detox1978 (United Kingdom) asked on

Enable BitLocker via Command Line

Hi All,


I recently joined a company that doesn't have any encryption enabled.


I'd like to enable BitLocker. Is there a way to do this via the command line, as I have remote CLI access to all PCs.


Ideally I'd like to run bitlocker encryption and save the Identifier and Bitlocker Key somewhere (anywhere is fine)


Last comment: McKnife, 8/22/2022 - Mon
Seth Simmons

Is there a way to do this via the command line, as i have remote CLI access to all PCs.

sure...these are all of the options for doing it at the command line

manage-bde

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde 

Ideally I'd like to run bitlocker encryption and save the Identifier and Bitlocker Key somewhere (anywhere is fine)

you can save in AD

BitLocker and Active Directory Domain Services (AD DS) FAQ

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq
ASKER
detox1978

What would the command be to enable disk encryption and save the info to a text file locally?
McKnife

https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html is my article which tells you how to securely handle this via scripts. There are several security considerations and I think I deal with all of them.
serialband

Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod Aes128 -RecoveryKeyPath "E:\RecoveryKey\" -RecoveryKeyProtector



McKnife

I don't think that will work, since the GUI disallows local saving. Since all partitions should be encrypted, it's clear why: it's risky to lose all access. Never save locally.
ASKER
detox1978

Happy to save the file to a network path, I just don't know how to.

I can't use PowerShell as I don't have any method to deploy quickly. So it has to be a command line.


McKnife

You can use PowerShell. It's part of the OS. There's a GPO for saving recovery keys automatically to AD that should be used instead of saving the recovery password to a file. It's all in my article.
ASKER
detox1978

I was hoping to get the command to enable BitLocker.

I can enable and copy the key off at the same time. There's only 120 PCs, so I will just do it all remotely one after the other.
ASKER CERTIFIED SOLUTION
McKnife

ASKER
detox1978

Connecting it up to AD is a little out of my comfort zone.

Does preboot authentication use TPM?
serialband

I don't believe you can save the file on any local disk in any case, although I haven't actually tried that through the command line. That E:\ drive assumes that you've mounted a remote share. You should be saving those keys on some master file server. I do know that if you enable BitLocker in the GUI, you can't save it to a local disk, so it's been my practice to save it to a master network share location.

As for the AD method, I don't fully trust it.  I've seen cases where the keys aren't saved for some systems through some glitch or some other issues.  Same with Azure.  I always make a backup copy of the keys to a file.  It never hurts to have multiple backup copies of the keys to your domain systems.


McKnife

AD saving is super reliable since it has an option to check whether the key was saved and only then start encryption.

Sorry, 120 machines and no domain? That changes things.

Yes, save it to a network path anyway, not locally. Won't let you.

Preboot Auth uses TPM, yes. The PIN is only possible with an active TPM.
Password based preboot Auth is possible as well and needs no TPM but is not recommendable as it allows anyone who has the password to decrypt the drive, which is not the case if you would use a PIN.
serialband

AD saving is super reliable...

I've seen it not save.  I rather trust having multiple ways to keep a backup copy of that key.
ASKER
detox1978

Thanks for your help so far.  I've been using this command which works very well.

manage-bde -on c: -s -used -rp



However I have come across a laptop that returned this message.


Any ideas?

McKnife

That's because the system has no TPM.
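Pulling the thread's pieces together (the asker's manage-bde command, the advice to save recovery keys to a network share rather than locally, and the failure on a machine without a TPM), here is an added batch example; it is not from any post in this thread. The share path is a placeholder, the TPM check via wmic/Win32_Tpm is an assumed approach, and it must run as administrator.

```batch
@echo off
REM Added example, not from the thread. Enables BitLocker on C: with the same
REM manage-bde switches used above (-used, -rp, -s) and writes the recovery
REM password protector (numeric ID plus 48-digit password) to a per-machine
REM file on a network share, never to the local disk.
REM Assumptions: run elevated; KEYSHARE is a writable UNC path (placeholder),
REM with its ACL limited to the admins who may recover drives; wmic exists.
setlocal
set "KEYSHARE=\\fileserver\bitlockerkeys"
set "KEYFILE=%KEYSHARE%\%COMPUTERNAME%.txt"

REM 1. Check for an enabled TPM first; without one, manage-bde -on with the
REM    default TPM protector fails, which is the laptop case in the thread.
wmic /namespace:\\root\cimv2\Security\MicrosoftTpm path Win32_Tpm get IsEnabled_InitialValue /value 2>nul | findstr /i "IsEnabled_InitialValue=TRUE" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: no enabled TPM found, enable it in BIOS/UEFI first.
    exit /b 1
)

REM 2. Refuse to encrypt if the key store is unreachable: encrypting first and
REM    saving the key later is how recovery passwords get lost.
if not exist "%KEYSHARE%\" (
    echo %COMPUTERNAME%: key share %KEYSHARE% not reachable, not encrypting.
    exit /b 1
)

REM 3. Start encryption: used space only, add a recovery password protector,
REM    skip the hardware test so no reboot is required.
manage-bde -on C: -used -rp -s
if errorlevel 1 (
    echo %COMPUTERNAME%: manage-bde -on failed, see the message above.
    exit /b 1
)

REM 4. Save the recovery password protector (ID and password) to the share.
manage-bde -protectors -get C: -type RecoveryPassword > "%KEYFILE%"

REM 5. Verify the saved copy really contains a password before reporting
REM    success, so a silently empty file is caught while the drive is still open.
findstr /c:"Password:" "%KEYFILE%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: recovery password NOT saved to %KEYFILE%, check before rebooting.
    exit /b 1
)
echo %COMPUTERNAME%: encrypting, recovery password saved to %KEYFILE%.
endlocal
```

Run it once per machine over the remote CLI; the per-machine file name means the 120 results can be checked for gaps by listing the share afterwards.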
ASKER
detox1978

Ah that makes sense.

I'll check the BIOS as the same model has BitLocker switched on.

Is there a way to switch it on from within Windows? 
McKnife

Some manufacturers offer tools for that, but not all.