REM Enable Bitlocker encryption with a user-supplied password REM and optionally reboot the computer immediately REM Author: emptythevoid REM Target: Windows 10, 11 REM MORE RESEARCH REQUIRED REM ==INFO======================================================================================== REM If the drive is already encrypted with a protector (lke TPM) REM it will delete all protectors and substitute our own new password REM without needing to re-encrypt. REM If the drive doesn't have bitlocker enabled, it will do so with the new password REM and take effect on next reboot (which you can optionally enable at the end) REM Note #1: This will likely fail if the drive is currently in the process of encryption. REM Note #2 If the target computer is a tablet (aka "slab"), Windows will disallow REM preboot authentication options that might require a keyboard. To override this, REM you have to set a local group policy. This might be possible to do by editing the REM registry directly, but since Windows specifically complains about Group Policy, REM I've encoded a Registry.pol below that you can optionally deploy. REM It will create a file in C:\Windows\System32\GroupPolicy\Machine REM which should take effect immediately. REM This Registry.pol enables these two policy values: REM Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\ Enable use of Bitlocker authentication requiring preboot keyboard input on slates REM Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Open the key Require additional authentication at startup REM ==Launch command prompt as Admin using GUI + X =============================================== REM ==NOTE that this brings up a Powershell window, not cmd.exe=================================== REM ==This method may be more reliable since GUI r can sometimes lose focus on open=============== GUI x DELAY 200 STRING A DELAY 1000 ALT y DELAY 3000 REM ==Optional - local group policy to allow password protection on tablets======================== REM ==Simply copying the registry.pol file is not sufficient. REM STRING $folderpath = [Environment]::GetFolderPath("C:\Windows\System32\GroupPolicy\Machine"); REM STRING $filename = $folderpath+"\Registry.pol"; STRING mkdir C:\windows\system32\grouppolicy\machine DELAY 100 ENTER DELAY 100 STRING $filename = "C:\Windows\System32\GroupPolicy\Machine\Registry.pol"; STRING $b64="UFJlZwEAAABbAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwA STRING RgBWAEUAAAA7AE8AUwBFAG4AYQBiAGwAZQBQAHIAZQBiAG8AbwB0AEkAbgBwAHUAdABQAHIAbwB0AGUAYwB0AG8AcgBzAE8AbgB STRING TAGwAYQB0AGUAcwAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAY STRING wByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBBAGQAdgBhAG4AYwBlAGQAUwB0AGEAcgB0AHUAcAAAADsABAAAADsABAAAADsAAQAAA STRING F0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBFAG4AYQBiAGwAZQ STRING BCAEQARQBXAGkAdABoAE4AbwBUAFAATQAAADsABAAAADsABAAAADsAAQAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAG STRING kAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8 STRING AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0 STRING AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEYAVgBFAAAAOwBVAHMAZQBUAFAATQBLAGU STRING AeQAAADsABAAAADsABAAAADsAAgAAAF0AWwBTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEY STRING AVgBFAAAAOwBVAHMAZQBUAFAATQBLAGUAeQBQAEkATgAAADsABAAAADsABAAAADsAAgAAAF0A"; STRING $bytes = [Convert]::FromBase64String($b64); STRING [IO.File]::WriteAllBytes($filename, $bytes); DELAY 300 REM Create the GPT file. This is definitely required, but I don't know if it changes per machine STRING $filename = "C:\Windows\System32\GroupPolicy\gpt.ini"; STRING $b64="W0dlbmVyYWxdDQpnUENNYWNoaW5lRXh0ZW5zaW9uTmFtZXM9W3szNTM3OEVBQy02ODNGLTExRDItQTg5 STRING QS0wMEMwNEZCQkNGQTJ9e0QwMkIxRjcyLTM0MDctNDhBRS1CQTg4LUU4MjEzQzY3NjFGMX1dIA0KVmVyc2lvbj01DQo="; STRING $bytes = [Convert]::FromBase64String($b64); STRING [IO.File]::WriteAllBytes($filename, $bytes); DELAY 300 REM have to gpupdate. This will take an undetermined amount of time REM you may need to set this to trigger on a button press rather than a delay STRING gpupdate /force ENTER DELAY 10000 REM ==Remove existing keys, in case bitlocker is already enabled================================== STRING manage-bde -protectors -delete C: ENTER DELAY 1000 REM ==Clear out from messages, in case no protectors, just in case================================ ENTER DELAY 2000 REM ==Enable bitlocker on C: with password and skip hardware test================================= STRING manage-bde -on C: -skiphardwaretest ENTER DELAY 500 REM ==remove default TPM. We don't want this enabled.============================================= STRING manage-bde -protectors -delete C: ENTER DELAY 1000 REM ==Manually add password as a protector. SET YOUR PASSWORD HERE!!============================== REM ==MUST BE AT LEAST 8 CHARACTERS LONG OR ELSE IT WILL FAIL===================================== DELAY 1000 STRING manage-bde -protectors -add C: -password ENTER DELAY 1000 STRING yourpasswordhere ENTER DELAY 1000 STRING yourpasswordhere ENTER DELAY 3000 REM ==Force the protection to be enabled so that it engages at next reboot======================== STRING manage-bde -Protectors -Enable C: ENTER DELAY 2000 REM ==Optional - Reboot after a delay. Give you time to escape==================================== STRING shutdown /r /t 30 ENTER DELAY 2000 ENTER DELAY 500 REM ==Clear history of Windows Terminal==================================== ALT F7 DELAY 200 REM ==Enable this if you are doing a delayed reboot using traditional command prompt======================== REM ALT F4 REM ==Enable this if you are doing a delayed reboot using GUI x prompt====================================== STRING exit ENTER REM ==Optional - Clear run history - not needed if using GUI +X =================================== REM GUI r REM DELAY 500 REM STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" REM ENTER REM DELAY 300 REM ==Optional - reboot immediately to lock the computer========================================== REM STRING shutdown /r /t 0 REM ENTER