d c:\
(
    del /q c:\bittemp\token.txt
    del /q c:\bittemp\%FName%
    rd /q c:\bittemp
    exit /b 0
)
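The script above does not check its own result, and the advice earlier on the page (move the keys off E: once encryption is done, make sure autologon and UAC are back to normal) is left to the reader. The following is an added post-run check, not part of the original script or the author's code. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module supplies Get-BitLockerVolume, an elevated session, and the same paths the script uses (keys in E:\boot\bitlocker); the -MoveKeysTo destination is an assumed path for removable media and is only used if you pass it.

```powershell
#Requires -RunAsAdministrator
# Post-run check for bitlocker.cmd (added example, not the original script).
# Assumes Windows 8 / Server 2012 or later (BitLocker module with
# Get-BitLockerVolume) and the same paths the script uses.

function Test-BitLockerRollout {
    param(
        [string[]] $Drives     = @('C:', 'D:'),
        [string]   $KeyDir     = 'E:\boot\bitlocker',
        # Optional destination for the key files, e.g. a removable drive (assumed path).
        [string]   $MoveKeysTo = ''
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # 1. Every drive is protected and carries a recovery password and a
    #    recovery key (ExternalKey) protector; the OS drive also needs a TPM protector.
    foreach ($d in $Drives) {
        $vol = Get-BitLockerVolume -MountPoint $d -ErrorAction SilentlyContinue
        if (-not $vol) { $problems.Add("${d} no BitLocker information available"); continue }
        if ($vol.ProtectionStatus -ne 'On') {
            $problems.Add("${d} protection is $($vol.ProtectionStatus), volume status $($vol.VolumeStatus)")
        }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        foreach ($needed in 'RecoveryPassword', 'ExternalKey') {
            if ($types -notcontains $needed) { $problems.Add("${d} missing $needed protector") }
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'Tpm') {
            $problems.Add("${d} OS volume has no TPM protector")
        }
    }

    # 2. The temporary changes (autologon, UAC off, RunOnce entry) have been reverted.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $runonce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $wl  = Get-ItemProperty -Path $winlogon
    $pol = Get-ItemProperty -Path $policy
    $ro  = Get-ItemProperty -Path $runonce -ErrorAction SilentlyContinue
    if ($wl.AutoAdminLogon -eq '1') { $problems.Add('Winlogon AutoAdminLogon is still 1') }
    if ($wl.DefaultPassword)        { $problems.Add('Winlogon DefaultPassword still holds a value') }
    if ($pol.EnableLUA -eq 0)       { $problems.Add('UAC (EnableLUA) is still disabled') }
    if ($ro -and $ro.PSObject.Properties['bitlocker']) {
        $problems.Add('RunOnce\bitlocker entry is still present')
    }

    # 3. Key material must not stay on the unencrypted E: partition: either move it
    #    to the given destination or report it.
    $keyFiles = @(Get-ChildItem -Path $KeyDir -File -Recurse -Include '*.bek', '*.txt' -ErrorAction SilentlyContinue)
    if ($keyFiles.Count -gt 0) {
        if ($MoveKeysTo) {
            New-Item -ItemType Directory -Path $MoveKeysTo -Force | Out-Null
            foreach ($f in $keyFiles) { Move-Item -Path $f.FullName -Destination $MoveKeysTo -Force }
        } else {
            $problems.Add("$($keyFiles.Count) key file(s) still in ${KeyDir}: $($keyFiles.Name -join ', ')")
        }
    }

    [pscustomobject]@{
        Ok            = ($problems.Count -eq 0)
        Problems      = $problems.ToArray()
        KeyFilesFound = @($keyFiles | ForEach-Object { $_.FullName })
    }
}

# Example run: report only (no move), then print the findings.
$result = Test-BitLockerRollout
$result.Problems | ForEach-Object { Write-Warning $_ }
if ($result.Ok) { Write-Host 'BitLocker rollout looks complete and cleaned up.' }
```

Run it with `-MoveKeysTo 'G:\bitlocker-keys'` to move the key files to a removable drive in the same step. Moving across volumes copies and then deletes, so the bytes of the key files remain recoverable in the free space of E: until overwritten; `cipher /w:E:\` overwrites the free space of that volume afterwards. The check for a Tpm protector on the OS volume is what tells you the -on step actually bound C: to the TPM rather than leaving it recoverable only by password.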
