Managing BitLocker using PowerShell

If you have ever built an application with sensitive data hosted in your DMZ, you might have considered encrypting the data drive. Chances are you're also using a virtual machine to host your application.

>skip the blah, give me the scripts!<

While the preferred option would be to use the encryption capabilities built into the latest version of Hyper-V together with a virtual TPM, you might not want the extra hassle. Especially when you are using the Hyper-V replication capabilities to build a DR farm, getting the vTPM working across servers can be a major headache.

So here are some simple lines of PowerShell goodness you can use to enable BitLocker on a guest without needing a TPM (using a password). The only catch: when you reboot the VM, you need to manually enter the password to unlock the drive. Why PowerShell? Well, since there is no GUI on Windows Server 2016 Core, and Core is by now the default install for Windows Server, need I say more?

First, add BitLocker to the VM, then reboot the VM:

Install-WindowsFeature Bitlocker

Next, enable the use of BitLocker without a TPM by making some registry changes:

New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # BitLocker (FVE) policy key
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name UseAdvancedStartup -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name EnableBDEWithNoTPM -Value 1   # allow BitLocker without a TPM

Finally, enable and activate the encryption. In the example below, I tell the command to protect the D: drive with a plain password and to generate the recovery password for me. Make sure you keep that recovery password in a safe place!

The last line activates encryption, but only on the existing data, not the whole volume. This is important when using dynamically expanding VHDX disks, because encrypting the free space as well would write to every block and grow the disk to its full size.

manage-bde -protectors -add d: -password -recoverypassword
manage-bde -on d: -usedspaceonly

If you need more advanced options or want to store the key in AD, I recommend using Enable-BitLocker to configure the drive.

Oh, and before I forget, the command to unlock the drive after a reboot is

manage-bde -unlock d: -password

followed by the top secret password of yours.
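
The same procedure using the BitLocker module cmdlets (Enable-BitLocker, as recommended above), with a status check added. This is an added example, not the author's downloadable script; the D: mount point and the two function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: data volume is D:, the BitLocker feature is
# installed, and the function names below are illustrative.
$MountPoint = 'D:'

function Enable-DataVolumeEncryption {
    param([string]$MountPoint, [securestring]$Password)
    # Recovery password first, so a recovery path exists before encryption starts
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
        -ErrorAction Stop | Out-Null
    # Password protector, used space only (cmdlet form of manage-bde -on -usedspaceonly)
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -UsedSpaceOnly -ErrorAction Stop | Out-Null
    # Return the generated recovery password so it can be stored somewhere safe
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

function Get-DataVolumeProtection {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        MountPoint          = $v.MountPoint
        LockStatus          = $v.LockStatus
        VolumeStatus        = $v.VolumeStatus
        ProtectionStatus    = $v.ProtectionStatus
        EncryptionPercent   = $v.EncryptionPercentage
        HasPassword         = $types -contains 'Password'
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -eq 'Locked') {
    # After a reboot: prompt for the password rather than storing it in the script
    $pw = Read-Host "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
} elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # First run: encrypt and show the recovery password once
    $pw = Read-Host "New BitLocker password for $MountPoint" -AsSecureString
    Enable-DataVolumeEncryption -MountPoint $MountPoint -Password $pw | Format-List
}
# A volume missing either protector, or with ProtectionStatus Off, needs attention
Get-DataVolumeProtection -MountPoint $MountPoint
```

Run it once after the registry step to encrypt, and again after each reboot to unlock; the final status object shows whether both protectors are present.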

Scripts can also be downloaded from:

