BitLocker Encryption via PowerShell – BitLocker waiting for activation

  activation, bitlocker, encryption, powershell, windows

I am trying to enable BitLocker on all of our devices using PowerShell. We do not have an AD environment and most computers don't have an external place to store keys. Our RMM service, however, does have a way to escrow keys once the encryption is enabled.

Here is the PowerShell script I am using:

#Check BitLocker prerequisites
$TPMNotEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $false} -ErrorAction SilentlyContinue
$TPMEnabled = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | where {$_.IsEnabled_InitialValue -eq $true} -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$BitLockerDecrypted = Get-BitLockerVolume -MountPoint $env:SystemDrive | where {$_.VolumeStatus -eq "FullyDecrypted"} -ErrorAction SilentlyContinue


#Step 1 - Check if TPM is enabled and initialise if required
if ($WindowsVer -and !$TPMNotEnabled)
{
    Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue
}

#Step 2 - Check if BitLocker volume is provisioned and partition system drive for BitLocker if required
if ($WindowsVer -and $TPMEnabled -and !$BitLockerReadyDrive)
{
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

#Step 3 - If all prerequisites are met, then enable BitLocker
if ($WindowsVer -and $TPMEnabled -and $BitLockerReadyDrive -and $BitLockerDecrypted)
{
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
    # -RecoveryKeyPath expects a folder; Enable-BitLocker writes the .BEK file into it
    Enable-BitLocker -MountPoint C: -SkipHardwareTest -RecoveryKeyPath "$env:UserProfile\Desktop" -RecoveryKeyProtector -ErrorAction SilentlyContinue
}


# Dump the key protectors (type and ID) of the system drive to a text file on the Desktop.
# Only a RecoveryPassword protector carries a printable 48-digit key; an ExternalKey (.BEK) protector does not.
(Get-BitLockerVolume -MountPoint C).KeyProtector > "$env:UserProfile\Desktop\BitLocker_Recovery_Key.txt"

When I run the script on a device, the .txt file is placed on the Desktop with no content, and in the BitLocker settings it is set to a "BitLocker waiting for activation" state.

The drive in Disk Management is also stating the drive is encrypted, but I have no key and our RMM is showing a "Pending" state for our BitLocker key.

Any help is appreciated; I really want to know how to make a working script out of this.

Thanks!
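As an added example (not the poster's script), the following PowerShell classifies the system drive's BitLocker state the way the Control Panel does ("waiting for activation" is an encrypted volume whose ProtectionStatus is Off) and records a numerical recovery password, which is the form an escrow service can store. It assumes the BitLocker module cmdlets used in the question and an elevated session; the report path is an assumption.

```powershell
# Added example, not the poster's script. Assumes the BitLocker module
# (Get-BitLockerVolume, Add-BitLockerKeyProtector) in an elevated session.
# Report path is an assumption; use the folder your RMM agent collects from.
$ReportPath = "$env:ProgramData\BitLockerState.txt"

function Get-BitLockerState {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # "Waiting for activation" = encrypted or encrypting, but no protector enforced.
    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
             elseif ($vol.ProtectionStatus -eq 'Off')     { 'WaitingForActivation' }
             else                                          { 'Protected' }
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectorTypes    = ($types -join ', ')
        State             = $state
    }
}

function Get-OrAddRecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # An ExternalKey (.BEK) protector has no printable secret; a RecoveryPassword
        # protector yields the 48-digit string an escrow system expects.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    $rp | Select-Object -First 1 -ExpandProperty RecoveryPassword
}

$state = Get-BitLockerState
$state | Format-List | Out-String | Set-Content -Path $ReportPath
if ($state.State -ne 'NotEncrypted') {
    # The password is written for pickup only; delete the file once it is escrowed.
    Add-Content -Path $ReportPath -Value ("RecoveryPassword: " + (Get-OrAddRecoveryPassword))
}
```

Adding a recovery password protector does not by itself leave the "waiting for activation" state; that still requires a TPM (or other) protector and protection being turned on, which the report's ProtectorTypes and ProtectionStatus fields let you verify.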

Source: Windows Questions
