To use Bitlocker some mandatory settings must be respected:
- Operating system is Windows 10 with 64 Bit architecture
- Bitlocker is supported starting with Windows 10 IoT Enterprise 2019 LTSC
- fTPM is enabled in the BIOS
- BIOS Boot mode is UEFI
The sample checks the following settings:
- TwinCAT state is in CONFIG mode
- TwinCAT powershell module AdsApi is available
- Boot mode is UEFI or LEGACY
- OS architecture is 32 Bit or 64 Bit
- OS release id is supported (below 1809 is not supported)
- fTPM or FTPM is present
- fTPM or FTPM is ready
- Recovery partitions exist
- Bitlocker status state
FullyDecrypted The script goes on
EncryptionInProgress The script stops here because the encryption is in progress
DecryptionInProgress The script stops here because the decryption is in progress
FullyEncrypted The script stops here because the volume is already encrypted - Add Bitlocker Protectors: TpmProtector, RecoveryPasswordProtector
- Initialize TPM, add recovery partition if needed and enable Bitlocker
- Save Bitlocker KeyProtectors to defined target location $KeyProtectorLocation
In the sample it is "C:\Users\Administrator\Desktop\KeyProtector.txt"
Error Code Description:
- $Error_Success = 0
The script runs successfully - $Error_OsLegacy = 10
OS is LEGACY which is not supported - $Error_Os32Bit = 11
OS is 32Bit which is not supported - $Error_OsReleaseId = 12
OS ReleaseID is lower than 1809 which is not supported - $Error_TpmNotPreent = 20
TPM is not present - $Error_TpmNotReady = 21
TPM is not ready - $Error_BLDriveNotReady = 30
Bitlocker mountpoint does not exist - $Error_BLEncryptionInProgress = 31
Bitlocker Encryption is in progress - $Error_BLDecryptionInProgress = 32
Bitlocker Decryption is in progress - $Error_BLFullyEncrypted = 32
Bitlocker is already encrypted - $Error_TcSysPsExtensionMissing = 40
TwinCAT powershell module AdsApi is missing - $Error_TcSysStateRunning = 41
TwinCAT state is running