In this guide, I’m going to show you how to enable bitlocker remotely using Powershell/PDQ Deploy. This PDQ Deploy sequence I’m using consists of several “steps” and will enable bitlocker, set a randomized pin code, copy the pincode and recovery key to an IT network share, and wait/reboot the computer several times.
If you don’t have PDQ Deploy, you can still take the code from the various steps below and turn it into a Powershell script to use with another RMM tool like SCCM, if you’d like. If you don’t have PDQ, there is a free version you can download to accomplish this but the paid version is 100% worth the cost.
I’ve used this script on hundreds of computers, and it works perfectly everytime. On average, it takes about 7 minutes or less per machine.
What is Bitlocker?
Bitlocker is a built-in full-volume encryption feature that is included in Windows. It supports Windows Vista and higher versions. There are several different ways to configure Bitlocker.
You could turn on Bitlocker manually by right-clicking your C:\ drive and waiting for the encryption process to finish, but that is a very hands-on approach. You will also have to set a Bitlocker pin code, and then document the pin code somewhere secure.
If you work as a sysadmin, IT manager, or in a helpdesk role, then this is a very time-consuming task for each new computer you setup and is prone to human error. For example, if you forget to copy down the PIN code, and a user forgets, they will have to enter in the 48-character recovery code which is not ideal.
Automated Bitlocker Project Scope
This is truly a hands-off one touch Bitlocker deployment process. Using PDQ Deploy, I run the “Bitlocker + PIN” package, wait a few minutes, and everything is complete.
Here’s the steps of everything we’ll be doing. The code for each step is below.
If you don’t want to recreate this package yourself, I’ve exported my PDQ package for you. Simply download the .XML below and import into Deploy. Just change out the paths with your own.
Bitlocker + PIN XML: https://smarthomepursuits.com/download/4540/
Prerequisites
The target computer must have a TPM chip that is enabled. Most newer computers already have this and is already enabled within the BIOS.
Optional: You should configure a Group Policy to automatically backup the 48-character Bitlocker recovery key in Active Directory during deployment. This is just another way to backup the recovery key. This GPO adds a new tab to the Computer Object and is viewable from within a domain controller. You cannot store bitlocker PIN’s in Active Directory or view the recovery codes from the Active Directory Users & Computers (ADUC) widget.
How It Works
This script will enable bitlocker and set a random PIN code. It will export the recovery key and PIN code as separate text files to the computers C:\ drive temporarily, appended with the computer name like this:
It will then copy both .txt files to a public network share (or a network share that most employees should have access to) The reason I’m not moving it to the IT share just yet is because if I run this script on Janet from Accounting’s computer, her user doesn’t have access to the IT file share. So, I move it a public share first.
Then, the script will copy from the public share to the IT share and delete it from public share. 100% automated – just run this package against a target machine and it will do everything for you.
It sounds complicated or somewhat of a hacky method, but I promise this works really well and really makes setting up new computers super easy.
Backing Up Bitlocker Recovery Key and PIN to Network Share Risk
There is always a fine line between accepted risk vs. potential reward. Is it secure to backup these codes to an IT network share? If you have tight ACL’s in place to where only the IT department can access the network folder where the codes are stored, then I’d say that’s pretty secure. I take the same approach for my Export LAPS Passwords script.
Let’s take these examples. Let’s say a user forgets their pin and you didn’t have it backed up or documented correctly. You will have to provide the 48-character pin over the phone. Unfortunately, pin codes can’t be changed unless you know the old PIN. (You may be able to set a new one via a separate Powershell script, but I haven’t had a need for this) This means the user is now stuck having to enter this ridiculously long code each time their computer reboots.
Or, what happens if you delete the computer object? The recovery code is now lost unless you restore the object from backup or use the Active Directory Recycle Bin. At this point, you’re only option is to format the machine and lose all data. Imagine telling that to a remote user; you can imagine how frustrated they would be. Now you’ll have to image a brand new machine and ship it to them, wasting hours of your day and productivity lost during shipping.
Automated Bitlocker Encryption Script
There are 13 steps below. I added some wait timers and reboots in between a few steps. I accommodated for slow boot times. We typically deploy core i-5 with 8gb+ of ram and this script has yet to fail on me, so I think the wair timers are pretty reasonable. I recommend creating your package exactly as I have.
If there are any required conditions, I will notate those in the appropriate step. Otherwise, just copy and paste the code into a new step.
Step 0: Create a PDQ Deploy Package
In your PDQ Deploy appplication, right-click the Packages folder > Create a new package. Name it “Bitlocker + PIN” or something similar.
Step 1: Enable Bitlocker on C:\ Drive
New step > Powershell
Enable-BitLocker -MountPoint "C:" -RecoveryPasswordProtector
Step 2: Reboot PC
New step > Reboot.
Under the Details tab, set to 30 seconds.
Step 3: Sleep
New step > Sleep.
Under the Details tab, set to 60 seconds.
Step 4: Copy 48-character recovery key to C:\ drive
This step will copy the recovery key that was generated during Step 1 and save it to a text file. In a future step, this file will get copied to an IT network share and then deleted from the C:\ drive.
New step > Powershell.
(Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword > c:\$env:COMPUTERNAME.txt
Step 5: Copy text file to network share
**Change out the destination path with the network location all employees can access.**
New step > Powershell.
Copy-Item "C:\$env:COMPUTERNAME.txt" -Destination "\\PublicShare\folder" -recurse
Step 6: Sleep
New step > Sleep.
Set to 30 seconds.
Step 7: Delete Text File from users C:\ drive
New step > Powershell.
Remove-Item c:\$env:COMPUTERNAME.txt
Step 8: Enable Bitlocker PIN (Sets random pin)
New Step > Powershell.
$Random = Get-Random -Maximum 1000000
$SecureString = ConvertTo-SecureString "$Random" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $SecureString -TPMandPinProtector
(New-Object System.Management.Automation.PSCredential 'N/A', $securestring).GetNetworkCredential().Password | out-file C:\$env:COMPUTERNAME-PIN.txt
Step 9: Copy PIN to Public Network Share
**Change out the paths below.**
New Step > Powershell.
Copy-Item "C:\$env:COMPUTERNAME-PIN.txt" -Destination "\\PublicShare\folder" -recurse
Step 10: Delete PIN text file from users C:\ drive
New Step > Powershell.
Remove-Item c:\$env:COMPUTERNAME-PIN.txt
Step 11: Sleep
New step > Reboot.
Set Sleep Time to 30 seconds.
Step 12: Move Text files from Public Fileshare to IT Network Share
**Change out the paths below.**
New Step > Powershell
get-childitem "\\PublicShare\folder" *.txt | Copy-Item -destination "\\IT\Bitlocker Keys & PIN" -verbose
Remove-Item -Path "\\PublicShare\folder\*" -recurse -ErrorAction Ignore
Step 13: Reboot
New step > Reboot.
Set to 10 seconds.
Now that the Bitlocker PIN has been enabled, you will need to physically log into the computer and enter the randomly generated Bitlocker pin, which has now been backed up and stored on your IT file share.
Enabling Pin Codes – Word of Caution
If you are considering a Bitlocker + PIN rollout, I feel like it’s necessary to mention that once you add a PIN code to a machine, the user will physically have to enter the PIN after a reboot. If users RDP to their computers from home, then someone at the office would have to enter the pin for them which isn’t ideal. To combat this, you might want to create a separate but similar script that just enables PIN codes for laptops but not for desktops, or use Bitlocker Network-Unlock.
Wrapping Up
All in all, this has been a huge time saver for our IT department. We already had the peace of mind knowing that our Bitlocker recovery keys are stored in Active Directory. Now, we have also them backed up as text files in an IT network share, which could be very useful in case your Active Directory is no longer accessible or if your company gets hit with ransomware.
Additonally, each new PC you deploy will now a PIN that is backed up. Since each PIN is randomized during deployment, you don’t have to worry about users having the same PIN code or managing a spreadsheet.
I hope this guides helps you out and saves you some time! Let me know in the comments if you’ve used this guide and it worked out well for you.
My Homelab Equipment
Here is some of the gear I use in my Homelab. I highly recommend each of them.
- Server 2019 w/ Hyper-V
- Case: Fractal Design Node 804
- Graphics Card: NVIDEA Quadro K600
- CPU: AMD Ryzen 7 2700
The full list of server components I use can be found on my Equipment List page.
Hi, I have a question about the script. After the deployment of this script all works (Textfile in Network share etc.). I would like that after the reboot Bitlocker asks for the PIN, but after applying this script that doesn’t happened.
Do you have any idea why?
Thanks & regards
After Bitlocker is installed and it reboots, it will reboot and then prompt for the pin. It’ll only stay on the blue Bitlocker screen for like 30 seconds before it shuts down so you just have to enter it before then
Ok thank you very much! 🙂
We get this error when we are running the script:
Add-TpmAndPinProtectorInternal : The key protector cannot be added. Only one key protector of this type is
only one key protector of this type is allowed for the drive. (Exception of HRESULT: 0x80310031).
In C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2099 characters:31
+ … $Result = Add-TpmAndPinProtectorInternal $BitLockerVolumeInternal.M …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmAndPinProtectorInternal
Do you think this happens because before was Bitlocker already activated? (Yes it was on this machine)
We got this error when enabling the PIN: Add-TpmAndPinProtectorInternal : Die Schlüsselschutzvorrichtung kann nicht hinzugefügt werden. Für das Laufwerk ist
nur eine Schlüsselschutzvorrichtung dieses Typs zulässig. (Ausnahme von HRESULT: 0x80310031)
In C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2099 Zeichen:31
+ … $Result = Add-TpmAndPinProtectorInternal $BitLockerVolumeInternal.M …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmAndPinProtectorInternal
What would the script be for setting a defined PIN for all workstation? Thanks
On step 8, remove the $random variable. Then use $SecureString = ConvertTo-SecureString “123456” -AsPlainText -Force
Get-Random also supports -Minimum values. You should use this so that Get-Random doesn’t eventually give someone a pin number of “1” 🙂
Hi Dan, wonderful article, how about if I want to use this to change all users current pins or force them to change their pins? Can you give a walkthrough?
I don’t know how to prompt users to change the pin themselves, but you can run just Step 8 against a computer to manually change it to something random. If you don’t want to set a random pin, then the code would be:
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $SecureString -TPMandPinProtector
(New-Object System.Management.Automation.PSCredential 'N/A', $securestring).GetNetworkCredential().Password | out-file C:\$env:COMPUTERNAME-PIN.txt
Wow, thank you for supporting the article even till now Dan. I’ve got two comments.
1. I’m thinking of using PDQdeploy or SCCM to push this PIN change to all users in the environment so I guess I’ll go through all the steps mentioned apart from steps 1,2 and 3.
or
2. Turn off bitlocker for every device and then go through all the steps you mentioned but I think I’ll go with method 1 instead.