In this article, you will learn about the BitLocker PowerShell module and how to manage BitLocker using PowerShell. This article does not cover the basics, so I am assuming you already know the basics of BitLocker and PowerShell.
BitLocker PowerShell module
Launch an elevated PowerShell console to follow along with this guide. To view the various commands offered by the BitLocker module, run the following command:
Get-Command -Module BitLocker
If the above command does not produce any output, you're probably running it on a Windows Server OS. Note that BitLocker is installed by default on client operating systems, such as Windows 10 and Windows 11. However, if you want to use BitLocker on a Windows Server, you need to manually enable it using the following PowerShell command:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
This command installs BitLocker (including all subfeatures and management tools) and then restarts the server to complete the installation.
Get information about a BitLocker volume
To get information about the volumes (or drives) that BitLocker drive encryption can protect on your computer, use the following command:
Get-BitLockerVolume
Get a list of volumes that can be protected with BitLocker using PowerShell
By default, the cmdlet shows the most useful properties in a tabular format. When used without any parameters, it displays all the volumes. You can specify a particular volume using the -MountPoint parameter. For instance, to view the status of only the C: drive, use the following command:
Get-BitLockerVolume -MountPoint "C:"
Enable BitLocker
The Enable-BitLocker command is used to enable BitLocker drive encryption. Before using it, let's first have a look at the cmdlet:
- Volume: Specify a drive letter or a volume object that Get-BitLockerVolume will return.
- Key protector: Specify a key protector to encrypt the volume master key (VMK) stored on the disk. The VMK encrypts the full volume encryption key (FVEK), which in turn encrypts the raw data. The following key protectors can be used:
- Trusted Platform Module (TPM) only: If only TPM is specified, BitLocker uses the TPM chip to protect the encryption key. The encrypted drive can be accessed as long as it remains connected to the system with the TPM chip. To use this key protector, use the -TpmProtector switch parameter. Note that a switch parameter doesn't require any value. To check whether your computer supports TPM, use the Get-Tpm command, as shown in the screenshot:
- TPM + PIN: When TPM and a PIN are specified, BitLocker uses both to protect the encryption key. Use the -TpmAndPinProtector switch parameter to establish this key protector and specify a PIN as a secure string. You could use the ConvertTo-SecureString cmdlet to generate a secure string.
- TPM + Startup Key (USB drive): BitLocker uses both TPM and a startup key (a removable USB flash drive containing an external key) as key protectors to protect the encryption key. Use the -TpmAndStartupKeyProtector switch parameter to define this key protector.
- TPM + Startup Key + PIN: BitLocker uses TPM, a startup key, and a PIN as key protectors to protect the encryption key. To work with a combination of all these key protectors, use the -TpmAndPinAndStartupKeyProtector switch parameter.
- Startup Key: BitLocker uses a removable USB storage drive to protect the encryption key. For this key protector, use the -StartupKeyProtector switch parameter and the -StartupKeyPath parameter to specify the path of the key.
- Recovery Key: BitLocker uses a recovery key stored as a file to protect the encryption key. When you establish a startup key or a recovery key as a key protector, you must specify a path to store the key. To define this, use the -RecoveryKeyProtector switch along with the -RecoveryKeyPath parameter to specify a folder in which a randomly generated recovery key is stored.
- Password: BitLocker uses a password to protect the encryption key. The -PasswordProtector switch specifies this key protector, and the -Password parameter passes a secure string.
- Recovery Password: BitLocker uses a recovery password to protect the encryption key. To establish this key protector, use the -RecoveryPasswordProtector switch parameter. If you use this key protector without specifying a password, a random 48-digit recovery password will be generated automatically.
- AD Account: BitLocker uses an AD account to protect the encryption key.
The Enable-BitLocker cmdlet lets you specify only one combination from the aforementioned key protectors. But you could use the Add-BitLockerKeyProtector cmdlet to add more key protectors later on.
- Encryption Method: By default, BitLocker uses XTS-AES-128, but you can specify the encryption method using the -EncryptionMethod parameter, which accepts values of Aes128, Aes256, XtsAes128, and XtsAes256.
- Used Space Only: By default, BitLocker encrypts the entire volume, including any unallocated space; this can be a time-consuming process for large volumes. To speed up the encryption process, you can use the -UsedSpaceOnly switch. The unallocated space remains unencrypted, but it is automatically encrypted as the data is stored.
- Hardware Encryption: By default, BitLocker uses software encryption but supports hardware encryption as well. You can use the -HardwareEncryption switch on supported disks. As per this security advisory, there are vulnerabilities in certain self-encrypting drives (SEDs), so Microsoft recommends using software-only encryption instead.
There are other parameters supported by the Enable-BitLocker cmdlet, but covering everything is not possible in a single post. If you're interested in learning all the parameters, use the Get-Help Enable-BitLocker -Detailed command.
Now let's take a look at how to enable BitLocker encryption with a PowerShell command.
$Pin = ConvertTo-SecureString "205020" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TpmAndPinProtector -UsedSpaceOnly
The first command generates a secure string from a plain-text numeric PIN, and the second command defines TPM + PIN as key protectors. You will be prompted to restart the computer to run a hardware test.
You could use the -SkipHardwareTest parameter to skip the hardware test, but it is not recommended. After the computer restarts, BitLocker will prompt you to type the PIN to start Windows.
After login, the encryption process starts automatically. You can view the progress using the Get-BitLockerVolume command, as shown below:
The VolumeStatus and EncryptionPercentage columns show the current encryption progress.
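The procedure above, as an added example that is not part of the original post: it checks the TPM with Get-Tpm before choosing the protector, skips volumes that are already encrypted, and then adds and escrows a recovery password so the volume never depends on a single protector. The mount point, the use of Read-Host for the secrets, and the assumption that the machine is domain-joined with the AD DS recovery-information policy in place are mine, not the article's.

```powershell
# Added example: TPM-aware BitLocker enablement for one volume, followed by recovery-password escrow.
$MountPoint = "C:"   # assumption: the operating system volume

$Vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($Vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$MountPoint is already $($Vol.VolumeStatus); nothing to do."
    return
}

$Tpm = Get-Tpm
if ($Tpm.TpmPresent -and $Tpm.TpmReady) {
    # Preferred: TPM + PIN. Read the PIN as a SecureString instead of hard-coding it in the script.
    $Pin = Read-Host -Prompt "Startup PIN" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $Pin
} else {
    # No usable TPM: a password (or external key) protector is required, and the
    # "Allow BitLocker without a compatible TPM" policy must already be enabled.
    $Password = Read-Host -Prompt "Volume password" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $Password
}

# A single protector is a single point of failure: add a random 48-digit recovery password too.
$Vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$Rp  = $Vol.KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -Last 1

# Escrow that recovery password in Active Directory (assumption: domain-joined machine whose
# policy allows storing BitLocker recovery information in AD DS).
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Rp.KeyProtectorId

# Report what protects the volume now, so the result can be verified in the console or a log.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId
```

Without -SkipHardwareTest the TPM branch still requires the restart and hardware test described above before encryption begins.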
USB flash drive as a recovery key protector
If you want to use a USB flash drive as a recovery key protector, use the following command:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -StartupKeyProtector -StartupKeyPath "E:" -UsedSpaceOnly -SkipHardwareTest
This command establishes the startup key (USB) as a key protector and specifies the path of a flash drive to store the BitLocker encryption key. The encryption key is stored with the .BEK file extension as a hidden system file, so you need to use the Get-ChildItem cmdlet with the -Force parameter, as shown in the screenshot:
If you choose this option, you need to enable USB drives in the BIOS (or UEFI) settings and insert the USB every time the computer starts up. If you remove the USB drive, you will be prompted to insert it again. Even though this sounds secure, having only one key protector is risky and might render your system unusable if the USB flash drive is corrupt. Therefore, it is highly recommended to add an additional key protector, such as a password or a PIN. I will cover this in the next section.
Manage key protectors
As mentioned earlier, you will be able to define only one combination of key protectors with the Enable-BitLocker cmdlet. The Add-BitLockerKeyProtector cmdlet lets you add more key protectors to a BitLocker-encrypted volume.
Add a key protector
In the previous section, we used a startup key as the only key protector. Now, let's add a password as an additional protector using the following command:
$Password = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -PasswordProtector -Password $Password
If you want to add a recovery key file as an additional key protector to an encrypted volume, use the following command:
Add-BitLockerKeyProtector -MountPoint "C" -RecoveryKeyProtector -RecoveryKeyPath "D:\"
The -RecoveryKeyPath parameter is used to specify a directory in which a randomly generated recovery key is stored. An external recovery key is now added as an additional key protector along with TPM + PIN.
Remove a key protector
To remove a key protector from a volume, you need to use the Remove-BitLockerKeyProtector cmdlet. To remove a key protector, you first have to determine its key protector ID. To do that, save the specific BitLocker volume in a variable and then call the KeyProtector property as follows:
$BVol = Get-BitLockerVolume -MountPoint "C"
$BVol.KeyProtector
Once you have the ID, specify it to remove the key protector, as shown in the following command:
Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId "{D5417E7D-CE03-40FB-A83C-7B7D3A190C3F}"
Alternatively, you could use the array index of the key protector to remove it, as shown in the following command:
Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[1].KeyProtectorId
Key protectors are stored as an array in the BitLocker volume object. By using the array index $BVol.KeyProtector[1], we can remove the appropriate key protector. Again, make sure you use the $BVol.KeyProtector command to find the key protector you want to remove.
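Selecting the protector by array index is fragile, because the order of $BVol.KeyProtector changes as protectors are added and removed. As an added example (not from the original post), the function below removes protectors by their KeyProtectorType instead and refuses to strip the last protector from the volume; the function name and the guard are mine.

```powershell
# Added example: remove BitLocker key protectors by type, never leaving a volume unprotected.
function Remove-BitLockerProtectorByType {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        # Values of the KeyProtectorType enum, e.g. 'Password', 'ExternalKey', 'RecoveryPassword'
        [Parameter(Mandatory)] [string] $Type
    )

    $Vol     = Get-BitLockerVolume -MountPoint $MountPoint
    $Targets = @($Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq $Type })

    if ($Targets.Count -eq 0) {
        Write-Warning "No $Type protector found on $MountPoint."
        return
    }

    # Guard: at least one protector must remain, otherwise nothing can unlock the VMK.
    if (($Vol.KeyProtector.Count - $Targets.Count) -lt 1) {
        throw "Refusing to remove the last key protector from $MountPoint."
    }

    foreach ($Kp in $Targets) {
        # KeyProtectorId is the braced GUID string that $Vol.KeyProtector displays.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Kp.KeyProtectorId | Out-Null
        Write-Host "Removed $($Kp.KeyProtectorType) protector $($Kp.KeyProtectorId) from $MountPoint."
    }
}

# Inventory first: type and ID of every protector, which is exactly what the text tells you to check.
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId

# Drop the password protector added earlier, but only if another protector still remains.
Remove-BitLockerProtectorByType -MountPoint "C:" -Type Password
```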
In my next post, I will explain how you can unlock, suspend, resume, and disable BitLocker with PowerShell.
Hello Surender Kumar
Well, I'm in a peculiar situation. I need to enable BitLocker automatically and without user interaction for computers that do not have a TPM, and I used this blog as a source.
First I had to create a policy of Configuration Profiles > Templates > Administrative Templates > Computer Configuration > Windows Components > BitLocker Drive Encryption > Operating System Drives and enabled the option “Require additional authentication at startup” and checked the checkbox “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” to allow the computer to accept activating bitlocker on a computer without a TPM, then I created the script below:
$Pin = ConvertTo-SecureString "123456789" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TpmAndPinProtector -UsedSpaceOnly
However, on Windows 11 the error "Enable-BitLocker : An external key or password protector is required to enable BitLocker on an operating system volume without a valid TPM." appears when I try to run it in PowerShell.
Do you have another idea on how to solve this problem or have you already encountered a scenario like this?
Hi Alexander, you mentioned your PCs do not have TPM, so you need to change your script to the following:
Let me know how it goes for you.
Currently you’re trying to use TPM and PIN protectors that aren’t supported on your PCs. Without TPM, your options are only limited to a password or an external key.
Hello Surender Kumar.
I was wondering if you can give me some advice or point me to the correct search material.
I cannot seem to figure out how to get TPM to trigger a PIN request on boot.
All machines in our company are part of AD.
I use NinjaRMM to execute PowerShell scripts remotely.
Checkpoint Endpoint Security to trigger BitLocker encryption process on deployment.
Unfortunately, I was recently tasked with helping my boss to let go of one of our employees next week.
The issue I got stuck with is that he is a developer and remote. The only way I found that I can/should lock him out of the machine is by sending a PowerShell script to enable the PIN request on boot, then just restart the machine.
I am not that good with PowerShell and BitLocker TPM process.
I can not seem to figure out how to trigger it.
Setting the Pin by open
Any help would be greatly appreciated.
Thank you.
Hi, can you please explain how to enable BitLocker without using a PIN, only enable protection and save the recovery key to AD?
You at least need to use a TPM protector for enabling BitLocker. If your PC doesn’t have TPM hardware, you can enable a group policy named “Require additional authentication at startup” and enable the checkbox that says “Allow BitLocker without a compatible TPM”. Either way, a TPM, external key, or password is needed for enabling BitLocker.
You cannot directly save the recovery keys in AD without enabling BitLocker.
Hi. I have remote laptops; BitLocker is enabled but without a PIN on startup. Recovery keys are saved in Intune. All devices have TPM. What we want to do is push a script to specific remote devices which will set a startup PIN on BitLocker, so when the user starts the device they are asked to enter the PIN, and we also want to rotate the recovery key. We want to do this for terminated remote employees. Is there any PowerShell script for this task? Thank you.
why don’t you do a remote wipe of the terminated mobile machines?
How is it possible to enable only TPM without a PIN? Which command?
This is the command:
You can read more about it here:
https://www.techtutsonline.com/enable-bitlocker-with-tpm-only/