We can use PowerShell to enable BitLocker on domain-joined Windows 10 machines. By using PowerShell for this task we can deploy it to multiple machines at once and, at the same time, store the recovery password in Active Directory.
How to enable BitLocker with PowerShell
The basics
With the BitLocker Windows PowerShell cmdlets we can, for example, encrypt the operating system volume and set different key protectors. To simply enable BitLocker with the TPM protector we can use the following command:
Enable-BitLocker C:
To save some time, you don’t need to encrypt the entire volume. Encrypting only the used space is enough: when new data is added, it is encrypted immediately. The command below will encrypt the used space only, skip the hardware test and store the recovery password in Active Directory.
Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
Using a PIN for unlock
If you want to protect your device with a PIN before booting, you can use the TpmAndPinProtector option. To do so, we first need to convert the PIN to a secure string, and then pass it to Enable-BitLocker:
$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint C: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TpmAndPinProtector
Storing the recovery key
Besides Active Directory, you can also store the recovery key at a specified path.
Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector
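As an added example (not code from the original post), the script below combines the steps above into one idempotent run: it checks that the TPM is ready, enables BitLocker with the TPM protector, adds a recovery password protector, and escrows that recovery password in Active Directory explicitly with Backup-BitLockerKeyProtector instead of relying on policy to do it. It assumes an elevated PowerShell session on a domain-joined Windows 10 machine; $MountPoint is an assumed parameter.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# domain-joined Windows 10 machine with a present and ready TPM.
param([string]$MountPoint = 'C:')

# Refuse to continue without a usable TPM; the TPM protector cannot be created otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this machine; cannot add a TPM protector."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Add the TPM protector only once; Enable-BitLocker fails if one already exists.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest -TpmProtector | Out-Null
}

# Add a recovery password protector if the volume does not have one yet.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password protector in AD DS, under the computer object.
# This fails if the domain schema lacks the BitLocker recovery attributes.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Report the result. Only the protector IDs are shown; the recovery password
# itself is never written to the console or a log.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus
    ProtectionStatus  = $vol.ProtectionStatus
    EncryptionPercent = $vol.EncryptionPercentage
    RecoveryIds       = ($rp.KeyProtectorId -join ', ')
}
```

After the run, the escrowed password can be checked in Active Directory Users and Computers on the computer object's BitLocker Recovery tab (with the BitLocker Recovery Password Viewer feature installed).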
Hi there, is there any way I can get this to work on a network location that requires a username and password?
You could try to give only domain administrator access to the folder and apply BitLocker on the computer when logged in as domain admin.
Hi, when I try to store the recovery key on a specified path, the file is not created. So I can disable BitLocker just like that. Do you know how I can fix this? Thank you.
Should this work remotely through an invoke-command or remotely from an enter-pssession to the workstation? These work great if I am local on the machine but when I try remotely it complains about the “Active Directory Domain Services forest does not contain the required attributes…”
Rudy, does my domain functional level need to be at a certain level for this to store recovery passwords for W10 machines in AD?
If you are running Windows 2008 or newer you should be fine. If you are still on 2003, then you need to extend the schema to store the info. More info about it here: https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc722309(v=ws.10)