Enable BitLocker on Windows 10

We can use PowerShell to enable BitLocker on domain-joined Windows 10 machines. Using PowerShell for this task lets us deploy it to multiple machines at once and, at the same time, store the recovery password in Active Directory.

How To enable Bitlocker with PowerShell

The basic

With the BitLocker Windows PowerShell cmdlets we can, for example, encrypt the operating system volume and set different protectors. To just enable BitLocker with the TPM protector we can use the following command:

Enable-BitLocker -MountPoint C: -TpmProtector

To save some time, you don’t need to encrypt the entire volume. Encrypting just the used space is enough: new data is encrypted as soon as it is written. The command below encrypts the used space only, skips the hardware test and adds a recovery password protector that can be stored in Active Directory.

Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

Using a PIN for unlock

If you want to protect your device with a PIN before booting, you can use the TpmAndPinProtector option. To do so, we first need to convert the PIN to a secure string:

$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint C: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TpmAndPinProtector

Storing the recovery key

Besides Active Directory, you can also store the recovery key as a file on a specified path.

Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector
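Putting the pieces above together, here is an added example (not the post's own code) of an unattended deployment script: it checks the TPM, adds the recovery password and escrows it to Active Directory with Backup-BitLockerKeyProtector before any encryption starts, and only then enables the TPM protector. The cmdlet names are real; the ordering, the abort-before-encrypting logic and the XtsAes256 choice are this example's own assumptions.

```powershell
# Added example, not from the original post. Assumes a domain-joined
# Windows 10 machine and an elevated session, as in the post.
#Requires -RunAsAdministrator
$MountPoint = 'C:'

# Only continue if the volume is not already encrypted or in progress.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}

# A TPM protector needs a ready TPM; fail early instead of half-configuring.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; cannot enable BitLocker with a TPM protector.'
}

# Add the recovery password first so it exists, and can be escrowed,
# before the TPM protector is committed and encryption begins.
$rp   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId

# Escrow the recovery password on the computer object in AD. This needs the
# BitLocker schema attributes in the forest; if it fails, remove the protector
# and stop, so a machine is never encrypted with an un-escrowed key.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId
} catch {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId
    throw "Recovery password not escrowed to AD ($($_.Exception.Message)); aborting before encryption."
}

# Encrypt used space only with the TPM protector (XTS-AES 256 is available
# on Windows 10 1511 and later; the post uses Aes256).
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -SkipHardwareTest -TpmProtector

# Report what was configured for later verification or logging.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it through Invoke-Command or a startup script on each machine; the final Get-BitLockerVolume output gives you a per-host record of the protectors that were actually applied.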

6 thoughts on “Enable BitLocker on Windows 10”

  1. Hi, when I try to store the recovery key on a specified path, the file is not created. So I can disable BitLocker just like that. Do you know how I can fix this? Thank you.

  2. Should this work remotely through an Invoke-Command or remotely from an Enter-PSSession to the workstation? These work great if I am local on the machine, but when I try remotely it complains about the “Active Directory Domain Services forest does not contain the required attributes…”

  3. Rudy, does my domain functional level need to be at a certain level for this to store recovery passwords for W10 machines in AD?
