
Enable BitLocker on Windows 10

February 6, 2023 (updated June 27th, 2023)

We can use PowerShell to enable BitLocker on domain-joined Windows 10 machines. By using PowerShell for this task we can deploy it to multiple machines at once and, at the same time, store the recovery password in Active Directory.

How to enable BitLocker with PowerShell

The basics

With the BitLocker Windows PowerShell cmdlets we can, for example, encrypt the operating system volume and set different protectors. To just enable BitLocker with the TPM protector we can use the following command:

Enable-BitLocker -MountPoint C: -TpmProtector

To save some time, you don't need to encrypt the entire volume. Encrypting only the used space is enough: when new data is written, it is encrypted immediately. The command below encrypts the used space only, skips the hardware test and adds a recovery password protector, which is what gets stored in Active Directory.

Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
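Enable-BitLocker only adds the recovery password protector to the volume; escrowing that password into the computer object in AD DS is a separate step done with Backup-BitLockerKeyProtector (or by Group Policy). The script below is an added example, not code from the original post: it checks the TPM, enables BitLocker with the TPM protector, adds a recovery password if one is missing, backs every recovery password up to AD DS, and returns the resulting state so a mass deployment can log it. It assumes the machine is domain joined and the domain already stores BitLocker recovery information.

```powershell
# Added example (not from the original post). Assumes a domain-joined machine and an
# AD DS forest that accepts BitLocker recovery information for this computer object.
#Requires -RunAsAdministrator

$MountPoint = 'C:'

# 1. Refuse to proceed without a ready TPM; otherwise the TPM protector cannot be created.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not present or not ready on $env:COMPUTERNAME; aborting."
}

# 2. Enable BitLocker only if the OS volume is still fully decrypted (script is re-runnable).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest -TpmProtector | Out-Null
} else {
    Write-Warning "$MountPoint is already $($vol.VolumeStatus); skipping Enable-BitLocker."
}

# 3. Make sure a recovery password protector exists; add one if it does not.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 4. Escrow each recovery password (by protector id) to the computer object in AD DS.
#    Without this step the password only lives on the local volume metadata.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Return the protection state so the deployment log shows more than "script ran".
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Volume            = $MountPoint
    VolumeStatus      = $vol.VolumeStatus
    ProtectionStatus  = $vol.ProtectionStatus
    EncryptionPercent = $vol.EncryptionPercentage
    Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
    BackedUpIds       = ($rp.KeyProtectorId -join ', ')
}
```

Run it once per machine (for example through a scheduled task or your deployment tool) and collect the returned object; an empty BackedUpIds or ProtectionStatus of Off is the signal to investigate that host.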

Using a PIN to unlock

If you want to protect your device with a PIN before booting, you can use the TpmAndPinProtector option. To do so, we first need to convert the PIN to a secure string:

$SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
Enable-BitLocker -MountPoint C: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TpmAndPinProtector

Storing the recovery key

Besides Active Directory, you can also store the recovery key at a path you specify:

Enable-BitLocker -MountPoint C: -UsedSpaceOnly -SkipHardwareTest -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector