
BitLocker: Encrypt all computers by cmd and GPO

I have to join a lot of computers to a new domain and I would like to enable BitLocker on all computers in the domain. I want to create a GPO so that, when I join a new computer to the domain, BitLocker is enabled automatically. The solution that I found is to create a script to do it, then create a GPO to deploy this script and see if the GPO works. I tested this script and it works perfectly:

# Only act on an OS drive that is not encrypted yet
$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.VolumeStatus -eq 'FullyDecrypted') {
    # Turn BitLocker on for C: with a recovery password protector;
    # -skiphardwaretest starts encryption without the reboot-and-verify step
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}

But I want to add the BitLocker password and the recovery password, and I am not able to do it. I tried these modifications, but they don't work and I get an error when I launch them:

  1. Try with password

    $pass = ConvertTo-SecureString "Password" -AsPlainText -Force
    $CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
    if ($CdriveStatus.VolumeStatus -eq 'FullyDecrypted') {
        C:\Windows\System32\manage-bde.exe -on c: -password $pass -recoverypassword -skiphardwaretest
    }

  2. Try with PIN

    $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    Enable-BitLocker -MountPoint c: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

  3. Try with password

    $pass = ConvertTo-SecureString Passw0rd -AsPlainText -Force
    Enable-BitLocker -MountPoint c:\ -EncryptionMethod Aes128 -Password $pass -PasswordProtector

Could you be so kind as to help me, please? Thanks so much.

• Please check whether the recovery key information GPO has the 128-bit key selected, as you are using it in one of your commands. If not, ensure the same.

• The third command that you posted has some mistakes in it; if you correct them as below, then maybe it can run and execute during the domain-joining process:

    $CdriveStatus = Get-BitLockerVolume -MountPoint 'C:'
    if ($CdriveStatus.VolumeStatus -eq 'FullyDecrypted')
    {
        $SecureString = ConvertTo-SecureString "Passw0rd" -AsPlainText -Force
        Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Password $SecureString -PasswordProtector -SkipHardwareTest
    }

The above tested command will start the encryption process on the OS drive, i.e. C:, as soon as the system joins the domain and all the required GPOs are applied and updated on it. Also, ensure that in the BitLocker GPO, 'allow encryption without TPM' is enabled, because BitLocker encryption cannot be started on devices without a TPM unless we disable the 'Allow encryption with TPM only' flag in the Windows registry, which can be done through GPO only.
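The answer above fixes the syntax, but a password or PIN hard-coded in a script that GPO copies to every machine is the same secret on every computer and is readable by any domain user from SYSVOL, so it gives little real protection. The script below is an added example, not code from the question or the answer: it is the variant of the same startup-script approach that a practitioner would normally deploy on TPM-equipped machines. It enables BitLocker with a TPM protector (no secret in the script), adds a recovery password, and escrows that recovery password in AD DS. It assumes it runs as SYSTEM from a GPO computer startup script on a domain-joined Windows 10/11 machine that has the `BitLocker` and `TrustedPlatformModule` PowerShell modules, and that the BitLocker GPO does not require a startup PIN. Machines without a ready TPM are where the answer's password protector (and the 'allow encryption without TPM' setting) would be needed; the example stops on them instead of baking in a shared password.

```powershell
# Added example (not part of the original post): GPO startup script that encrypts
# the OS drive with a TPM protector and escrows the recovery password in AD DS.
# Assumptions: runs as SYSTEM on a domain-joined Windows 10/11 host with the
# BitLocker and TrustedPlatformModule modules available, and the BitLocker GPO
# allows a TPM-only protector and permits AD DS recovery information backup.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Mount = $env:SystemDrive          # normally 'C:'

Import-Module BitLocker
Import-Module TrustedPlatformModule

$vol = Get-BitLockerVolume -MountPoint $Mount

# Already encrypted (or encryption in progress): nothing to enable. If protection was
# left suspended (e.g. after a firmware update), switch it back on and exit.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    if ($vol.ProtectionStatus -eq 'Off' -and $vol.KeyProtector.Count -gt 0) {
        Resume-BitLocker -MountPoint $Mount | Out-Null
    }
    return
}

# A TPM that is present and ready is required for a protector that needs no shared secret.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # This is the case the answer's -PasswordProtector covers; a per-site decision,
    # so fail loudly rather than ship a password inside a SYSVOL script.
    throw "TPM not present or not ready on $env:COMPUTERNAME; OS drive left unencrypted."
}

# 1. Enable BitLocker with the TPM as the unlock protector. -UsedSpaceOnly keeps the
#    initial encryption short on fresh installs; -SkipHardwareTest starts encryption
#    now instead of after a reboot-and-verify cycle.
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest | Out-Null

# 2. Add a 48-digit recovery password so the drive can be unlocked if the TPM
#    measurements change (board swap, firmware update, moved disk).
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null

# 3. Back every recovery password protector up to the computer object in AD DS
#    (msFVE-RecoveryInformation), so helpdesk can retrieve it and no copy stays local.
$vol = Get-BitLockerVolume -MountPoint $Mount
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
}
```

Run it once by hand on a test machine before attaching it to the GPO, then confirm with `manage-bde -status C:` that the protectors listed are `TPM` and `Numerical Password` and with `manage-bde -protectors -adbackup C: -id <protector id>` (or the AD computer object's BitLocker Recovery tab) that the escrow succeeded. If the GPO instead requires TPM+PIN, replace step 1 with `-TpmAndPinProtector -Pin $pin` as in the question's second attempt, but the PIN then has to be set per machine by the user, not fixed in the script.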

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
