BitLocker is a volume encryption technology that was first introduced in Windows Vista and Windows Server 2008. Like other Microsoft products, it also suffers from certain glitches, but many people around the globe rely on BitLocker Drive Encryption (BDE) to protect their data at rest.
By Surender Kumar

In this article, you will learn about the BitLocker PowerShell module and how to manage BitLocker using PowerShell. This article does not cover the basics, so I am assuming you already know the basics of BitLocker and PowerShell.

BitLocker PowerShell module

Launch an elevated PowerShell console to follow along with this guide. To view the various commands offered by the BitLocker module, run the following command:

Get-Command -Module BitLocker
View various commands offered by the BitLocker PS module

If the above command does not produce any output, you're probably running it on a Windows Server OS. Note that BitLocker is installed by default on client operating systems, such as Windows 10 and Windows 11. However, if you want to use BitLocker on a Windows Server, you need to manually enable it using the following PowerShell command:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
Install the BitLocker feature on Windows Server using PowerShell

This command installs BitLocker (including all subfeatures and management tools) and then restarts the server to complete the installation.

Get information about a BitLocker volume

To get information about the volumes (or drives) that BitLocker drive encryption can protect on your computer, use the following command:

Get-BitLockerVolume
Get a list of volumes that can be protected with BitLocker using PowerShell

By default, the cmdlet shows the most useful properties (VolumeStatus, EncryptionPercentage, KeyProtector, ProtectionStatus, and so on) in a tabular format. When used without any parameters, it displays all volumes. Keep an eye on ProtectionStatus: a volume can be FullyEncrypted and still show ProtectionStatus Off, which means BitLocker is suspended and the volume unlocks without any key protector. You can specify a particular volume using the -MountPoint parameter. For instance, to view the status of only the C: drive, use the following command:

Get-BitLockerVolume -MountPoint "C:"
Get the BitLocker status for a particular volume using PowerShell
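As an added example (not code from the original article), the following audit function builds on Get-BitLockerVolume and reports every volume together with the findings an administrator would act on: volumes that are unencrypted or suspended, encrypted volumes with no recovery password protector, operating system volumes that rely on a TPM-only protector, and volumes still using the older AES-CBC methods. It only reads state, so it is safe to run on any machine with the BitLocker module; which conditions count as findings is my choice, not Microsoft's.

```powershell
# Added example: inventory BitLocker-capable volumes and flag risky configurations.
# Read-only; requires an elevated console with the BitLocker module available.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType and EncryptionMethod are enums; compare them as strings.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $method = $vol.EncryptionMethod.ToString()
        $status = $vol.VolumeStatus.ToString()

        $findings = [System.Collections.Generic.List[string]]::new()

        if ($status -eq 'FullyDecrypted') {
            $findings.Add('not encrypted')
        }
        elseif ($vol.ProtectionStatus.ToString() -ne 'On') {
            # Encrypted but protection Off (e.g. after Suspend-BitLocker): the volume
            # master key is stored in the clear and the volume unlocks without a protector.
            $findings.Add('protection suspended')
        }

        if ($status -ne 'FullyDecrypted' -and $types -notcontains 'RecoveryPassword') {
            # Without a recovery password, a TPM reset or lost startup key means data loss.
            $findings.Add('no recovery password protector')
        }

        if ($vol.VolumeType.ToString() -eq 'OperatingSystem' -and $types -contains 'Tpm') {
            # TPM-only: the OS drive unlocks at boot without any user secret.
            $findings.Add('TPM-only protector (no PIN)')
        }

        if ($method -in @('Aes128', 'Aes256')) {
            $findings.Add('legacy AES-CBC method')
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $status
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $method
            Percent          = $vol.EncryptionPercentage
            Protectors       = ($types -join ', ')
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: a quick table, or filter to volumes that need attention.
Get-BitLockerAudit | Format-Table -AutoSize
Get-BitLockerAudit | Where-Object { $_.Findings } | Format-List
```

The function returns objects rather than formatted text, so the same call can feed a CSV export or a remoting job across many machines (for example via Invoke-Command) without changing the audit logic.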

Enable BitLocker

The Enable-BitLocker cmdlet turns on BitLocker drive encryption. Before using it, let's first look at its main inputs:

  1. Volume: Specify a drive letter with the -MountPoint parameter, or pipe in a volume object returned by Get-BitLockerVolume.
  2. Key protector: Specify a key protector, which is what protects the volume master key (VMK) stored on the disk. The VMK in turn encrypts the full volume encryption key (FVEK), which encrypts the raw data, so whoever can satisfy a key protector can read the volume. The following key protectors can be used:
    • Trusted Platform Module (TPM) only: If only the TPM is specified, BitLocker seals the key to the TPM chip, which releases it only when the measured boot path matches. No user secret is needed at startup, so the drive unlocks on its own whenever it boots in the machine with that TPM; this protects against the disk being moved to another computer, but anyone who can boot the machine reaches the Windows logon screen with the volume already unlocked. To use this key protector, use the -TpmProtector switch parameter. Note that a switch parameter doesn't require any value. To check whether your computer has a usable TPM, run the Get-Tpm command and look at the TpmPresent and TpmReady properties, as shown in the screenshot:
      Check TPM availability on the computer using PowerShell

    • TPM + PIN: When TPM and a PIN are specified, BitLocker requires both: the TPM measurements must match and the user must type the PIN before the key is released. Use the -TpmAndPinProtector switch parameter to establish this key protector and pass the PIN as a secure string with the -Pin parameter. You could use the ConvertTo-SecureString cmdlet to generate a secure string.

    • TPM + Startup Key (USB drive): BitLocker uses both TPM and a startup key (a removable USB flash drive containing an external key) as key protectors to protect the encryption key. Use the -TpmAndStartupKeyProtector switch parameter to define this key protector.
    • TPM + Startup Key + PIN: BitLocker uses TPM, a startup key, and a PIN as key protectors to protect the encryption key. To work with a combination of all these key protectors, use the -TpmAndPinAndStartupKeyProtector switch parameter.
    • Startup Key: BitLocker uses a removable USB storage drive to protect the encryption key. For this key protector, use the -StartupKeyProtector switch parameter and the -StartupKeyPath parameter to specify the path of the key.
    • Recovery Key: BitLocker uses a recovery key stored as a file to protect the encryption key. When you establish a startup key or a recovery key as a key protector, you must specify a path to store the key. To define this, use the -RecoveryKeyProtector switch along with the -RecoveryKeyPath parameter to specify a folder in which a randomly generated recovery key is stored.
    • Password: BitLocker uses a password to protect the encryption key. The -PasswordProtector switch specifies this key protector, and the -Password parameter passes a secure string.
    • Recovery Password: BitLocker uses a recovery password to protect the encryption key. To establish this key protector, use the -RecoveryPasswordProtector switch parameter. If you use this key protector without specifying a password, a random 48-digit recovery password will be generated automatically.
    • AD Account: BitLocker uses an Active Directory user or group (identified by its SID) to protect the encryption key. Use the -AdAccountOrGroupProtector switch together with the -AdAccountOrGroup parameter (Domain\User format). This SID-based protector is intended for data volumes, for example cluster shared volumes, rather than for the operating system volume.

    The Enable-BitLocker cmdlet lets you specify only one combination from the aforementioned key protectors. But you could use the Add-BitLockerKeyProtector cmdlet to add more key protectors later on.

  3. Encryption Method: By default, BitLocker uses XTS-AES-128 on operating system and fixed drives, but you can specify the encryption method using the -EncryptionMethod parameter, which accepts the values Aes128, Aes256 (both AES-CBC, kept for compatibility with older Windows versions and removable drives), XtsAes128, and XtsAes256.
  4. Used Space Only: By default, BitLocker encrypts every sector of the volume, including free space; this can be a time-consuming process for large volumes. To speed up the encryption process, you can use the -UsedSpaceOnly switch. Free space is left unencrypted, and new data is encrypted as it is written. This is fine for a freshly installed system, but on a disk that has already held data, remnants of deleted files in the free space remain readable in plaintext, so use full-volume encryption there.
  5. Hardware Encryption: By default, BitLocker uses software encryption but can defer to a self-encrypting drive (SED) with the -HardwareEncryption switch on supported disks. A Microsoft security advisory describes weaknesses in the firmware of certain SEDs, so Microsoft recommends using software-only encryption instead, and recent Windows versions default to software encryption even on SEDs.

There are other parameters supported by the Enable-BitLocker cmdlet, but covering everything is not possible in a single post. If you're interested in learning all the parameters, use the Get-Help Enable-BitLocker -Detailed command.

Now let's take a look at how to enable BitLocker encryption with a PowerShell command.

$Pin = ConvertTo-SecureString "205020" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TpmAndPinProtector -UsedSpaceOnly

The first command generates a secure string from a plain-text numeric PIN (a PIN must consist of digits and, by default, be 6 to 20 digits long), and the second command enables BitLocker on C: with TPM + PIN as the key protector. You will be prompted to restart the computer so that BitLocker can run a hardware test, which verifies that the TPM and the PIN prompt work at boot before any data is encrypted.

Enable BitLocker on an OS volume using PowerShell

You could use the -SkipHardwareTest parameter to skip the hardware test (encryption then starts immediately, without the restart), but this is not recommended for an operating system volume: if the PIN prompt or the TPM does not work at boot, you only find out once the volume is already encrypted and you need the recovery key. After the computer restarts, BitLocker will prompt you to type the PIN before Windows starts.

BitLocker requires a PIN to start Windows

After login, the encryption process starts automatically. You can view the progress using the Get-BitLockerVolume command, as shown below:

Get BitLocker encryption status for a volume using PowerShell

The VolumeStatus and EncryptionPercentage columns show the current encryption progress.
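The two-line command above leaves the OS volume with a single protector, so a TPM reset, a firmware update that changes the boot measurements, or a forgotten PIN locks you out for good. As an added example (not code from the original article), the following function wraps the same Enable-BitLocker call in the checks a practitioner would want: it confirms the TPM is ready, adds a recovery password before the first reboot, escrows the 48-digit password to a file off the machine, and backs it up to Active Directory when the computer is domain-joined. The escrow path and the PIN are placeholders you supply; it assumes Windows 10/11 with a ready TPM and an elevated console.

```powershell
# Added example: TPM+PIN on the OS volume plus a recovery password that is
# escrowed before the reboot. Not part of the original article.
function Enable-OsVolumeBitLocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][securestring]$Pin,   # digits only; 6-20 by default
        [Parameter(Mandatory)][string]$EscrowPath,  # assumed: an access-controlled share
        [string]$MountPoint = $env:SystemDrive      # usually "C:"
    )

    # 1. Pre-flight: a TPM+PIN protector needs a present and ready TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not usable (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))."
    }

    # 2. Enable with TPM+PIN as the boot-time protector, unless already done.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # -UsedSpaceOnly is quick on a fresh install; on a disk that has held data,
        # previously deleted files in free space stay readable in plaintext.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly | Out-Null
    }
    else {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); keeping existing protectors."
    }

    # 3. Add a recovery password now, before the reboot and the hardware test.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
           Select-Object -First 1
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
               Select-Object -First 1
    }

    # 4. Escrow the 48-digit password so the machine is never the only copy.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        KeyProtectorId   = $rp.KeyProtectorId
        RecoveryPassword = $rp.RecoveryPassword
        Recorded         = (Get-Date).ToString('o')
    } | Export-Csv -Path $EscrowPath -Append -NoTypeInformation

    # On a domain-joined machine whose AD schema stores BitLocker recovery info,
    # also write it to the computer object (Azure AD: BackupToAAD-BitLockerKeyProtector).
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # Return what an operator needs without echoing the password to the console.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
            @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage: read the PIN without echoing it, run, then reboot for the hardware test.
$pin = Read-Host -AsSecureString -Prompt 'BitLocker PIN (digits only)'
Enable-OsVolumeBitLocker -Pin $pin -EscrowPath '\\fileserver\bitlocker-escrow\recovery.csv'
# Restart-Computer   # encryption starts after the hardware test and logon
```

Reading the PIN with Read-Host -AsSecureString avoids leaving it in the console history the way a ConvertTo-SecureString literal does. The CSV escrow is a stand-in for whatever your organization uses (AD, Azure AD, or an MDM); the point is that the recovery password exists and is stored elsewhere before the first PIN prompt ever appears.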

USB flash drive as a startup key protector

If you want to use a USB flash drive holding a startup key as the key protector, use the following command:

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -StartupKeyProtector -StartupKeyPath "E:" -UsedSpaceOnly -SkipHardwareTest

This command establishes a startup key (an external key stored on the USB drive) as the key protector and specifies the drive on which to store it. The external key is written to a .BEK file as a hidden system file, so you need to use the Get-ChildItem cmdlet with the -Force parameter to see it, as shown in the screenshot:

Use a USB flash drive as a BitLocker key protector and view the startup key file using PowerShell

If you choose this option, you need to make sure the firmware can read USB drives at boot in the BIOS (or UEFI) settings, and you must insert the USB drive every time the computer starts up. If you remove the USB drive, you will be prompted to insert it again. Even though this sounds secure, a single key protector is risky: anyone holding the USB drive can unlock the volume, and a lost or corrupted drive renders your system unusable. Therefore, it is highly recommended to add an additional key protector, such as a password or a PIN, plus a recovery password. I will cover this in the next section.

Manage key protectors

As mentioned earlier, you will be able to define only one combination of key protectors with the Enable-BitLocker cmdlet. The Add-BitLockerKeyProtector cmdlet lets you add more key protectors to a BitLocker-encrypted volume.

Add a key protector

In the previous section, we used a startup key as the only key protector. Now, let's add a password as an additional protector using the following command. The password is a separate secret that can unlock the volume on its own, so it must be as strong as the data deserves; if the command is rejected on an operating system volume, check the "Require additional authentication at startup" Group Policy setting, which controls whether non-TPM protectors are allowed on the OS drive:

$Password = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -PasswordProtector -Password $Password
Add a password as an additional key protector to a BitLocker encrypted volume using PowerShell

If you want to add a recovery key file as an additional key protector to an encrypted volume, use the following command:

Add-BitLockerKeyProtector -MountPoint "C" -RecoveryKeyProtector -RecoveryKeyPath "D:\"
Add a recovery key as an additional key protector to a BitLocker encrypted volume using PowerShell

The -RecoveryKeyPath parameter specifies a directory in which a randomly generated recovery key (.BEK file) is stored. An external recovery key is now an additional key protector alongside the existing ones (in the screenshot, TPM + PIN from the first example). Treat that file like the data itself: anyone who obtains it can unlock the volume.

Remove a key protector

To remove a key protector from a volume, you need to use the Remove-BitLockerKeyProtector cmdlet. To remove a key protector, you first have to determine its key protector ID. To do that, save the specific BitLocker volume in a variable and then call the KeyProtector property as follows:

$BVol = Get-BitLockerVolume -MountPoint "C"
$BVol.KeyProtector
Get the key protector ID for a volume using PowerShell

Once you have the ID, specify it to remove the key protector, as shown in the following command:

Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId "{D5417E7D-CE03-40FB-A83C-7B7D3A190C3F}"

Alternatively, you could use the array index of the key protector to remove it, as shown in the following command:

Remove-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[1].KeyProtectorId
Remove the BitLocker key protector from a volume using PowerShell

Key protectors are stored as an array in the BitLocker volume object, so $BVol.KeyProtector[1] addresses the second protector and we pass its KeyProtectorId to the cmdlet. The array order is not guaranteed to be stable across volumes or after protectors are added, so always run $BVol.KeyProtector first and confirm the KeyProtectorType of the entry you are about to remove. Before removing the protector you rely on at boot (TPM + PIN or a startup key), make sure at least one other protector you can actually satisfy remains, and that the recovery password has been backed up; otherwise the next restart ends in a recovery prompt you cannot answer.
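Copying a GUID from the screen or trusting an array index is error-prone. As an added example (not code from the original article), the following two helpers list a volume's protectors with their index and type, and remove protectors by type while refusing to strip the last one. The Remove function asks for confirmation because it changes what can unlock the volume; the set of protector types it accepts is the one this article covers, so the AD account protector is left out.

```powershell
# Added example: inspect and remove BitLocker key protectors by type.
# Not part of the original article; requires an elevated console.
function Show-BitLockerProtectors {
    param([string]$MountPoint = $env:SystemDrive)
    $i = 0
    foreach ($kp in (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector) {
        [pscustomobject]@{
            Index   = $i++
            Type    = $kp.KeyProtectorType
            Id      = $kp.KeyProtectorId
            KeyFile = $kp.KeyFileName   # populated for ExternalKey (.BEK) protectors
        }
    }
}

function Remove-BitLockerProtectorByType {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)]
        [ValidateSet('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey',
                     'ExternalKey', 'RecoveryPassword', 'Password')]
        [string]$Type
    )

    $all       = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector)
    $targets   = @($all | Where-Object { $_.KeyProtectorType -eq $Type })
    $remaining = @($all | Where-Object { $_.KeyProtectorType -ne $Type })

    if ($targets.Count -eq 0) {
        throw "No $Type protector on $MountPoint."
    }
    if ($remaining.Count -eq 0) {
        # Never leave an encrypted volume with nothing that can unlock it.
        throw "Refusing to remove the only protector on $MountPoint; add another one first."
    }
    if ($Type -eq 'RecoveryPassword') {
        Write-Warning "Removing the recovery password leaves $MountPoint without a last-resort unlock path."
    }

    foreach ($kp in $targets) {
        if ($PSCmdlet.ShouldProcess("$MountPoint protector $($kp.KeyProtectorId)", "Remove $Type protector")) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    # Show what is left so the operator can verify before rebooting.
    Show-BitLockerProtectors -MountPoint $MountPoint
}

# Usage: inspect first, then drop the password protector added earlier, keeping the rest.
Show-BitLockerProtectors -MountPoint 'C:'
Remove-BitLockerProtectorByType -MountPoint 'C:' -Type Password
```

Because the function resolves protectors by type at run time, the same call works on every machine in a fleet regardless of the GUIDs involved, and the confirmation prompt can be suppressed with -Confirm:$false once the change has been tested.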


In my next post, I will explain how you can unlock, suspend, resume, and disable BitLocker with PowerShell.

© 4sysops 2006 - 2022