We can use PowerShell to enable BitLocker on domain joined Windows 10 machines. By using PowerShell for this task we can deploy it to multiple machines at once and, at the same time, store the recovery password in Active Directory.
How To enable Bitlocker with PowerShell
With the BitLocker Windows PowerShell cmdlets we can, for example, encrypt the operating system volume and set different key protectors. To just enable BitLocker with the TPM protector we can use the following command:
To save some time, you don’t need to encrypt the entire volume. Encrypting only the used space is enough: new data is encrypted as soon as it is written. The command below encrypts the used space only, skips the hardware test and adds a recovery password protector so the recovery password can be stored in Active Directory.
Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
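The full sequence for a domain joined machine, as an added example that is not part of the original post: add the recovery password protector, enable BitLocker with the TPM protector on used space only, push the recovery password to AD DS with Backup-BitLockerKeyProtector (the step that actually writes it to the computer object), and verify the result. It assumes a ready TPM, a domain joined machine and that the domain already has the BitLocker recovery schema and write permissions in place.

```powershell
# Added example, not the original post's code. Assumes a domain joined Windows 10
# machine with a ready TPM and AD DS prepared to receive BitLocker recovery information.
$MountPoint = "C:"

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Do not touch a volume that is already protected
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "BitLocker protection is already on for $MountPoint, nothing to do."
    return
}

# 1. Add the 48-digit recovery password protector first, so a fallback exists
#    before the TPM protector is bound to the volume
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# 2. Enable BitLocker with the TPM protector, used space only, skipping the hardware test
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -UsedSpaceOnly -SkipHardwareTest -TpmProtector

# 3. Back up every recovery password protector to Active Directory.
#    Without this step (or the matching Group Policy) the password only lives on the machine.
$recoveryProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

foreach ($protector in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
}

# 4. Verify: the volume should report both a Tpm and a RecoveryPassword protector
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
```

After running it, confirm the recovery password appears under the computer object's BitLocker Recovery tab in Active Directory Users and Computers before relying on it.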
Using a pin for unlock
If you want to protect your device with a PIN before booting, you can use the -TpmAndPinProtector option. To do so, we first need to convert the PIN to a secure string:
$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint c: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TpmAndPinProtector
Storing the recovery key
Besides Active Directory, you can also write a recovery key file (.bek) to a specified path, for example on a removable drive:
Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector