- Dacpac and Bacpac in SQL Server - Tue, May 30 2023
- Proxmox Backup Server: Install and configure - Fri, May 19 2023
- Using Docker with NAS and NFS - Mon, May 15 2023
Manage BitLocker auto unlock with PowerShell
When you have multiple data drives attached to your computer that are encrypted using BitLocker, you might want to unlock them automatically once the OS drive is decrypted using TPM, PIN, or a startup key. The auto-unlock feature works only with data drives.
Enable auto unlock
To enable auto-unlock for a particular volume, use the following command:
Enable-BitLockerAutoUnlock -MountPoint "D:"
Enable auto unlock for a BitLocker encrypted data volume using PowerShell
To enable auto-unlock for all data drives at once, use the following command:
Get-BitLockerVolume | ? {$_.VolumeType -eq 'Data'} | Enable-BitLockerAutoUnlock
Enable auto unlock for all BitLocker encrypted data volumes using PowerShell
This command gets all the data volumes on the computer and passes them to the Enable-BitLockerAutoUnlock cmdlet to enable auto-unlock. Remember, auto-unlock does not work with operating system volumes.
Disable auto-unlock
To disable auto-unlock for a specific volume, use the Disable-BitLockerAutoUnlock cmdlet, as shown below:
Disable-BitLockerAutoUnlock -MountPoint "F:"
Disable BitLocker auto unlock for a particular volume using PowerShell
To disable auto-unlock on all data drives at once, use the Clear-BitLockerAutoUnlock cmdlet, which doesn't require any additional parameters.
Disable BitLocker auto unlock for all data volumes at once using PowerShell
Backup key protectors
If your computer belongs to an Active Directory domain, you could use the Backup-BitLockerKeyProtector cmdlet to save the recovery password key protector to Active Directory. Once again, you need to specify the key protector using its ID.
$BVol = Get-BitLockerVolume -MountPoint "C" Backup-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId $BVol.KeyProtector[2].KeyProtectorId
Save the recovery password key protector to Active Directory using PowerShell
Make sure you supply the right array index for the recovery password key protector; otherwise, you will get an error. To learn how to use BitLocker in the Active Directory domain environment in detail, read the series of posts written by Kyle Beckman.
Manually lock and unlock encrypted drives
If you do not want to enable auto-unlock for data drives, the BitLocker PS module offers the Lock-BitLocker and Unlock-BitLocker cmdlets. These cmdlets let you control access to encrypted volumes manually on demand.
To manually lock a data volume, use the following command:
Lock-BitLocker -MountPoint "D:"
Manually lock a BitLocker volume using PowerShell
You will receive an error if the drive is currently in use. In this case, you could use the -ForceDismount parameter to override. Use this option only when necessary, as it could result in data loss. It is a good idea to gracefully close all apps and files before using the Lock-BitLocker command.
To unlock the encrypted data volume, use the following command:
Unlock-BitLocker -MountPoint "D:" -RecoveryKeyPath "E:\2D64E750-ED79-425A-A084-2CCE6B2F8CC6.BEK"
Manually unlock a BitLocker volume using PowerShell
You need to specify the right key protector using a switch parameter to unlock the drive. To unlock the drive using a password, make sure you generate a secure string with the help of the ConvertTo-SecureString cmdlet.
Suspend/Resume BitLocker protection
During a system or firmware upgrade, you might want to temporarily suspend BitLocker protection. Note that suspending BitLocker doesn't mean the data is no longer encrypted. Data is still encrypted, but BitLocker will make the decryption key available to everyone. The Suspend-BitLocker cmdlet is used to suspend BitLocker protection on a specific drive.
By default, BitLocker suspension resumes automatically when the computer is restarted, but you could use the -RebootCount parameter to specify the number of reboots when BitLocker protection resumes.
Suspend-BitLocker -MountPoint "C" -RebootCount 2
Suspend BitLocker protection on a volume using PowerShell
To make the BitLocker suspension indefinite until you manually resume it, set the value of the -RebootCount parameter to 0. File Explorer displays a warning on a volume with suspended BitLocker protection.
File Explorer showing a suspended BitLocker volume
To resume the protection manually, use the following command:
Resume-BitLocker -MountPoint "C"
Resume BitLocker protection on a volume using PowerShell
To resume protection on all drives, use the Get-BitLockerVolume | Resume-BitLocker command.
Disable BitLocker
To permanently decrypt a volume and disable BitLocker protection on it, use the Disable-BitLocker cmdlet as shown below:
Disable-BitLocker -MountPoint "D:"
Disable BitLocker protection and decrypt a volume using PowerShell
Note that if you're decrypting an operating system drive containing auto-unlocking keys, you need to use Clear-BitLockerAutoUnlock first. To disable BitLocker and decrypt all the volumes on a computer, use the following commands:
Subscribe to 4sysops newsletter!
Clear-BitLockerAutoUnlock Get-BitLockerVolume | Disable-BitLocker
Disable BitLocker and decrypt all volumes using PowerShell
This post was all about the BitLocker PowerShell module. In the next post, I will cover how to fix various errors that you might encounter while working with the BitLocker module.
