detox1978 asked:
Enable BitLocker via Command Line

Hi All,

I recently joined a company that doesn't have any encryption enabled.

I'd like to enable BitLocker. Is there a way to do this via the command line, as I have remote CLI access to all PCs?

Ideally I'd like to run BitLocker encryption and save the Identifier and BitLocker Key somewhere (anywhere is fine).

Seth Simmons:

Is there a way to do this via the command line, as i have remote CLI access to all PCs.

sure...these are all of the options for doing it at the command line

manage-bde

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde 

Ideally I'd like to run bitlocker encryption and save the Identifier and Bitlocker Key somewhere (anywhere is fine)

you can save in AD

BitLocker and Active Directory Domain Services (AD DS) FAQ

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq
detox1978 (asker):

What would the command be to enable disk encryption and save the info to a text file locally?
https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html is my article which tells you how to securely handle this via scripts. There are several security considerations and I think I deal with all of them.
Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod Aes128 -RecoveryKeyPath "E:\RecoveryKey\" -RecoveryKeyProtector

I don't think that will work, since the GUI disallows local saving. Since all partitions should be encrypted, it's clear why: it's risky to lose all access. Never save locally.
Happy to save the file to a network path, I just don't know how to.

I can't use PowerShell as I don't have any method to deploy quickly. So it has to be a command line.

You can use Powershell. It's part of the OS. There's a GPO for saving recovery keys automatically to AD that should be used instead of saving the recovery password to a file. It's all in my article.
I was hoping to get the command to enable BitLocker.

I can enable and copy the key off at the same time. There are only 120 PCs, so I will just do it all remotely one after the other.
ASKER CERTIFIED SOLUTION
McKnife:
Connecting it up to AD is a little out of my comfort zone.

Does preboot authentication use TPM?
I don't believe you can save the file on any local disk in any case, although I haven't actually tried that through the command line. That E:\ drive assumes that you've mounted a remote share. You should be saving those keys on some master file server. I do know that if you enable BitLocker in the GUI, you can't save it to a local disk, so it's been my practice to save it to a master network share location.

As for the AD method, I don't fully trust it. I've seen cases where the keys aren't saved for some systems through some glitch or some other issues. Same with Azure. I always make a backup copy of the keys to a file. It never hurts to have multiple backup copies of the keys to your domain systems.

AD saving is super reliable since it has an option to check whether the key was saved and only then start encryption.

Sorry, 120 machines and no domain? That changes things.

Yes, save it to a network path anyway, not locally. Won't let you.

Preboot Auth uses TPM, yes. The PIN is only possible with an active TPM.
Password based preboot Auth is possible as well and needs no TPM but is not recommendable as it allows anyone who has the password to decrypt the drive, which is not the case if you would use a PIN.
AD saving is super reliable...

I've seen it not save. I'd rather trust having multiple ways to keep a backup copy of that key.
Thanks for your help so far. I've been using this command, which works very well.

manage-bde -on c: -s -used -rp

However I have come across a laptop that returned this message.

User generated image
Any ideas?

That's because the system has no TPM.
Ah, that makes sense.

I'll check the BIOS, as the same model has BitLocker switched on.

Is there a way to switch it on from within Windows?
Some manufacturers offer tools for that, but not all.
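As an added example (not code from anyone in this thread), the batch script below wraps the command the asker settled on, `manage-bde -on c: -s -used -rp`, with the two checks the discussion turned on: that the recovery information lands on a network share rather than a local disk, and that the machine actually has a TPM before encryption is attempted. The share `\\fileserver\bitlockerkeys$` is an assumed placeholder; a cmd script is used because the asker has command-line but not PowerShell deployment.

```batch
@echo off
rem Added example (not from the thread). Wraps the asker's working command
rem   manage-bde -on c: -s -used -rp
rem with a TPM check first and a copy of the recovery key ID and password
rem to a network share, since the GUI and the thread both say: never local.
rem ASSUMPTION: \\fileserver\bitlockerkeys$ is a placeholder path; the share
rem must be writable by the account running this and readable by admins only.
setlocal EnableExtensions
set "KEYSHARE=\\fileserver\bitlockerkeys$"
set "OUT=%KEYSHARE%\%COMPUTERNAME%.txt"

rem 1. Abort before touching the disk if the share is not reachable, so no
rem    recovery password is ever generated without an off-box copy.
if not exist "%KEYSHARE%\" (
    echo Key share %KEYSHARE% is not reachable - not encrypting.
    exit /b 1
)

rem 2. The thread's failing laptop had no TPM. Query Win32_Tpm via WMI and
rem    stop early with a clear message instead of letting manage-bde fail.
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue /value 2>nul | find /i "TRUE" >nul
if errorlevel 1 (
    echo No enabled TPM found - enable it in the BIOS/UEFI first.
    exit /b 2
)

rem 3. Enable BitLocker: -s skips the hardware test, -used encrypts used
rem    space only, -rp adds a numerical recovery password protector. With a
rem    TPM present manage-bde also adds the TPM protector for preboot auth.
manage-bde -on c: -s -used -rp
if errorlevel 1 (
    echo manage-bde -on failed on %COMPUTERNAME%.
    exit /b 3
)

rem 4. Record every protector (ID plus 48-digit recovery password) on the
rem    share under the machine name, then verify the file is non-empty.
manage-bde -protectors -get c: > "%OUT%"
for %%F in ("%OUT%") do if %%~zF EQU 0 (
    echo Protector export to %OUT% is empty - fix before trusting this key.
    exit /b 4
)
echo Encryption started on %COMPUTERNAME%; recovery info saved to %OUT%.
endlocal
```

Run it from an elevated command prompt on each PC; the exported file holds the recovery password in clear, so the share's ACL and auditing matter as much as the encryption itself.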