Auto-commit: 2025-10-31 08:58:35

2025-10-31 08:58:36 +01:00
parent 7d94414992
commit 7cc3011354
1088 changed files with 193455 additions and 0 deletions
--- a/Windows-ActivateBitlocker/EnableBitlocker.ps1
+++ b/Windows-ActivateBitlocker/EnableBitlocker.ps1
@@ -0,0 +1,212 @@
+
+
+Function Enable-TPM_Dell {
+	param(
+        [string] $BiosPassword = ""
+    )	
+	
+	$DellModulePath = "${env:ProgramFiles}\WindowsPowerShell\Modules\DellBIOSProvider"
+	if (test-path $DellModulePath) {
+		write-host "PASS"
+		import-module DellBIOSProvider
+		If ($BiosPassword -eq "") { 
+			Set-Item -Path DellSmbios:\TpmSecurity\TpmSecurity "Enabled"
+		} Else {
+			Set-Item -Path DellSmbios:\TpmSecurity\TpmSecurity "Enabled" -Password $BiosPassword
+		}
+	} Else {
+		Write-Error "DellBIOSProvider Module Not Exist..."
+	}
+}
+
+Function Enable-TPM_HP {
+  $BiosInfo  = Get-WmiObject -Namespace root/hp/instrumentedBIOS -Class hp_biosEnumeration
+  $BiosSetup = Get-WmiObject -Namespace root/hp/instrumentedBIOS -class hp_biossettinginterface
+
+	foreach ($Conf in $BiosInfo) {
+		$Param = $conf.Name
+		If ($Param -like "*TPM Device*") {
+			Write-host "$Param"
+			$BiosSetup.SetBIOSSetting($Param,'Enable')
+		}
+	}
+}
+
+Function Test-UEFI {
+
+        <#
+        .Synopsis
+           Determines underlying firmware (BIOS) type and returns True for UEFI or False for legacy BIOS.
+        .DESCRIPTION
+           This function uses a complied Win32 API call to determine the underlying system firmware type.
+        .EXAMPLE
+           If (IsUEFI) { # System is running UEFI firmware... }
+        .OUTPUTS
+           [Bool] True = UEFI Firmware; False = Legacy BIOS
+        .FUNCTIONALITY
+           Determines underlying system firmware type
+        #>
+
+        [OutputType([Bool])]
+        Param ()
+
+Add-Type -Language CSharp -TypeDefinition @'
+
+    using System;
+    using System.Runtime.InteropServices;
+
+    public class CheckUEFI
+    {
+        [DllImport("kernel32.dll", SetLastError=true)]
+        static extern UInt32 
+        GetFirmwareEnvironmentVariableA(string lpName, string lpGuid, IntPtr pBuffer, UInt32 nSize);
+
+        const int ERROR_INVALID_FUNCTION = 1; 
+
+        public static bool IsUEFI()
+        {
+            // Try to call the GetFirmwareEnvironmentVariable API.  This is invalid on legacy BIOS.
+
+            GetFirmwareEnvironmentVariableA("","{00000000-0000-0000-0000-000000000000}",IntPtr.Zero,0);
+
+            if (Marshal.GetLastWin32Error() == ERROR_INVALID_FUNCTION)
+
+                return false;     // API not supported; this is a legacy BIOS
+
+            else
+
+                return true;      // API error (expected) but call is supported.  This is UEFI.
+        }
+    }
+'@
+
+
+    [CheckUEFI]::IsUEFI()
+}
+
+
+
+Function Get-IsLaptop {
+    $isLaptop = $false
+    if(Get-WmiObject -Class win32_systemenclosure | Where-Object { $_.chassistypes -eq 8 -or $_.chassistypes -eq 9 -or $_.chassistypes -eq 10 -or $_.chassistypes -eq 14 -or $_.chassistypes -eq 30}) { $isLaptop = $true }
+    Return $isLaptop
+}
+
+Function Get-PendingReboot {
+	$isReboot = $False
+	if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired") { $isReboot = $True }
+	if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations")       { $isReboot = $True }
+	if (Test-Path "HKLM:\SOFTWARE\WOW6432Node\LANDesk\managementsuite\WinClient\VulscanReboot")               { $isReboot = $True }
+	if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending")  { $isReboot = $True }
+	Return $isReboot
+}
+
+
+# Exit Code 
+# 20200 => Puce TPM
+
+# ******************** Get Info ***************************
+write-host "----- Get TPM bios info"
+$Manufacturer = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer
+if ((Get-tpm).TpmReady -eq $False) {
+	write-host "---------- TPM Off"
+	If ($Manufacturer -like "*Dell*") { Enable-TPM_Dell } 
+	If ($Manufacturer -like "*HP*")   { Enable-TPM_HP   } 
+} Else { write-host "---------- TPM On"}
+if ((Get-tpm).TpmReady -eq $False) { 
+	Write-Error "Puce TPM not enable ..."
