Enable-BitLockerAutoUnlock - PowerShell

Overview

Enable-BitLockerAutoUnlock enables automatic unlocking of BitLocker-protected drives on computers that are joined to an Active Directory domain, using the built-in TPM (Trusted Platform Module). It removes the need to unlock the drive manually, improving both security and convenience.

Syntax

Enable-BitLockerAutoUnlock [-MountPoint] <String[]> [-AuthenticationPassword] <SecureString> [-RecoveryPassword] <SecureString> [-ChangePin] [-Pin] <String> [-EnableRecoveryPassword] [-RecoveryKeyFile] <String> [-UsbKeySlot] <Int32> [-KeyPackageId] <Guid> [-ForceMigration]

Options/Flags

  • -MountPoint: Specifies the mount point of the drive to enable automatic unlocking for. Accepts an array of mount points.
  • -AuthenticationPassword: A secure string representing the authentication password for the user.
  • -RecoveryPassword: A secure string representing the recovery password.
  • -ChangePin: If specified, prompts the user to change their PIN.
  • -Pin: Sets the new PIN for the user.
  • -EnableRecoveryPassword: Enables the creation of a recovery password for the user.
  • -RecoveryKeyFile: Path to the recovery key file to store the recovery password.
  • -UsbKeySlot: Slot number of the USB key to use for automatic unlocking.
  • -KeyPackageId: GUID of the key package to use for automatic unlocking.
  • -ForceMigration: Forces the migration of existing BitLocker keys to the Auto-Unlock mode.

Examples

Enable automatic unlocking for a specific drive:

Enable-BitLockerAutoUnlock -MountPoint "C:"

Enable automatic unlocking with a recovery password:

Enable-BitLockerAutoUnlock -MountPoint "D:" -EnableRecoveryPassword -RecoveryKeyFile "C:\recovery.key"

Enable automatic unlocking with a USB key:

Enable-BitLockerAutoUnlock -MountPoint "E:" -UsbKeySlot 3

Common Issues

  • Ensure that the computer is joined to an Active Directory domain and that its TPM is enabled.
  • Verify that the specified mount points are BitLocker-protected.
  • If prompted, enter the correct authentication password or recovery password.
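
The checks listed above, carried out before the cmdlet is called, as an added example that is not part of the original page. The wrapper function Enable-DataVolumeAutoUnlock is my own name; the cmdlets and properties it relies on (Get-BitLockerVolume with VolumeType, ProtectionStatus, VolumeStatus and AutoUnlockEnabled, and Enable-BitLockerAutoUnlock -MountPoint) belong to the BitLocker module.

```powershell
# Added example (not from the original page). Enable-DataVolumeAutoUnlock is a
# hypothetical wrapper name; it only uses the BitLocker module's own cmdlets.
function Enable-DataVolumeAutoUnlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # One or more data-volume mount points, e.g. "D:".
        [Parameter(Mandatory)]
        [string[]] $MountPoint
    )

    # Auto-unlock requires the operating system volume to be protected first.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os -or $os.ProtectionStatus -ne 'On') {
        throw "Operating system volume is not BitLocker-protected; refusing to enable auto-unlock."
    }

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol) {
            Write-Warning "$mp : no BitLocker volume found, skipping."
            continue
        }
        # Auto-unlock applies to data volumes only, never to the OS volume.
        if ($vol.VolumeType -ne 'Data') {
            Write-Warning "$mp : not a data volume, skipping."
            continue
        }
        # The volume must already be BitLocker-protected (Common Issues, item 2).
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "$mp : protection is off (status $($vol.VolumeStatus)), skipping."
            continue
        }
        if ($vol.AutoUnlockEnabled) {
            Write-Verbose "$mp : auto-unlock already enabled."
            continue
        }
        if ($PSCmdlet.ShouldProcess($mp, 'Enable BitLocker auto-unlock')) {
            Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
            # Re-read the volume so the caller sees the resulting state.
            Get-BitLockerVolume -MountPoint $mp |
                Select-Object MountPoint, VolumeType, ProtectionStatus, AutoUnlockEnabled
        }
    }
}

# Usage (run from an elevated session); drop -WhatIf to apply the change.
Enable-DataVolumeAutoUnlock -MountPoint 'D:', 'E:' -WhatIf
```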

Integration

With Get-BitLockerVolume:

# Auto-unlock applies only to data volumes that are already protected,
# so exclude the operating system volume and any unprotected volumes.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'On' }
Enable-BitLockerAutoUnlock -MountPoint ($volumes | Select-Object -ExpandProperty MountPoint)

With New-BitLockerKeyProtector:

# The GUID must be passed as a string; bare braces would be parsed as a script block.
New-BitLockerKeyProtector -MountPoint "C:" -KeyPackageId "{e249fb68-a230-432d-922b-7d4b104819b3}"
Enable-BitLockerAutoUnlock -MountPoint "C:"

Related Commands

  • Disable-BitLockerAutoUnlock: Disables automatic unlocking for BitLocker-protected drives.
  • Get-BitLockerVolume: Retrieves information about BitLocker-protected volumes.