Enable BitLocker Encryption with PowerShell Script

This article provides a PowerShell script that can be used to enable BitLocker encryption on a Windows system.

Introduction

This script takes the hassle out of enabling BitLocker encryption on your Windows drives using PowerShell, making sure your data stays safe and meets security standards.

Prerequisites:

  • Windows 10 Pro, Enterprise, or Education editions (BitLocker is not available on Windows 10 Home).

  • TPM (Trusted Platform Module) version 1.2 or later.

  • Administrator privileges to execute the script.

  • Backup of the Recovery Key (if required).

# Enable BitLocker on a specific drive
$DriveLetter = "C:"
$RecoveryKeyPath = "C:\RecoveryKeys"

# Check if BitLocker is already enabled
$BitLockerStatus = Get-BitLockerVolume -MountPoint $DriveLetter
if ($BitLockerStatus.ProtectionStatus -eq "On") {
    Write-Output "BitLocker is already enabled on drive $DriveLetter."
    return
}

# Ensure the recovery key directory exists. Note that this path sits inside the
# volume being encrypted, so the key file is only readable once the drive is
# unlocked; keep a copy somewhere that does not depend on this drive.
if (!(Test-Path -Path $RecoveryKeyPath)) {
    New-Item -ItemType Directory -Path $RecoveryKeyPath | Out-Null
    Write-Output "Created recovery key directory at $RecoveryKeyPath."
}

# Enable BitLocker with a recovery key (external key file) protector.
# -RecoveryKeyProtector is mandatory whenever -RecoveryKeyPath is used.
Enable-BitLocker -MountPoint $DriveLetter -EncryptionMethod XtsAes256 -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath -UsedSpaceOnly

Write-Output "BitLocker encryption has been initiated on drive $DriveLetter. Recovery key is stored in $RecoveryKeyPath."

Breakdown

Let's break it down step by step:

  1. Set Drive Letter: This part of the script tells us which drive we want to encrypt, stored in the variable $DriveLetter.

  2. Recovery Key Path: Here, we define where we want to save the recovery key, using the variable $RecoveryKeyPath.

  3. Check BitLocker Status: We use the Get-BitLockerVolume command to check if encryption is already turned on for the drive.

  4. Create Recovery Key Directory: This step makes sure that the directory for the recovery key exists before we actually save it there.

  5. Enable BitLocker: Finally, we kick off the BitLocker encryption process with the Enable-BitLocker cmdlet, using XtsAes256 encryption, and we store the recovery key file in the path we specified earlier.

Use Cases

  • Enterprise Security: Making sure that all company-issued laptops and desktops are encrypted for safety.

  • Compliance: Adhering to data protection regulations like GDPR or HIPAA.

  • Incident Response: Protecting drives on systems that have been compromised or are considered high-risk.

Implications & Considerations

  • Security: Make sure the recovery key path is secure and not accessible to anyone who shouldn't have access.

  • Performance: Keep in mind that encryption might have a slight effect on system performance during the initial setup phase.

  • Compatibility: Check that the target systems are equipped with the necessary TPM version and that the BitLocker feature is enabled.

  • Data Backup: Always remember to back up important data before starting the encryption process to prevent any potential data loss.

Recommendations

  • Testing: Before rolling out the script on a larger scale, make sure to test it on a non-critical system first.

  • Recovery Key Management: It's best to use a secure central repository or Active Directory to manage your recovery keys.

  • Monitoring: Keep an eye on the encryption status regularly by using Get-BitLockerVolume.

  • Documentation: Make sure to maintain clear records of which systems have BitLocker enabled and where the recovery keys are stored.
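As an added example (not part of the original article) covering the Recovery Key Management and Monitoring recommendations above: it lists the encryption state of every BitLocker volume, then makes sure the OS volume has a numerical recovery password and escrows it to Active Directory. The cmdlets are from the built-in BitLocker module; `$OsDrive` and the output layout are this example's own choices, and AD escrow assumes a domain-joined machine with BitLocker recovery backup allowed by policy.

```powershell
# Added example, not from the original article. Requires elevation and the
# BitLocker module. $OsDrive and the report fields are this example's own
# assumptions; AD escrow assumes a domain-joined machine whose policy permits
# storing BitLocker recovery information in Active Directory.
$OsDrive = $env:SystemDrive   # e.g. "C:"

# 1. Monitoring: one line per volume with the fields an auditor cares about
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint   = $_.MountPoint
        VolumeStatus = $_.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        Percent      = $_.EncryptionPercentage
        Protection   = $_.ProtectionStatus     # "On" means the protectors are armed
        Method       = $_.EncryptionMethod
        Protectors   = ($_.KeyProtector.KeyProtectorType -join ",")
    }
} | Format-Table -AutoSize

# 2. Key management: the OS volume should carry a TPM protector for unattended
#    boot plus a RecoveryPassword protector that can be escrowed centrally.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    Write-Warning "$OsDrive is not encrypted; run Enable-BitLocker first."
    return
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "Tpm")) {
    Write-Warning "$OsDrive has no TPM protector; boot will require the external key or recovery password."
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    # Creates a 48-digit recovery password; escrow it right away rather than
    # relying on a file stored on the encrypted volume itself
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
}
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    # Escrow to AD DS (stored under the computer account). For Microsoft Entra
    # ID-joined devices use BackupToAAD-BitLockerKeyProtector instead.
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $kp.KeyProtectorId
    Write-Output "Escrowed recovery password $($kp.KeyProtectorId) for $OsDrive to AD DS."
}
```

Run the status section on a schedule to catch volumes stuck in EncryptionInProgress or with protection Off; the escrow section is idempotent and can be rerun after re-imaging.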

Deploy this script across your Endpoints with Zecurit

Upload this script to Zecurit's Script Repository and execute it across hundreds of endpoints in minutes. Support for PowerShell, Bash, Python, and more with full audit trails and scheduling.
