Enable encryption for a BitLocker volume.
Syntax
Enable-BitLocker [-MountPoint] String[] -AdAccountOrGroupProtector [-AdAccountOrGroup] String
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-Service] [-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -PasswordProtector [[-Password] SecureString]
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -TpmAndPinProtector [[-Pin] SecureString]
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[]
-TpmAndPinAndStartupKeyProtector [-StartupKeyPath] String [[-Pin] SecureString]
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -RecoveryKeyProtector [-RecoveryKeyPath] String
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -RecoveryPasswordProtector [[-RecoveryPassword] String]
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable]
[-HardwareEncryption] [-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -StartupKeyProtector [-StartupKeyPath] String
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[]-TpmAndStartupKeyProtector [-StartupKeyPath] String
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Enable-BitLocker [-MountPoint] String[] -TpmProtector
[-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable] [-HardwareEncryption]
[-SkipHardwareTest] [-UsedSpaceOnly]
[-Confirm] [-WhatIf] [CommonParameters]
Key
-AdAccountOrGroup String
An account using the format Domain\User.
This cmdlet adds the account you specify as a key protector for the volume encryption key.
-AdAccountOrGroupProtector
Indicate that BitLocker uses an AD DS account as a protector for the volume encryption key.
-EncryptionMethod BitLockerVolumeEncryptionMethodOnEnable
An encryption method for the encrypted drive. The acceptable values for this parameter are:
-- Aes128
-- Aes256
-HardwareEncryption
Indicates that the volume uses hardware encryption.
-MountPoint String[]
An array of drive letters or BitLocker volume objects. This cmdlet enables protection
for the volumes specified. To obtain a BitLocker volume object, use Get-BitLockerVolume.
-Password SecureString
A secure string object that contains a password. The password acts as a protector for the
volume encryption key.
-PasswordProtector
Indicates that BitLocker uses a password as a protector for the volume encryption key.
-Pin SecureString
A secure string object that contains a PIN. BitLocker uses the PIN specified, with other
data, as a protector for the volume encryption key.
-RecoveryKeyPath String
A path to a recovery key. The key stored in the specified path acts as a protector for the
volume encryption key.
-RecoveryKeyProtector
Indicates that BitLocker uses a recovery key as a protector for the volume encryption key.
-RecoveryPassword String
A recovery password. If you do not specify this parameter, but you do include the
RecoveryPasswordProtector parameter, the cmdlet creates a random password. You can enter
a 48 digit password. The password acts as a protector for the volume encryption key.
-RecoveryPasswordProtector
Indicates that BitLocker uses a recovery password as a protector for the volume encryption key.
-Service
Indicates that the system account for this computer unlocks the encrypted volume.
-SkipHardwareTest
Indicates that BitLocker does not perform a hardware test before it begins encryption.
BitLocker uses a hardware test as a dry run to make sure that all the key protectors are
correctly set up and that the computer can start without issues.
-StartupKeyPath String
A path to a startup key. The key stored in the specified path acts as a protector for the
volume encryption key.
-StartupKeyProtector
Indicates that BitLocker uses a startup key as a protector for the volume encryption key.
-TpmAndPinAndStartupKeyProtector
Indicates that BitLocker uses a combination of the TPM, a PIN, and a startup key as a protector
for the volume encryption key.
-TpmAndPinProtector
Indicates that BitLocker uses a combination of the TPM and a PIN as a protector for
the volume encryption key.
-TpmAndStartupKeyProtector
Indicates that BitLocker uses a combination of the TPM and a startup key as a protector
for the volume encryption key.
-TpmProtector
Indicates that BitLocker uses the TPM as a protector for the volume encryption key.
-UsedSpaceOnly
Indicates that BitLocker does not encrypt disk space which contains unused data.
-Confirm
Prompt for confirmation before running the cmdlet.
-WhatIf
Show what would happen if the cmdlet runs. The cmdlet is not run.
Standard Aliases for Enable-BitLocker: none, but if you want to add a short alias like ebl, set it with set-alias
The Enable-BitLocker cmdlet enables BitLocker Drive Encryption for a volume. When you enable encryption, you must specify a volume and an encryption method for that volume. You can specify a volume by drive letter or by specifying a BitLocker volume object. For the encryption method, you can choose either Advanced Encryption Standard (AES) algorithms AES-128 or AES-256, or you can use hardware encryption, if it is supported by the disk hardware.
Windows 10 Home Edition does not include BitLocker.
Home edition does support Device Encryption, provided the hardware can support this (e.g. has a TPM chip) it also requires either signing in with a Microsoft account or joining the PC to a domain, this enables the encryption key to be saved to another device / OneDrive. Other than the lack of managability, Device Encryption is technically the same as the full Bitlocker Encryption available on Windows Professional.
You must also establish a key protector. BitLocker uses a key protector to encrypt the volume encryption key. When a user accesses a BitLocker encrypted drive, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker decrypts the encryption key and uses it to read data from the drive. You can use one of the following methods or combinations of methods for a key protector:
You can specify only one of these methods or combinations when you enable encryption, but you can use the Add-BitLockerKeyProtector cmdlet to add other protectors. For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script and still maintain confidentiality of passwords.
This cmdlet returns a BitLocker volume object. If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-bit recovery password. The cmdlet stores the password as the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object.
If you use startup key or recovery key as part of your key protector, provide a path to store the key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the KeyProtector field in the BitLocker volume object.
If you use the Enable-BitLocker cmdlet on an encrypted volume or on a volume that with encryption in process, it takes no action. If you use the cmdlet on a drive that has encryption paused, it resumes encryption on the volume.
By default, this cmdlet encrypts the entire drive. If you use the UsedSpaceOnly parameter, it only encrypts the used space in the disk. This option can significant reduce encryption time.
It is common practice to add a recovery password to an Operating System volume by using the Add-BitLockerKeyProtector cmdlet, and then save the recovery password by using the Backup-BitLockerKeyProtector cmdlet, and then enable BitLocker for the drive. This procedure ensures that you have a recovery option.
An overview of BitLocker Drive Encryption.
This cmdlet was introduced in Windows PowerShell 5.0.
Enable BitLocker using the TPM and a PIN for key protector:
PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString
-TPMandPinProtector–UsedSpaceOnly will encrypt the used space data on the disk, instead of the entire volume. When the system writes data to the volume in the future, that data is encrypted.
Show the effect of using the -Compress parameter of ConvertTo-Json. The compression affects only the appearance of the string, not its validity:
PS C:\> @{Account="User64";Domain="windevclusterdom";Admin="True"} | ConvertTo-Json -Compress {"Admin":"True","Account":"User64","Domain":"windevclusterdom"}
Enable BitLocker with a specified recovery key as a key protector:
PS C:\> Get-BitLockerVolume | Enable-BitLocker -EncryptionMethod Aes128 -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector
Enable BitLocker with a specified user account:
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes128 -AdAccountOrGroup "windevclusterdom\AshleyMcKee" -AdAccountOrGroupProtector
“The psychic task which a person can and must set for himself is not to feel secure, but to be able to tolerate insecurity” ~ Erich Fromm
Enable-BitLockerAutoUnlock - Enable automatic unlocking for a BitLocker volume.
Get-BitLockerVolume - Get information about volumes BitLocker can protect.
Add-BitLockerKeyProtector - Add a key protector for a BitLocker volume.
Suspend-BitLocker - Suspend Bitlocker encryption for the specified volume.
Manage-BDE - Manage BitLocker Drive Encryption.
OneDrive: Recover BitLocker keys
BitLocker Drive Encryption Service - Services