GPO and Enable-BitLocker Commands
Create the GPO:
Don't worry about the PowerShell in this link, just follow its steps for creating and linking a GPO. The setting that makes the key backup work is under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives: enable "Choose how BitLocker-protected operating system drives can be recovered" and tick "Save BitLocker recovery information to AD DS for operating system drives". Ticking "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" as well is the safety net: encryption will refuse to start if the backup to AD fails, so you never end up with an encrypted drive whose key exists nowhere but on the device.
Create the PowerShell script:
# Check whether BitLocker is already enabled on the OS drive
$checkBitLocker = Get-BitLockerVolume -MountPoint "C:"
if ($checkBitLocker.ProtectionStatus -eq "On") {
    Write-Output "⚠️ BitLocker is already enabled on C:. Exiting script."
    Exit
}
Start-Sleep -Seconds 8
# Enable BitLocker with a recovery password protector. The script does not save or
# export the key itself; with the GPO applied, Windows backs the recovery password up
# to the computer object in AD at the moment the protector is created.
Enable-BitLocker -MountPoint C: -SkipHardwareTest -RecoveryPasswordProtector
Write-Output "✅ BitLocker has been enabled. GPO will handle key backup to AD."
How it works
Add the device to the group the GPO is linked or security-filtered to, since this is a computer policy, not a user policy
Make sure the device actually sees the GPO; run gpupdate /force and restart the machine if the policy is security-filtered, because computer policy is applied at boot
gpresult /r (under Computer Settings, the GPO should be listed in Applied Group Policy Objects, not Filtered)
Run the script (the script only enables BitLocker; the GPO cannot do that, it only controls where the recovery information is stored)
The script checks whether BitLocker is already enabled on C: and exits if it is
Sleeps for 8 seconds
Enables BitLocker on C: with a recovery password protector; the script does not save or export the key, the GPO handles the backup. Caveat: this adds only the recovery password. If the volume has no TPM protector, Windows will ask for the 48-digit recovery password at every boot, so add one (Add-BitLockerKeyProtector -TpmProtector) before the first restart.
When BitLocker is turned on, the recovery password is written to a msFVE-RecoveryInformation object stored under the device's computer object in Active Directory. The device therefore has to be domain-joined and able to reach a domain controller at that moment; if it was offline, run Backup-BitLockerKeyProtector afterwards to push the key.
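The following is an added example, not the script from this page, showing the full version of the procedure above with the checks a practitioner would want before encrypting: it confirms the TPM is usable, confirms the AD backup policy has actually reached the machine (the registry values are the ones the OS-drive recovery policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE), adds a TPM protector so the drive unlocks without prompting, adds the recovery password, and then explicitly pushes every recovery password to AD and prints the resulting protector list. It assumes it runs elevated on a domain-joined machine that can reach a DC; nothing else on the page is assumed.

```powershell
# Added example (not the page's script): enable BitLocker on C: with TPM + recovery
# password, verify the GPO backup setting first, then force the AD backup.
# Assumes: elevated session, domain-joined machine with a DC reachable.

$MountPoint = "C:"

# Bail out if the volume is already protected (ProtectionStatus is an enum; "On" compares fine).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq "On") {
    Write-Output "BitLocker is already enabled on $MountPoint."
    return
}

# A TPM protector only works if the TPM is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present/ready on this machine; fix that before enabling BitLocker."
}

# Check the GPO really landed. The OS-drive recovery policy writes OSActiveDirectoryBackup=1;
# the older "Store BitLocker recovery information in AD DS" policy writes ActiveDirectoryBackup=1.
$fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
if (($fve.OSActiveDirectoryBackup -ne 1) -and ($fve.ActiveDirectoryBackup -ne 1)) {
    Write-Warning "AD backup policy not present on this machine. Run gpupdate /force, reboot, check gpresult /r, then retry."
    return
}

# TPM protector first so the OS boots unattended, then a new 48-digit recovery password.
# With the GPO applied, Windows backs the recovery password up to AD as it is created.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest -ErrorAction Stop
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop

# Belt and braces: explicitly back up every recovery password protector to the computer object.
# This is idempotent and fails loudly if the DC cannot be reached.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword" |
    ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId -ErrorAction Stop
        Write-Output "Backed up recovery password $($_.KeyProtectorId) to AD."
    }

# Final state for the log: you want ProtectionStatus On and both Tpm and RecoveryPassword listed.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType) -join "," } }
```

The order matters: the TPM protector goes on before the recovery password so there is never a window where the only way to unlock the drive is the recovery password, and the explicit Backup-BitLockerKeyProtector means a machine that enrolled while off the network still ends up with its key in AD once it is back on it.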
To find the key
Log in to your Domain Controller and open Active Directory Users and Computers
Search for Computers, then the device's name, and open its properties
You will see a BitLocker Recovery tab listing the 48-digit recovery password(s) with their password IDs. If the tab is missing, the BitLocker Recovery Password Viewer feature (an RSAT feature) is not installed on that server; also turn on View > Advanced Features on the main Users and Computers window, which lets you see the msFVE-RecoveryInformation objects stored under the computer. Note that reading these objects needs permission on the computer object, so by default only Domain Admins (or whoever you delegate) can see the key.
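The same lookup from PowerShell, as an added example rather than anything from this page: it queries the msFVE-RecoveryInformation objects under a computer object with the ActiveDirectory module (RSAT), which is faster than clicking through the console when you are on the phone with a user reading out a password ID. It assumes the module is available on the host you run it from and that you hold read permission on the recovery objects; the computer name is a parameter and the password-ID comparison is a convenience added here.

```powershell
# Added example: find BitLocker recovery passwords for a computer in AD.
# Assumes the ActiveDirectory module (RSAT) and read rights on msFVE-RecoveryInformation objects.
# Usage: .\Find-BitLockerKey.ps1 -ComputerName PC01 [-PasswordId 1A2B3C4D]
param(
    [Parameter(Mandatory)][string]$ComputerName,
    # Optional: the first 8 characters of the password ID shown on the BitLocker recovery screen
    [string]$PasswordId
)
Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Recovery passwords live as msFVE-RecoveryInformation child objects of the computer object.
$info = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

if (-not $info) {
    Write-Warning "No recovery information stored for $ComputerName. Check the GPO scope (gpresult /r on the client) or run Backup-BitLockerKeyProtector on it."
    return
}

$results = $info | Sort-Object whenCreated -Descending | ForEach-Object {
    # msFVE-RecoveryGuid is stored as raw bytes; rebuild the GUID the recovery screen displays.
    $guid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
    [PSCustomObject]@{
        Computer         = $ComputerName
        BackedUp         = $_.whenCreated
        PasswordId       = $guid.ToString().ToUpper()
        RecoveryPassword = $_.'msFVE-RecoveryPassword'
    }
}

# If the user read out a password ID, match on its first 8 characters, otherwise show all.
if ($PasswordId) {
    $results | Where-Object { $_.PasswordId.StartsWith($PasswordId.ToUpper()) }
} else {
    $results
}
```

Every read of msFVE-RecoveryPassword is auditable if you enable object access auditing on the computer objects; that is worth doing, because anyone who can run this script can decrypt the drive.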