+	exit 20200
+}
+
+# ******************** Get Info ***************************
+write-host "----- Get bitlocker info"
+$StateC = (Get-BitLockerVolume -MountPoint "C:").VolumeStatus
+If (test-path "D:") { $StateD = (Get-BitLockerVolume -MountPoint "D:").VolumeStatus } Else { $StateD = "NotExist" }
+write-host "---------- C: $StateC"
+write-host "---------- D: $StateD"
+
+# ******************** Get Info ***************************
+write-host "----- Get pendingRebbot"
+If (Get-PendingReboot -eq $false) { 
+	write-host "---------- OK"
+} Else { 
+	Write-Error "Reboot Pending"
+}
+
+# ******************** Get Info ***************************
+write-host "----- Get UEFI"
+If (Test-UEFI -eq $True) { 
+	write-host "---------- OK"
+} Else { 
+	Write-Error "Legacy mode enabled"
+}
+
+
+
+# ******************** Wait or Not Encrypt **********************
+If (test-path "d:") {
+	# il faut attendre le cryptage du C pour initialisr le cryptage du D
+	$NeedWait = $true
+} ELse {
+	$NeedWait = $false
+}
+
+
+# ******************** Encrypt Volume ***************************
+if (((Get-tpm).TpmReady -eq $True) -and (Test-UEFI -eq $True) -and (Get-PendingReboot -eq $false)) {
+	# ******************* C drive *******************************
+	# Encrypt volume C
+	If ($StateC -eq "FullyDecrypted") {
+		Write-host "Enable Bitlocker on C Drive"
+		add-bitlockerKeyProtector -mountPoint "C:" -TpmProtector
+		Enable-BitLocker -mountPoint "C:" -EncryptionMethod XtsAes128 -RecoveryPasswordProtector -SkipHardwareTest -ErrorAction SilentlyContinue
+	}	
+	# Vait Encrypt finalize
+	if ($StateC -ne "FullyEncrypted") { Start-Sleep -Seconds 10 }
+	
+	# Si j'ai un D il faut que le cryptage du c soit Finalisé
+	$Loop = $NeedWait
+	while($Loop){
+		$StateC = (Get-BitLockerVolume -MountPoint "C:").VolumeStatus
+		if ($StateC -eq "FullyEncrypted") { 
+			$Loop = $false 
+		} Else {
+			Write-host "Wait bitlocker in progress"
+			Start-Sleep -Seconds 10
+		}
+	}
+	# Force Backup Key in AD
+	Write-host "Backup Key in AD"
+	$BLV = Get-BitLockerVolume   -MountPoint "C:"
+	Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
+
+
+	# ******************* D drive *******************************
+	If (test-path "D:") { 
+		$StateC = (Get-BitLockerVolume -MountPoint "C:").VolumeStatus
+		$StateD = (Get-BitLockerVolume -MountPoint "D:").VolumeStatus
+		
+		# C need is fully encrypted for start encrypt volume D
+		if (($StateC -eq "FullyEncrypted") -and ($StateD -ne "FullyEncrypted")) { 
+			Write-host "Enable Bitlocker on D Drive"
+            Add-bitlockerKeyProtector  -mountPoint "d:" -RecoveryPasswordProtector
+            Enable-BitLocker           -mountPoint "d:" -EncryptionMethod XtsAes128 -RecoveryPasswordProtector -SkipHardwareTest
+            Enable-BitLockerAutoUnlock -MountPoint "d:" 
+			
+			# Vait Encrypt finalize
+			if ($StateD -ne "FullyEncrypted") { Start-Sleep -Seconds 10 }
+			$Loop = $NeedWait
+			while($Loop){
+				$StateD = (Get-BitLockerVolume -MountPoint "D:").VolumeStatus
+				if ($StateD -eq "FullyEncrypted") { 
+					$Loop = $false 
+				} Else {
+					Write-host "Wait bitlocker in progress"
+					Start-Sleep -Seconds 10
+				}
+			}	
+		
+		}	
+	}
+}
+