Enable BitLocker Encryption with PowerShell Script

This article provides a PowerShell script that can be used to enable BitLocker encryption on a Windows system.

Introduction

This script enables BitLocker on a Windows drive from PowerShell so that the data on it is encrypted at rest, a recovery key is written somewhere you control, and the machine can be shown to meet an encryption baseline without clicking through the Control Panel on every host.

Prerequisites:

  • Windows 10 or Windows 11 Pro, Enterprise, or Education (BitLocker is not available on the Home editions), with the BitLocker PowerShell module that ships with the feature.
  • TPM (Trusted Platform Module) version 1.2 or later. BitLocker can be enabled without a TPM, but only after the "Require additional authentication at startup" policy is set to allow BitLocker without a compatible TPM, and the machine then needs a startup key or PIN at every boot.
  • Administrator privileges (an elevated PowerShell session) to execute the script.
  • A location off the target drive for the recovery key: removable media, an administrator-only network share, or Active Directory / Entra ID escrow. A recovery key stored on the volume it unlocks is encrypted along with everything else and is useless for recovery.

# Enable BitLocker on a specific drive
$DriveLetter = "C:"
# The recovery key must NOT be stored on the volume being encrypted. Point this
# at removable media or an administrator-only network share instead.
$RecoveryKeyPath = "E:\RecoveryKeys"

# Check current state: skip if protection is already on, or if an encryption
# or decryption pass is still running (VolumeStatus is not FullyDecrypted)
$BitLockerStatus = Get-BitLockerVolume -MountPoint $DriveLetter
if ($BitLockerStatus.ProtectionStatus -eq "On" -or $BitLockerStatus.VolumeStatus -ne "FullyDecrypted") {
    Write-Output "BitLocker is already enabled or in progress on drive $DriveLetter (VolumeStatus: $($BitLockerStatus.VolumeStatus))."
    return
}

# Refuse to write the recovery key onto the drive that it unlocks
if ($RecoveryKeyPath -like "$DriveLetter*") {
    throw "Recovery key path $RecoveryKeyPath is on the volume being encrypted."
}

# Ensure the recovery key directory exists
if (!(Test-Path -Path $RecoveryKeyPath)) {
    New-Item -ItemType Directory -Path $RecoveryKeyPath | Out-Null
    Write-Output "Created recovery key directory at $RecoveryKeyPath."
}

# Register the external recovery key (.BEK file) as a protector, then enable
# BitLocker with the volume key sealed to the TPM so the machine boots unattended
Add-BitLockerKeyProtector -MountPoint $DriveLetter -RecoveryKeyPath $RecoveryKeyPath -RecoveryKeyProtector | Out-Null
Enable-BitLocker -MountPoint $DriveLetter -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly

Write-Output "BitLocker encryption has been initiated on drive $DriveLetter. Recovery key is stored in $RecoveryKeyPath."

Breakdown

Let's break it down step by step:

  1. Set Drive Letter: The variable $DriveLetter names the volume to encrypt. The TPM protector used later only applies to the operating system volume, so this script is written for C:.
  2. Recovery Key Path: $RecoveryKeyPath is where the external recovery key (a .BEK file) is saved. It must be on a different volume from the one being encrypted; the script checks this and throws if the path starts with the target drive letter.
  3. Check BitLocker Status: Get-BitLockerVolume returns the current state. The script stops if ProtectionStatus is already On, and also if VolumeStatus is anything other than FullyDecrypted, because calling Enable-BitLocker during an in-progress encryption or decryption pass fails.
  4. Create Recovery Key Directory: This step makes sure the directory for the recovery key exists before BitLocker writes the key file into it.
  5. Add Recovery Key Protector: Add-BitLockerKeyProtector with -RecoveryKeyProtector writes the external key to $RecoveryKeyPath and registers it as a key protector on the volume. Keep this file (or the USB stick it is on) off the machine; it unlocks the drive on its own.
  6. Enable BitLocker: Enable-BitLocker with -TpmProtector seals the volume key to the TPM so Windows boots without prompting, using XtsAes256 and -UsedSpaceOnly. On the OS volume, BitLocker schedules a hardware test and encryption starts after the next reboot. Without the TPM protector the external key file would be the only protector and would have to be present at every boot. Note that -UsedSpaceOnly leaves free space, including remnants of previously deleted files, unencrypted; for a drive that has already held sensitive data, drop that switch and encrypt the whole volume.

Use Cases

  • Enterprise Security: Making sure that all company-issued laptops and desktops are encrypted for safety.
  • Compliance: Adhering to data protection regulations like GDPR or HIPAA.
  • Incident Response: Protecting data at rest on high-risk devices, for example laptops likely to be lost, stolen, or seized. BitLocker only protects data at rest; it does nothing against an attacker who already has code running on the unlocked system, so it is not a remediation step for a compromised host.

Implications & Considerations

  • Security: The recovery key must never live on the volume it unlocks. Wherever it is stored, restrict the directory to SYSTEM and administrators, disable inherited permissions, and treat the key file as equivalent to the plaintext of the drive.
  • Performance: The initial encryption pass is I/O heavy and can take hours on a large, mostly full drive; steady-state overhead on CPUs with AES-NI is usually negligible.
  • Compatibility: Check that the target systems are equipped with the necessary TPM version and that the BitLocker feature is enabled.
  • Data Backup: Always remember to back up important data before starting the encryption process to prevent any potential data loss.
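The following function shows one way to lock down the recovery key directory as the Security bullet above recommends. It is an added example, not part of the original script: it disables ACL inheritance on the folder, replaces every explicit ACE with Full Control for SYSTEM and BUILTIN\Administrators only, and then re-reads the ACL to fail closed if any other principal still has access. The directory path and the choice of those two principals are assumptions for the example.

```powershell
# Added example (not from the original article): restrict a recovery key
# directory to SYSTEM and local Administrators, removing inherited ACEs.
# $Path is assumed to be an existing directory on media other than the
# encrypted volume (for example a USB stick or a network share).
function Protect-RecoveryKeyFolder {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Recovery key folder $Path does not exist."
    }

    $acl = Get-Acl -Path $Path

    # Stop inheriting ACEs from the parent and discard the inherited ones
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit ACE that is already present on the folder
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($ace in @($explicit)) { $null = $acl.RemoveAccessRule($ace) }

    # Grant Full Control to SYSTEM and BUILTIN\Administrators, inherited by
    # all files and subfolders (the .BEK file itself will pick this up)
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allowedSids = @(
        [System.Security.Principal.SecurityIdentifier]'S-1-5-18',     # NT AUTHORITY\SYSTEM
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
    )
    foreach ($sid in $allowedSids) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Verify: re-read the ACL and fail closed if any other principal has access
    $leaks = (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $allowedSids.Value -notcontains $sid
    }
    if ($leaks) {
        throw "Unexpected ACEs remain on $Path : $($leaks.IdentityReference -join ', ')"
    }
    return $true
}

# Usage (as an administrator, before Add-BitLockerKeyProtector writes the key):
# Protect-RecoveryKeyFolder -Path "E:\RecoveryKeys"
```

Run it before the key is written so the .BEK file inherits the restricted ACL; if the folder is on FAT-formatted removable media there is no ACL to set, and physical custody of the stick is the control instead.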

Recommendations

  • Testing: Before rolling out the script on a larger scale, make sure to test it on a non-critical system first.
  • Recovery Key Management: Escrow recovery information centrally rather than relying on files: Backup-BitLockerKeyProtector stores a recovery password protector in Active Directory (once the "Store BitLocker recovery information in AD DS" policy is in place), and BackupToAAD-BitLockerKeyProtector does the same for Entra ID. A numerical recovery password (48 digits) is easier to escrow and to read out over the phone than a .BEK file.
  • Monitoring: Keep an eye on the encryption status regularly by using Get-BitLockerVolume.
  • Documentation: Make sure to maintain clear records of which systems have BitLocker enabled and where the recovery keys are stored.
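Putting the Recovery Key Management, Monitoring, and Documentation recommendations together, the following function is an added example (not part of the original article) of a per-host compliance report built on Get-BitLockerVolume. For every volume it records status, encryption method, and the key protector types present, and marks an OS volume compliant only when it is fully encrypted with XtsAes256, protection is on, a TPM protector exists, and a numerical recovery password exists. With -Remediate it adds a missing recovery password and escrows every recovery password protector to AD DS. The -Remediate path assumes a domain-joined machine where the BitLocker recovery-information policy and schema are in place; everything else runs on any host with the BitLocker module.

```powershell
# Added example (not from the original article): audit every BitLocker volume
# on this host and optionally escrow recovery passwords to Active Directory.
# Assumes a domain-joined machine with the "Store BitLocker recovery
# information in AD DS" policy configured when -Remediate is used.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Add a recovery password if one is missing and back it up to AD DS
        [switch] $Remediate
    )
    foreach ($vol in Get-BitLockerVolume) {
        $types       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpm      = $types -contains 'Tpm'
        $hasRecovery = $types -contains 'RecoveryPassword'
        $isOs        = $vol.VolumeType -eq 'OperatingSystem'
        $encrypted   = $vol.VolumeStatus -ne 'FullyDecrypted'

        if ($Remediate -and $encrypted -and $isOs -and -not $hasRecovery) {
            # Generate a 48-digit recovery password and refresh the protector list
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
            $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            $hasRecovery = $true
        }
        if ($Remediate -and $encrypted -and $hasRecovery) {
            # Escrow each recovery password protector to the computer object in AD DS
            foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            PercentEncrypted = $vol.EncryptionPercentage
            KeyProtectors    = ($types -join ',')
            # Compliant: fully encrypted with XTS-AES 256, protection on, a recovery
            # password present, and (for the OS volume) sealed to the TPM
            Compliant        = ($vol.ProtectionStatus -eq 'On' -and
                                $vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $vol.EncryptionMethod -eq 'XtsAes256' -and
                                $hasRecovery -and (-not $isOs -or $hasTpm))
        }
    }
}

# Usage:
# Get-BitLockerComplianceReport | Format-Table -AutoSize
# Get-BitLockerComplianceReport -Remediate | Where-Object { -not $_.Compliant }
# Get-BitLockerComplianceReport | Export-Csv "\\share\bitlocker\$env:COMPUTERNAME.csv" -NoTypeInformation
```

Exporting the objects to CSV per host gives the inventory the Documentation bullet asks for without copying any key material; the recovery passwords themselves stay in AD DS (or Entra ID, if you swap Backup-BitLockerKeyProtector for BackupToAAD-BitLockerKeyProtector) and are never written to the report.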