When attempting to enable Bitlocker on computers remotely, using an RMM tool, here are some PS commands that will assist in this process.
View the current status of Bitlocker on a machine.
manage-bde c: -status
Add a key protector so the machine can be encrypted. This is useful on some OEM machines that come with Bitlocker enabled, but no key can be retrieved from the machine.
manage-bde c: -protectors -add -rp
Backup the Bitlocker keys to Active Directory
manage-bde -protectors -adbackup c: -id “{3500023E-381E-449B-878B-0CD1067DCD79}”
Notice, the ID will be the unique ID shown from the manage-bde c: -protectors -add -rp command. You will need to add parenthesis before and after the brackets.
Lastly, if you need to require a user to login to the machine with a PIN, you can use the following command, in addition to those above:
manage-bde -protectors -add c: -TPMAndPIN
From there, you will enter the desired PIN and test by rebooting the machine.
PowerShell Script
$Pin = ConvertTo-SecureString “205020” -AsPlainText -Force
Enable-BitLocker -MountPoint “C:” -EncryptionMethod Aes256 -Pin $Pin -TPMandPinProtector -UsedSpaceOnly
*Posts on this site may contain affiliated links*