bitlocker_enable_superops.ps1
Corey Watson edited this page Dec 1, 2025 · 1 revision
Enables BitLocker on the OS drive using TPM and Recovery Password protectors with SuperOps integration.
Enables BitLocker on the OS drive using TPM and Recovery Password protectors. Ensures protectors are not duplicated, prints recovery key to console for RMM log capture, and syncs the recovery key to SuperOps custom fields.
Automates BitLocker enablement for Windows systems deployed through SuperOps RMM. The script configures encryption with industry-standard settings, manages TPM and recovery password protectors, and securely stores recovery keys in SuperOps custom fields for centralized management and disaster recovery.
- PowerShell 5.1 or later
- Windows 10/11 Pro or Enterprise
- BitLocker feature enabled
- Administrator privileges required
- SuperOps module available via $SuperOpsModule
- $SuperOpsModule - Path to SuperOps module
  - Injected by RMM platform
  - Required for custom field synchronization
- $Drive - Target drive for BitLocker
  - Default: 'C:'
  - Must be a valid system drive
- $Force - Force recovery key rotation
  - Default: $true
  - Set to $false to preserve existing recovery keys
- Encryption Method: XTS-AES 256 (industry standard)
- Used Space Only: $true (faster encryption, only encrypts used space)
- Skip Hardware Test: $true (no reboot required to start encryption)
- Validates administrative privileges and SuperOps module
- Ensures BDESVC (BitLocker Service) is running and set to Automatic
- Checks TPM status and adds TPM protector if available
- Rotates Recovery Password protector when Force=$true
- Initiates BitLocker encryption with configured settings
- Retrieves and displays recovery key
- Syncs recovery key ID and password to SuperOps custom fields:
  - "BitLocker Recovery Key ID"
  - "BitLocker Recovery Password"
- Recovery Password is printed to console (captured by RMM logs)
- Recovery Password is synced to SuperOps custom fields
- No local files or transcripts are created
- Administrative privileges required (script will fail if not elevated)
- 0: Success - BitLocker enabled and key synced
- 1: Failure - Prerequisites, validation, or cmdlet errors
[ INPUT VALIDATION ]
--------------------------------------------------------------
SuperOpsModule : C:\Program Files\SuperOps\Modules\SuperOps.psm1
Drive : C:
Force : True
Admin Privileges : Confirmed
[ PRECHECK ]
--------------------------------------------------------------
BDESVC Status : Running
TPM Present : True
TPM Ready : True
Current Status : FullyDecrypted
[ CONFIGURE PROTECTORS ]
--------------------------------------------------------------
Removing 1 existing RecoveryPassword protector(s)
Removed old protector : {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Added new RecoveryPassword protector
Recovery Key ID : {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
TPM protector already present
[ ENABLE ENCRYPTION ]
--------------------------------------------------------------
Encryption already active - skipping enable
Volume Status : FullyEncrypted
[ RECOVERY KEY ]
--------------------------------------------------------------
Recovery Key ID : {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
Recovery Password:
------------------------------------------------------------
123456-789012-345678-901234-567890-123456-789012-345678
------------------------------------------------------------
[ SUPEROPS SYNC ]
--------------------------------------------------------------
Sent BitLocker Recovery Key ID to SuperOps
Sent BitLocker Recovery Password to SuperOps
Custom fields synchronized
[ FINAL STATUS ]
--------------------------------------------------------------
Result : SUCCESS
BitLocker enablement completed
[ SCRIPT COMPLETED ]
--------------------------------------------------------------
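To confirm afterwards that a machine is in the documented state (XTS-AES 256, TPM protector, a single recovery password, BDESVC set to Automatic) without printing the recovery password a second time, a read-only check can be run. This is an added example, not part of bitlocker_enable_superops.ps1; the function name Test-BitLockerBaseline and its -ExpectedKeyId parameter are hypothetical, and it assumes the BitLocker PowerShell module that ships with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the configuration this page documents.
# Test-BitLockerBaseline and -ExpectedKeyId are hypothetical names.
function Test-BitLockerBaseline {
    param(
        [string]$Drive = 'C:',      # documented default target drive
        [string]$ExpectedKeyId      # optional: value stored in "BitLocker Recovery Key ID"
    )

    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
    $svc = Get-Service -Name BDESVC -ErrorAction Stop
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $tpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })

    $checks = [ordered]@{
        'BDESVC running'                 = $svc.Status -eq 'Running'
        'BDESVC startup is Automatic'    = $svc.StartType -eq 'Automatic'
        'Encryption method is XtsAes256' = $vol.EncryptionMethod -eq 'XtsAes256'
        'Volume encrypted or encrypting' = $vol.VolumeStatus -in @('FullyEncrypted', 'EncryptionInProgress')
        # Protection reports Off until the initial encryption pass has finished.
        'Protection is On'               = $vol.ProtectionStatus -eq 'On'
        'TPM protector present'          = $tpm.Count -ge 1
        # The script is meant to leave no duplicate recovery passwords behind.
        'Exactly one RecoveryPassword'   = $rp.Count -eq 1
    }
    if ($ExpectedKeyId) {
        $checks['Key ID matches stored value'] = @($rp.KeyProtectorId) -contains $ExpectedKeyId
    }

    # Emit one object per check; the recovery password itself is never output.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

$results = @(Test-BitLockerBaseline -Drive 'C:')
$results | Format-Table -AutoSize
# Same exit-code convention as the page: 0 on success, 1 on any failed check.
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Passing the ID from the "BitLocker Recovery Key ID" custom field as -ExpectedKeyId (braces included, as in the output above) shows whether the stored key still matches the protector on the volume after a rotation.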
- 2025-11-29 v1.1.0 - Refactored to full Style A compliance with SuperOps integration, improved error handling, CIM over WMI, removed status prefixes, and cleaner section organization
- 2025-09-29 v1.0.0 - Initial Style A implementation with hardcoded inputs