Enable BitLocker on C: Drive

This PowerShell script enables BitLocker on the C: drive and backs up the recovery key to AD or Azure AD.

# Check if BitLocker is already enabled on C: Drive
$bitlockerStatus = Get-BitLockerVolume -MountPoint "C:"

if ($bitlockerStatus.ProtectionStatus -eq "On") {
    Write-Output "BitLocker is already enabled on C: Drive."
} else {
    # Add the recovery password protector first. Enable-BitLocker accepts only one
    # protector type per call, so -RecoveryPasswordProtector and -TpmProtector
    # cannot be combined in a single command.
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null

    # Enable BitLocker with TPM protection. -SkipHardwareTest makes encryption start
    # immediately; without it BitLocker waits for a reboot and hardware test, and the
    # progress loop below would never finish.
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest

    # Wait for the encryption to complete
    $bitlockerEncryption = Get-BitLockerVolume -MountPoint "C:"
    while ($bitlockerEncryption.EncryptionPercentage -lt 100) {
        Write-Output "Encryption in progress... $($bitlockerEncryption.EncryptionPercentage)% completed."
        Start-Sleep -Seconds 30
        $bitlockerEncryption = Get-BitLockerVolume -MountPoint "C:"
    }

    Write-Output "Encryption completed successfully on C: Drive."

    # Backup recovery key to AD or Azure AD.
    # Re-read the volume: $bitlockerStatus was captured before any protector existed.
    $recoveryProtector = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
        Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
        Select-Object -First 1

    if ($recoveryProtector) {
        try {
            # Backup to Active Directory (needs a domain-joined computer and the
            # "Save BitLocker recovery information to AD DS" policy enabled)
            Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId
            Write-Output "Recovery key backed up to Active Directory."
        } catch {
            Write-Output "Failed to back up recovery key to AD: $($_.Exception.Message)"
        }

        # Optional: Backup to Azure AD
        # Uncomment the next two lines if using Azure AD
        # BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId
        # Write-Output "Recovery key backed up to Azure Active Directory."

        # Optional: also allow a domain account or group to unlock the volume.
        # This adds a separate SID-based key protector; it is not a backup of the
        # recovery password. Uncomment and replace the placeholder group if needed.
        # Add-BitLockerKeyProtector -MountPoint "C:" -ADAccountOrGroupProtector -ADAccountOrGroup "Domain\YourDomainAdmins"
    } else {
        Write-Output "Failed to back up recovery key to AD: no recovery password protector found."
    }
}

Explanation of the Script Steps

1. Check BitLocker Status: The script first checks if BitLocker is already enabled on the C: drive. If it is, a message is displayed and the script makes no further changes.

2. Enable BitLocker: If BitLocker is not enabled, the script adds a recovery password protector and then enables BitLocker with TPM protection. It uses AES 256-bit encryption and only encrypts used space.

3. Monitor Encryption Progress: It checks the encryption progress and waits until it is complete, displaying the percentage completed.

4. Backup Recovery Key: After enabling BitLocker, the script attempts to back up the recovery key to Active Directory. This only succeeds on a domain-joined computer where the policy that allows saving BitLocker recovery information to AD DS is enabled. If you want to back it up to Azure AD, you can uncomment the relevant lines.

Requirements for Azure AD Backup

For backing up the recovery key to Azure AD, ensure:

• Your system is joined to Azure AD.

• The device is registered and managed through Azure AD.

Run the Script

1. Open PowerShell as an administrator.

2. Copy and paste the above script.

3. Make sure to replace "Domain\YourDomainAdmins" with your actual domain and group.

4. Run the script.

Verify Recovery Key Backup

To verify that the recovery key has been backed up:

• For Active Directory: Use the Active Directory Users and Computers (ADUC) tool. Navigate to the computer object, right-click, and select Properties. Under the BitLocker Recovery tab, you should see the recovery key. The tab is only shown when the BitLocker Recovery Password Viewer RSAT feature is installed.

• For Azure AD: You can check via the Azure portal under Azure Active Directory > Devices. Select the device, and you should see the BitLocker recovery key.
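The same verification can be scripted. The following is an added example, not part of the original page: it reads the local key protectors, checks the registry values behind the AD backup policy, and, where the RSAT ActiveDirectory module is available, lists the msFVE-RecoveryInformation objects stored under the computer object and matches them to the local protector IDs. The `$MountPoint` and `$ComputerName` parameters and the output wording are this example's own choices; the recovery password itself is deliberately never read or printed.

```powershell
# Added example: verify BitLocker recovery key state locally and in Active Directory.
# Requires the built-in BitLocker module; the AD part needs the RSAT ActiveDirectory module.
param(
    [string]$MountPoint   = "C:",
    [string]$ComputerName = $env:COMPUTERNAME   # assumed parameter; defaults to this machine
)

function Test-LocalRecoveryProtector {
    # Summarises the volume and its recovery password protector IDs (no passwords are read).
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
    [pscustomobject]@{
        ProtectionStatus = $volume.ProtectionStatus
        VolumeStatus     = $volume.VolumeStatus
        RecoveryIds      = @($recovery | ForEach-Object { $_.KeyProtectorId })
        HasTpmProtector  = [bool]($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" })
    }
}

function Test-AdBackupPolicy {
    # The "Save BitLocker recovery information to AD DS" policy for OS drives is stored in
    # these registry values; Backup-BitLockerKeyProtector fails when it is not enabled.
    $fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupEnabled  = ($fve.OSActiveDirectoryBackup -eq 1)
        BackupRequired = ($fve.OSRequireActiveDirectoryBackup -eq 1)
    }
}

function Get-AdRecoveryInformation {
    # Lists msFVE-RecoveryInformation objects directly under the computer object.
    # Only the object name (which embeds the protector GUID) and creation time are returned.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning "ActiveDirectory module not installed; skipping the AD check."
        return @()
    }
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated |
        Select-Object Name, whenCreated
}

$local  = Test-LocalRecoveryProtector
$policy = Test-AdBackupPolicy
$inAd   = @(Get-AdRecoveryInformation)

Write-Output "Protection: $($local.ProtectionStatus), volume: $($local.VolumeStatus), TPM protector: $($local.HasTpmProtector)"
Write-Output "Local recovery protector IDs: $($local.RecoveryIds -join ', ')"
Write-Output "AD backup policy enabled: $($policy.BackupEnabled) (required: $($policy.BackupRequired))"
Write-Output "Recovery objects stored in AD for ${ComputerName}: $($inAd.Count)"

# Each local recovery protector ID should appear in the name of one AD object.
foreach ($id in $local.RecoveryIds) {
    $guid  = $id.Trim('{', '}')
    $found = $inAd | Where-Object { $_.Name -like "*$guid*" }
    if ($found) { Write-Output "OK: protector $id is backed up to AD." }
    else        { Write-Warning "Missing: protector $id has no matching object in AD." }
}
```

Run it in an elevated PowerShell session on the encrypted machine. A "Missing" warning with the policy reported as disabled points at the policy, not at the script; a warning with the policy enabled usually means the backup ran before the computer could reach a domain controller, in which case Backup-BitLockerKeyProtector can simply be re-run with the protector ID shown.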
