Encrypting Disks with BitLocker in PowerShell

When I need to turn on BitLocker on either a system drive or an external USB drive, I usually just right-click the drive, choose Turn on BitLocker, and then follow the wizard. It works pretty well and does what I need. What I didn’t know is that there are a lot more options you can choose from when you do so using PowerShell.

For example, there is more than just one encryption method you can use. With -EncryptionMethod, you can specify one of 4 methods to encrypt your drive: Aes128, Aes256, XtsAes128, or XtsAes256.

Enable-BitLocker -MountPoint "c:" -EncryptionMethod Aes256 -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector

You can also enable BitLocker with a specified AD user account so that when a user accesses the encrypted drive, they will get prompted for credentials for that account.

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128 -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector

Have you ever wondered what is wrong with a BitLocker drive that shows a warning sign?

Get-BitLockerVolume tells you everything.

Aha…it’s because the Protection is off. Let’s Resume-BitLocker it.

What’s my encrypted system drive’s recovery password?

(Get-bitlockervolume -MountPoint "C:").KeyProtector

Can I save it to Active Directory so I don’t have to keep the file? Sure thing.

Backup-BitLockerKeyProtector -MountPoint "C" -KeyProtectorId (Get-bitlockervolume -MountPoint "C:").KeyProtector[1].KeyProtectorId

But whoops, it says “Group Policy does not permit the storage of recovery information to Active Directory”. What to do?

There are two policies you will need to change here. Edit the GPO that applies to the machine, and go to the following location.

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption

And enable the policy called Store BitLocker Recovery information in Active Directory Domain Services

Then go to whichever of the following sub-folders of BitLocker Drive Encryption matches the type of drive you are protecting.

  • Fixed Data Drives
  • Operating System Drives
  • Removable Data Drives

And enable the policy called Choose how BitLocker-protected operating system drives can be recovered (in the fixed and removable drive folders the policy is named for that drive type instead), making sure the Save BitLocker recovery information to AD DS option inside it is ticked.

If it still doesn’t work, you may have to install the BitLocker management tools on the AD server.

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
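As an added example (not code from the original post), here is a script that ties the check, resume and back-up-to-AD steps above together in one pass over every volume, selecting the recovery password protector by type instead of by the [1] index. It assumes an elevated PowerShell session on a domain-joined Windows machine with the BitLocker module available; the function name Invoke-BitLockerAudit is my own.

```powershell
# Added example, not from the original post: audit every BitLocker volume,
# resume suspended protection, and escrow each recovery password to AD DS.
# Assumes an elevated session on a domain-joined machine.
#Requires -RunAsAdministrator

function Invoke-BitLockerAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint
        Write-Host ("{0} {1,-20} {2,-10} protection={3}" -f $mp, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus)

        # Nothing to escrow on a volume that is not encrypted.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        # Protection Off on an encrypted volume is the "warning sign" case:
        # the volume key is stored in the clear until protection resumes.
        if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
            if ($PSCmdlet.ShouldProcess($mp, 'Resume-BitLocker')) {
                Resume-BitLocker -MountPoint $mp | Out-Null
            }
        }

        # Pick recovery passwords by type; the position in KeyProtector is
        # not stable from one machine to the next.
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            Write-Warning "$mp has no recovery password protector (add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector)"
            continue
        }

        foreach ($kp in $recovery) {
            if ($PSCmdlet.ShouldProcess($mp, "Backup protector $($kp.KeyProtectorId) to AD DS")) {
                try {
                    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                    Write-Host "  escrowed $($kp.KeyProtectorId)"
                } catch {
                    # The "Group Policy does not permit..." error lands here; fix the GPO and rerun.
                    Write-Warning "  $mp : $($_.Exception.Message)"
                }
            }
        }
    }
}

Invoke-BitLockerAudit -WhatIf   # drop -WhatIf to actually resume and escrow
```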
