Manage Bitlocker with PowerShell / Command Prompt

When you need to enable BitLocker on computers remotely through an RMM tool, the following commands will help with the process.

View the current status of BitLocker on a machine:
manage-bde c: -status

Add a recovery password key protector so the machine can be encrypted. This is useful on some OEM machines that ship with BitLocker enabled but have no recovery key that can be retrieved from the machine:
manage-bde c: -protectors -add -rp

Back up the BitLocker recovery key to Active Directory:
manage-bde -protectors -adbackup c: -id "{3500023E-381E-449B-878B-0CD1067DCD79}"

Note that the ID is the unique protector ID shown by the manage-bde c: -protectors -add -rp command. Wrap the braced ID in quotation marks, as shown above.

Lastly, if you need to require a user to log in to the machine with a PIN, you can use the following command in addition to those above:
manage-bde -protectors -add c: -TPMAndPIN

From there, you will enter the desired PIN and test by rebooting the machine.
PowerShell Script

$Pin = ConvertTo-SecureString "205020" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TPMandPinProtector -UsedSpaceOnly
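The manage-bde steps above and the two-line script, combined into one run that could be pushed from an RMM, as an added example that is not the post's own code. It assumes an elevated session (for example SYSTEM via the RMM agent), a ready TPM and a domain-joined machine; $MountPoint and $PinPlainText are placeholder parameters, and the PIN value is only the same placeholder the post uses.

```powershell
# Added example, not from the original post: the manage-bde steps and the PowerShell
# script above, combined into one RMM-friendly run using the BitLocker module.
# Assumes an elevated session (e.g. SYSTEM via the RMM agent), a ready TPM and a
# domain-joined machine. $PinPlainText is a placeholder; pass the real PIN in from the RMM.
param(
    [string]$MountPoint   = 'C:',
    [string]$PinPlainText = '205020'
)
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

# 1. Same information as "manage-bde c: -status": record the state before changing anything.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Before: VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus)"

# 2. A TPM+PIN protector cannot be added without a ready TPM, so fail early and visibly.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready; aborting.' }

# 3. Same as "manage-bde c: -protectors -add -rp": ensure a recovery password protector exists.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Same as "manage-bde -protectors -adbackup c: -id {GUID}": escrow every recovery password
#    by its KeyProtectorId. The property already carries the braces, so no manual quoting.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Escrowed recovery protector $($p.KeyProtectorId) to AD DS"
}

# 5. Only now turn on encryption with TPM+PIN (the Enable-BitLocker line above), or, on a
#    drive that is already encrypted, add the TPM+PIN protector ("-protectors -add c: -TPMAndPIN").
#    Reboot afterwards to complete the hardware test, as described above.
$pin = ConvertTo-SecureString $PinPlainText -AsPlainText -Force
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -Pin $pin `
        -TpmAndPinProtector -UsedSpaceOnly | Out-Null
} elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $pin -TpmAndPinProtector | Out-Null
}

# 6. Final state for the RMM job log; confirm ProtectionStatus is On and TpmPin is listed.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{n='Protectors'; e={ $_.KeyProtector.KeyProtectorType -join ',' }}
```

Escrowing the recovery password before enabling TPM+PIN matters because a mistyped or forgotten PIN otherwise leaves no way back into the drive except that key.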
