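<#
.SYNOPSIS
    Enable BitLocker through a SYSTEM scheduled task, then escrow the OS
    recovery-password protector to Azure AD.

.DESCRIPTION
    Steps, in order:
      1. Eject optical media (original intent: "eject all media before BitLocker").
      2. Register a scheduled task that runs as SYSTEM at logon and executes the
         base64 (UTF-16LE) payload in $content via -EncodedCommand.  The payload
         is not visible in this file; decode and review it before deployment:
           [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($content))
      3. Write the BitLocker policy values under HKLM:\SOFTWARE\Policies\Microsoft\FVE
         so recovery options / AD backup requirements are in place *before* the
         task is started.
      4. Start the task, poll until every BitLocker volume reports FullyEncrypted
         (bounded by $encryptionTimeout), then back up the RecoveryPassword
         protector of C: to AAD and remove the logon task.

    Must run elevated.  Fixes relative to the original script:
      - Win32_Volume.DriveType is a uint32 (5 = CD-ROM); comparing it to the
        string 'CD Drive' never matched, so nothing was ever ejected.
      - The final branch tested $BLinfo, a variable that is never assigned, so
        the AAD backup never executed.
      - The protector was selected as KeyProtector[1]; the index is not stable,
        so it is now selected by KeyProtectorType.
      - The wait loop had no exit condition and spun forever if encryption never
        started; it now times out.
      - Policy values were only written when the FVE key was absent; now each
        missing value is added individually (existing values are not overwritten).
      - The logon task (SYSTEM + -ExecutionPolicy Bypass + encoded payload) is
        unregistered once encryption is confirmed instead of persisting forever.
#>

########################################
# Eject optical media before BitLocker #
########################################
# DriveType 5 = CD-ROM in Win32_Volume.  Volumes without a drive letter cannot be
# addressed through Shell.Application, so they are skipped.
$volumes = Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.DriveType -eq 5 -and $_.DriveLetter }

$shellApp = New-Object -ComObject Shell.Application
foreach ($volume in $volumes) {
    # 17 = ssfDRIVES ("This PC"); ParseName expects the "D:" form DriveLetter uses.
    $driveItem = $shellApp.NameSpace(17).ParseName($volume.DriveLetter)
    if ($null -ne $driveItem) {
        $driveItem.InvokeVerb('Eject')
    }
}

########################################
# Encoded command executed by the task #
########################################
# NOTE(review): this payload runs as SYSTEM with execution policy bypassed.
# Treat it as code under review, not as opaque data.
$content = "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"

###########################################################
# Register the payload as a SYSTEM scheduled task (logon) #
###########################################################
$taskName = 'EnableBitlocker'
$Time     = New-ScheduledTaskTrigger -AtLogOn
$User     = 'SYSTEM'
# -NoProfile / -NonInteractive: a SYSTEM-context powershell.exe must not load a
# profile script (a writable profile would be an easy code-injection point) or
# block on a prompt that nobody can answer.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $content"

Register-ScheduledTask -TaskName $taskName -Trigger $Time -User $User -Action $Action -Force | Out-Null

################################
# Create BitLocker policies    #
################################
$BitLockerRegLoc = 'HKLM:\SOFTWARE\Policies\Microsoft'
$fvePath         = "$BitLockerRegLoc\FVE"

if (Test-Path $fvePath) {
    Write-Verbose "$fvePath key already exists; only missing values will be added" -Verbose
} else {
    New-Item -Path $BitLockerRegLoc -Name 'FVE' | Out-Null
}

# DWORD policy values (same names/values as the original script).  Meanings per
# the BitLocker ADMX, as far as these names indicate: 1 = enabled/allow,
# 2 = require, 0 = disabled; *InfoToStore = 2 selects recovery passwords only.
# Confirm against your organisation's baseline before changing any of them.
$fvePolicy = [ordered]@{
    ActiveDirectoryBackup           = 1
    RequireActiveDirectoryBackup    = 1
    OSRequireActiveDirectoryBackup  = 1
    OSRecovery                      = 1
    OSManageDRA                     = 1
    OSActiveDirectoryBackup         = 1
    FDVRecovery                     = 1
    FDVManageDRA                    = 0
    FDVRecoveryPassword             = 2
    FDVRecoveryKey                  = 2
    FDVActiveDirectoryBackup        = 1
    FDVRequireActiveDirectoryBackup = 1
    OSActiveDirectoryInfoToStore    = 2
    FDVActiveDirectoryInfoToStore   = 2
}

foreach ($policyName in $fvePolicy.Keys) {
    # Add only what is missing so an administrator's existing values are preserved.
    $existing = Get-ItemProperty -Path $fvePath -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $fvePath -Name $policyName -Value $fvePolicy[$policyName] `
            -PropertyType DWORD | Out-Null
    }
}

################################
# Start BitLocker encryption   #
################################
Start-ScheduledTask -TaskName $taskName

# Poll until every BitLocker volume is FullyEncrypted.  The loop is bounded: if the
# task never encrypts a volume (payload failure, TPM not ready, a data volume
# that is not targeted) the script reports what is still pending and exits
# non-zero instead of hanging.
$encryptionTimeout = New-TimeSpan -Hours 4
$deadline          = (Get-Date) + $encryptionTimeout

while ($true) {
    $waitingFor = Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyEncrypted'
    if (-not $waitingFor) {
        break
    }
    $waitingFor | Format-Table MountPoint, VolumeStatus, EncryptionPercentage
    if ((Get-Date) -gt $deadline) {
        Write-Warning "Timed out after $encryptionTimeout waiting for encryption; volumes above are still pending."
        exit 1
    }
    Start-Sleep -Seconds 10
}

###############################################
# Escrow the OS recovery protector to AAD     #
###############################################
$BLV = Get-BitLockerVolume -MountPoint 'C:'
if ($BLV.VolumeStatus -eq 'FullyEncrypted') {
    # Pick the protector by type; the position in KeyProtector[] is not guaranteed.
    $recoveryProtectors = @($BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recoveryProtectors.Count -eq 0) {
        Write-Warning 'No RecoveryPassword protector found on C:; nothing was backed up to AAD.'
        exit 1
    }
    foreach ($protector in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $protector.KeyProtectorId
    }

    # Encryption is complete and the recovery key is escrowed, so the SYSTEM logon
    # task that carries the bypass/encoded payload is no longer needed.  Remove it
    # rather than leaving a permanent SYSTEM-level execution hook on the machine.
    # NOTE(review): this assumes the payload's only job is enabling BitLocker;
    # confirm by decoding $content.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}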