Managing BitLocker with PowerShell
Encrypting drives on Windows in user circles is still not as widespread as is prudent from a security perspective. Especially for mobile systems such as notebooks, hard drives should be secured with a transparent encryption solution such as BitLocker so that data is protected, even if a thief removes the hard drive and attempts to access it. System administrators should seriously consider taking advantage of the option to automate the setup and configuration of hard drive encryption.
This is where PowerShell comes into play. Microsoft provides command-line tools and matching cmdlets in the form of manage-bde and repair-bde. Both the PowerShell cmdlets and command-line commands let you handle all the tasks and settings that are supported through the control panel. Although the BitLocker setting is now linked in the new system settings in the pre-release version of Windows 11 and version 21H2 of Windows 10, it still takes you to the settings in the legacy Windows interface from the pre-Windows 10 era.
You are better advised to use the command line and PowerShell. We tested the examples in this article both with version 5.1, which is currently installed on Windows systems by default, and with the open source variant PowerShell 7 on Windows 10 and Windows Server 2019 computers. The BitLocker cmdlets and their options did not differ between these systems.
Adding Encryption
BitLocker is not available on the current Windows 10 Home version. The device encryption software is available by default on Windows 10 Professional or Enterprise but usually has to be enabled. Exceptions include, say, Surface devices by Microsoft – the same type of encryption is automatically enabled there.
The server versions of Windows also support the use of drive encryption. However, for the server operating systems, you need to install BitLocker as a feature in Server Manager or the new Windows Admin Center. Additionally, the option to unlock operating system volumes of client systems on domain networks automatically by means of network unlocking on reboot can then be added to the system as a feature.
Of course, you can add BitLocker to a Windows server with PowerShell, but first check to see whether BitLocker is already installed on the system with:
Get-WindowsFeature -Name Bitlocker
If the Install State column of the cmdlet output reports that the feature is installed, the software is ready to use. If, on the other hand, it says Available, the administrator has to install BitLocker (Figure 1), which can be done with the associated sub-features and tools by entering:
Install-WindowsFeature Bitlocker -IncludeAllSubFeature -IncludeManagementTools
After that, the cmdlet reports the Success status as True and explicitly points out that a restart of the operating system is now needed. You can initiate this with Restart-Computer directly in PowerShell.
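The check-then-install sequence just described, written as a script that only installs when the feature is merely Available and evaluates the result object instead of eyeballing the console. This is an added example, not code from the article; it assumes an elevated PowerShell session on a server edition, because Get-WindowsFeature and Install-WindowsFeature come from the ServerManager module that client editions do not ship.

```powershell
# Added example (not from the article): idempotent BitLocker feature install.
# Assumes: elevated session on Windows Server (ServerManager module present).

$feature = Get-WindowsFeature -Name BitLocker

if ($feature.InstallState -eq 'Installed') {
    Write-Host "BitLocker is already installed; nothing to do."
}
elseif ($feature.InstallState -eq 'Available') {
    $result = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

    # The result object carries Success, ExitCode and RestartNeeded (No / Yes / Maybe).
    if (-not $result.Success) {
        throw "Installing the BitLocker feature failed (exit code: $($result.ExitCode))."
    }

    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "A restart is required before the BitLocker module is usable."
        # Uncomment to reboot right away:
        # Restart-Computer -Force
    }
}
else {
    throw "Unexpected install state '$($feature.InstallState)' for the BitLocker feature."
}
```

Testing $result.Success rather than relying on the console text makes the script safe to run from a configuration pipeline, where nobody reads the output.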
Cmdlets
After the reboot, drive encryption is then available, as well as the corresponding PowerShell module with the cmdlets [1] for BitLocker management. Typing
Get-Command -Module BitLocker
shows you which special cmdlets are now available to you (Figure 2). If you want to find out about all the drives on your Windows system and their encryption status, call (with administrator privileges) Get-BitLockerVolume. The command lists all drives that are connected to the computer. To display only a specific drive, use the -MountPoint <drive> parameter:
Get-BitLockerVolume -MountPoint "E:"
The Protection Status, VolumeStatus, and AutoUnlock Enabled columns show important information about the current status of hard disks or partitions. If the drive is encrypted, Protection Status is set to On. VolumeStatus is even more precise and shows whether the disk or partition is already fully encrypted. The AutoUnlock Enabled column shows whether you have configured the disk for automatic drive unlocking. On a system that has a lot of drives, listing only those drives with full BitLocker encryption by querying the VolumeStatus property of the corresponding object can be handy:
Get-BitlockerVolume | Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' }
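Going one step beyond the single filter above, the following added example (not from the article) turns Get-BitLockerVolume into a small compliance report: a volume counts as compliant only when it is both fully encrypted and its protection is switched on, which catches the common case of an OS drive whose protectors were suspended for a firmware update and never resumed. It assumes an elevated session; property names are those of the BitLockerVolume object.

```powershell
# Added example (not from the article): per-volume BitLocker compliance report.
# Assumes: elevated session; BitLocker module present.

function Get-BitLockerComplianceReport {
    Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus      = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus  = $_.ProtectionStatus    # On or Off (Off also means "suspended")
            EncryptionMethod  = $_.EncryptionMethod
            AutoUnlockEnabled = $_.AutoUnlockEnabled
            # KeyProtector is a list; the types tell you how the volume can be unlocked.
            KeyProtectors     = ($_.KeyProtector.KeyProtectorType -join ', ')
            Compliant         = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize

# Surface only the problem cases, e.g. encryption still in progress or protection suspended.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0} ({1}) is not compliant: {2}, protection {3}" -f
        $_.MountPoint, $_.VolumeType, $_.VolumeStatus, $_.ProtectionStatus)
}
```

Because the function returns objects rather than text, the same report can be piped to Export-Csv or collected from many machines with Invoke-Command for fleet-wide checks.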
With the help of two cmdlets, Enable-BitLocker and Disable-BitLocker, you can then encrypt or decrypt a drive or a partition by specifying the desired drive again.
The command for encryption requires a few more parameters. In addition to the encryption method, which you specify with the -EncryptionMethod parameter, you must define the password you use to lock the drive (Figure 3).
Instead of a password, you can, among other things, use the -RecoveryKeyPath parameter to specify the path to a recovery key that is located elsewhere (e.g., on a USB stick). Although we used the -EncryptionMethod AES256 parameter for the encryption method, you can choose between AES256 and AES128 in your script. The -UsedSpaceOnly parameter additionally specifies that you only want to encrypt the space on the volume that is occupied by data. We simply passed the password to the $PassWd variable with the Read-Host cmdlet to demonstrate the use of Enable-BitLocker:
$PassWd = Read-Host -Prompt "Password, please?" -AsSecureString
Enable-BitLocker -MountPoint "E:" -EncryptionMethod AES256 -UsedSpaceOnly -Password $PassWd -PasswordProtector
After this call, the drive is encrypted but not yet "locked," which is accomplished with the help of the final command in Figure 3:
Lock-Bitlocker -MountPoint "E:"
Now, users who want to change to this drive need to enter the password in Explorer or use the Unlock-BitLocker cmdlet with the password. Again, the assumption is that you stored it in the $PassWd variable:
Unlock-BitLocker -MountPoint "E:" -Password $PassWd
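The enable, lock and unlock steps above as one complete script, extended with the piece a practitioner will want in production: a recovery password added as a second key protector and saved, so a forgotten password does not mean the data is gone. This is an added example and not the article's code; the drive letter E:, the export path and the wait loop are assumptions, and Add-BitLockerKeyProtector, Lock-BitLocker -ForceDismount and Unlock-BitLocker -RecoveryPassword are standard cmdlets of the BitLocker module.

```powershell
# Added example (not from the article): encrypt a data drive with a password
# protector, add and save a recovery password, then lock and unlock the drive.
# Assumes: elevated session; E: is an unencrypted data volume; path below is a placeholder.

$MountPoint   = "E:"
$RecoveryFile = "C:\BitLockerRecovery\E-recovery.txt"   # placeholder; keep the real copy off the device

# Read the password as a SecureString so it never appears in clear text in the history.
$PassWd = Read-Host -Prompt "Password for $MountPoint" -AsSecureString

# Encrypt only the used space with AES-256 and a password protector.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
    -Password $PassWd -PasswordProtector

# Add a 48-digit recovery password as an independent key protector and record it.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

New-Item -ItemType Directory -Path (Split-Path $RecoveryFile) -Force | Out-Null
@(
    "Volume:           $MountPoint"
    "KeyProtectorId:   $($rp.KeyProtectorId)"
    "RecoveryPassword: $($rp.RecoveryPassword)"
) | Set-Content -Path $RecoveryFile

# Wait for the conversion to finish before locking the volume.
while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'EncryptionInProgress') {
    Start-Sleep -Seconds 10
}

# Lock; -ForceDismount closes open handles instead of failing on them.
Lock-BitLocker -MountPoint $MountPoint -ForceDismount

# Unlock with the password again ...
Unlock-BitLocker -MountPoint $MountPoint -Password $PassWd

# ... or, if the password is lost, with the recovery password that was saved above:
# Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $rp.RecoveryPassword
```

On a domain-joined machine, Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId escrows the recovery password to Active Directory, which is a better home for it than a text file on the same disk.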
The Enable-BitLocker cmdlet in particular offers a large number of other parameters and options. Microsoft provides detailed documentation online [2], including a description of how to use a trusted platform module (TPM), among other things. With the help of the command
Get-Help Enable-BitLocker -Full
you can display a whole series of examples onscreen that show you how the various parameters come into play.
At the Command Line
Microsoft also offers the manage-bde command-line tool on its operating systems for scripting BitLocker calls. The tool offers a useful choice of options for rolling out and managing drive encryption. To use it, you will need administrator rights (i.e., a command prompt or a PowerShell window with elevated rights). The following call then shows the BitLocker status on the local system:
manage-bde -status
The output is quite detailed and not only shows you the conversion status (Is the entire hard drive encrypted or only the occupied space?) but also the encryption method and the type of key protector used. You can then immediately see whether the system is equipped with a TPM and whether it is used on the volume with the operating system. Calling
manage-bde -on <drive>
manage-bde -off <drive>
then lets you switch encryption on or off for the respective drive. For example, if you want to unlock a drive that is protected by BitLocker, run the following command with the recovery password (always 48 digits) in the following form:
manage-bde -unlock C: -RecoveryPassword 670499-444444-307582-555555-209561-145200-316107-999999
With the help of the -RecoveryKey <path> parameter, you can then also load a key that is stored on an external drive:
manage-bde -unlock F: -RecoveryKey T:\
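The manage-bde -unlock call above wrapped in a PowerShell function, as an added example that is not from the article: it validates the recovery password format before handing it to the tool and checks the exit code, so a mistyped digit fails with a clear message instead of a terse manage-bde error. The format rules (eight groups of six digits, each group divisible by 11 and below 720896) are BitLocker's own; the function name and the drive letter are assumptions, and the number in the usage comment is a placeholder, not a real recovery password.

```powershell
# Added example (not from the article): validated wrapper around manage-bde -unlock.
# Assumes: elevated session; manage-bde.exe on the PATH (it ships with Windows).

function Unlock-DriveWithRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $Drive,            # e.g. "F:"
        [Parameter(Mandatory)] [string] $RecoveryPassword  # 8 dash-separated groups of 6 digits
    )

    # Shape check: 48 digits in 8 groups of 6.
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "Recovery password must look like 123456-123456-...-123456 (48 digits)."
    }

    # BitLocker's built-in check: every group is a multiple of 11 and less than 720896.
    foreach ($group in $RecoveryPassword -split '-') {
        $value = [int]$group
        if (($value % 11) -ne 0 -or $value -ge 720896) {
            throw "Group '$group' fails BitLocker's check-digit rule; re-check the recovery password."
        }
    }

    & manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -unlock failed for $Drive with exit code $LASTEXITCODE."
    }

    # Show the resulting status, as described in the article.
    & manage-bde -status $Drive
}

# Usage (placeholder number, not a real recovery password):
# Unlock-DriveWithRecoveryPassword -Drive "F:" -RecoveryPassword "000000-000000-000000-000000-000000-000000-000000-000000"
```

Checking $LASTEXITCODE matters because a native executable's failure does not raise a PowerShell error by itself; without the check, a script would carry on as if the drive were unlocked.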
According to the documentation, manage-bde also offers the option to read and configure the TPM module. However, calling
manage-bde -tpm
caused an error message in our lab on both the current Windows 10 (Professional and Enterprise in version 21H1) and Windows Server 2019 (version 1809) versions. The message said manage-bde could not manage the trusted platform module "in this version of Windows" and was followed by the recommendation to use the Microsoft Management Console Manage TPM snap-in or the corresponding PowerShell cmdlets. We were then able to display the TPM settings on the various devices without any problems by calling the Get-Tpm cmdlet.
For administrators, the TrustedPlatformModule module provides a whole series of cmdlets with which you can not only discover the trusted platform module but also reset it or examine which features the module supports on the specific device, among other things.
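A readiness check built on Get-Tpm, as an added example that is not from the article: it reports the TPM state and whether the operating system volume already has a TPM-based key protector, which is the information manage-bde -tpm refused to give in the lab above. The function name is an assumption; Get-Tpm, Initialize-Tpm and the property names used are those of the TrustedPlatformModule and BitLocker modules.

```powershell
# Added example (not from the article): TPM readiness check before enabling BitLocker on the OS drive.
# Assumes: elevated session; TrustedPlatformModule and BitLocker modules present.

function Test-BitLockerTpmReadiness {
    $tpm = Get-Tpm

    # Key protector types that involve the TPM are named Tpm, TpmPin, TpmStartupKey, ...
    $osTpmProtector = Get-BitLockerVolume |
        Where-Object VolumeType -eq 'OperatingSystem' |
        ForEach-Object { $_.KeyProtector.KeyProtectorType } |
        Where-Object { $_ -like 'Tpm*' }

    [PSCustomObject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmEnabled      = $tpm.TpmEnabled
        TpmActivated    = $tpm.TpmActivated
        TpmOwned        = $tpm.TpmOwned
        Manufacturer    = $tpm.ManufacturerIdTxt
        OsVolumeUsesTpm = [bool]$osTpmProtector
    }
}

$check = Test-BitLockerTpmReadiness
$check | Format-List

if (-not $check.TpmPresent) {
    Write-Warning "No TPM found: the OS drive can only be protected with a startup key or password."
}
elseif (-not $check.TpmReady) {
    Write-Warning "TPM is present but not ready; run Initialize-Tpm and check the firmware settings."
}
elseif (-not $check.OsVolumeUsesTpm) {
    Write-Host "TPM is ready, but the OS volume has no TPM protector yet (Enable-BitLocker -MountPoint C: -TpmProtector adds one)."
}
else {
    Write-Host "TPM is ready and the OS volume is already bound to it."
}
```

Running this before a rollout separates the devices that can take a TPM-only or TPM+PIN configuration from those that need a different protector, instead of discovering the difference when Enable-BitLocker fails on the OS drive.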
Finally, we would like to mention the repair-bde command-line tool for the sake of completeness. This software is an additional offering from Microsoft that, according to the description, tries to reconstruct critical parts of a severely damaged drive and recover any recoverable data. However, this explicitly only applies if the drive was encrypted by BitLocker and the user has a valid password or recovery key for decryption. The tool has the syntax:
repair-bde <input_volume> <output_volume_or_image>
You should be able to use the key package and the recovery password or key to decrypt parts of a BitLocker-protected drive, even if the disk is damaged. However, the command cannot repair a drive if anything failed during the encryption or decryption process.