GPO and Enable-BitLocker Commands

Enable-BitLocker - PowerShell Command | PDQadmarsenal

Create the GPO :

Dont worry about the powershell in this link just how to create a GPO

Enable Bitlocker Automatically using Group Policy Object - Tech Help for Non-ProfitsTech Help for Non-Profits - Providing the Technology expertise Non-Profits need.

Create power-shell:

# Check if BitLocker is already enabled
$checkBitLocker = Get-BitLockerVolume -MountPoint "C"
if ($checkBitLocker.ProtectionStatus -eq "On") {
    Write-Output "⚠️ BitLocker is already enabled on C:. Exiting script."
    Exit
}

Start-Sleep -Seconds 8

# Enable BitLocker without creating a new key
Enable-BitLocker -MountPoint C: -SkipHardwareTest -RecoveryPasswordProtector

Write-Output "✅ BitLocker has been enabled. GPO will handle key backup to AD."

How it works

Add device to the group you linked the GPO since this is a computer policy not a user policy
Make sure the device sees the GPO, may need to restart the machine if filtered

gpresult /r

run script (just enables bit-locker, the GPO can not)
1. Check if bit-locker is already installed
2. sleeps for 8 sec
3. Enable bit-locker without creating a new key, the GPO
When bit-locker is turned on it looks for the device in active directory and sends the key to the device object to save.

To find the key

Log in to your Domain Controller and click on Users and Computers
Search for Computers then the name
You will see a bitlocker tab, if not go to the main user and computers page and click on view then advanced view

PreviousFind Windows 11 Compatible Devices NextNetworking

Last updated 3 months ago

hashtagCreate the GPO :

hashtagCreate power-shell:

hashtagHow it works

hashtagTo find the key

Create the GPO :

Create power-shell:

How it works

To find the key