Update: while the code below was tested extensively and can work, it does not always work. When enabling BitLocker for the first time, many PCs automatically run a hardware test and/or make changes to the disk partition. In those scenarios this code will not work without modification. The downside of testing on the same PC multiple times is that sometimes environment requirements have already been set that you may take for granted!

Turning on BitLocker and saving the key file with a script shouldn't be too much to ask, right? What if we want to use a file name for the key file that includes the key protector ID, similar to the way that Windows saves and names the key file in the GUI? We can do that!

BitLocker is one of the things that cannot be built into a system image, as each encrypted drive has a unique identifier. Therefore, using a script to enable BitLocker can save some time.

First we need to map a drive to the location we want to save the key file.

net use k: \\fileserver\bitlockerkeys

Next, turn on BitLocker on the C: drive. The "-recoverykey K:\ -recoverypassword" part of this command is required, but doesn't seem to do anything. It's not outputting the key file.

manage-bde -on C: -recoverykey K:\ -recoverypassword

If you want to save the key file similar to how Windows names it in the GUI, with the KeyProtectorID in the filename, then we need to parse some strings with PowerShell. This will set a variable named $key_info containing the KeyProtectorID.

# Select the RecoveryPassword protector by type rather than by position;
# the protector order in KeyProtector is not guaranteed.
$key_info = (Get-BitLockerVolume -MountPoint c: | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1).KeyProtectorID
# KeyProtectorID is returned as {GUID}; strip the surrounding braces.
$key_info = $key_info.Substring(0,$key_info.Length-1).Substring(1)

We'll name the key file with this format: "computername_KeyProtectorID.txt". Set another variable for the filename.

$keyfile_name=($env:computername)+"_"+$key_info+".txt"

And finally, use this command to get the KeyProtector (ID and password) and write it to the K:\ drive. Let's also write the hostname and date to that same file.

# Write hostname and date first (creating the file), then append the
# RecoveryPassword protector, which includes the ID and the 48-digit password.
echo (hostname) > "K:\$keyfile_name"
echo (Get-Date) >> "K:\$keyfile_name"
(Get-BitLockerVolume -MountPoint c: | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1) >> "K:\$keyfile_name"

enable_bitlocker.ps1
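Pulling the steps above together into one escrow script, as an added example that is not part of the original post or its attached script: it selects the RecoveryPassword protector by type instead of by index, creates one if the volume ended up without it (the situation the Update describes), and verifies that the file on the share really contains the password before reporting success. It assumes K: is already mapped to the escrow share and that the script runs elevated with the BitLocker module available.

```powershell
# Added example: escrow the BitLocker recovery password for C: to a mapped share.
# Assumptions: K: is mapped (net use k: \\fileserver\bitlockerkeys) and this runs elevated.
$MountPoint = 'C:'
$EscrowRoot = 'K:\'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not $vol) { throw "No BitLocker volume information for $MountPoint" }

# Pick the recovery-password protector by type; manage-bde may not have created
# one if a hardware test or partition change was scheduled instead of encryption.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
}
if (-not $rp) { throw "Unable to obtain a RecoveryPassword protector for $MountPoint" }

# Strip the braces from {GUID} so the file name matches the GUI convention.
$id   = $rp.KeyProtectorId.Trim('{', '}')
$path = Join-Path $EscrowRoot ("{0}_{1}.txt" -f $env:COMPUTERNAME, $id)

$lines = @(
    "Computer:         $env:COMPUTERNAME"
    "Date:             $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    "Volume:           $MountPoint ($($vol.VolumeStatus), protection $($vol.ProtectionStatus))"
    "KeyProtectorId:   $($rp.KeyProtectorId)"
    "RecoveryPassword: $($rp.RecoveryPassword)"
)
Set-Content -Path $path -Value $lines -Encoding ASCII

# Verify the escrow file exists and holds a 48-digit password (8 groups of 6 digits)
# before claiming success; silently missing files are the failure mode to catch.
if (-not (Test-Path -Path $path)) { throw "Escrow file was not created at $path" }
$saved = Get-Content -Path $path -Raw
if ($saved -notmatch '(\d{6}-){7}\d{6}') { throw "Recovery password was not written to $path" }
Write-Output "Recovery key escrowed to $path"
```

The escrow share holds plaintext recovery passwords, so its NTFS and share permissions should allow writes from the workstations but reads only for the recovery team.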