I have a script that is supposed to enable Bitlocker on a windows device. This is the script I have so far.
# Define the length of the random string
$length = 48
# Define the character set
$characters = '1234567890'
# Create a random string
$randomString = -join ((1..$length) | ForEach-Object { Get-Random -Maximum $characters.length | ForEach-Object { $characters[$_] } })
# Output the random string
Write-Host "Random String: $randomString"
#Convert to a SecureString variable
$SecureString = ConvertTo-SecureString $randomString -AsPlainText -Force
# Output the random string
Write-Host "Secure String: $SecureString"
# Specify the drive letter
$drive = "C:"
# Turn on BitLocker for the drive
Enable-BitLocker -MountPoint $drive -RecoveryPasswordProtector -RecoveryPassword $SecureString -EncryptionMethod XtsAes128 -UsedSpaceOnly -SkipHardwareTest
According to the Microsoft documentation, -RecoveryPassword should generate its own value if used with -RecoveryPasswordProtector, but thats not working for me.
-RecoveryPassword Specifies a recovery password. If you do not specify this parameter, but you do include the RecoveryPasswordProtector parameter, the cmdlet creates a random password. You can enter a 48-digit password. The password specified or created acts as a protector for the volume encryption key.
Link to Microsoft Documentation
Also, due to existing group policy settings (which I have no control over) I have to use -RecoveryPasswordProtector, as opposed to any of the other options.
When I run the script, I get the following error:
PS C:\Temp> & '.\Enable Bitlocker.ps1'
Random String: 965827285728398492106062495600759349012636829500
Secure String: System.Security.SecureString
Add-RecoveryPasswordProtectorInternal : The format of the recovery password provided is invalid. BitLocker recovery
passwords are 48 digits. Verify that the recovery password is in the correct format and then try again. (Exception
from HRESULT: 0x80310035)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3675 char:36
+ ... $nResult = Add-RecoveryPasswordProtectorInternal $MountPoint[$i] $Re ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-RecoveryPasswordProtectorInternal
Enable-BitLockerInternal : Group Policy settings require that a recovery password be specified before encrypting the
drive. (Exception from HRESULT: 0x8031002C)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:3738 char:48
+ ... eInternal = Enable-BitLockerInternal -MountPoint $BitLockerVolumeInte ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Enable-BitLockerInternal
I have tried various different methods of inputting the -RecoveryPassword string.
- As in the code above, having a 48 character numerical string generated, then converted to a secure string and added as a variable.
- skipping the random string and just inputting a 48 character numerical string into the convert to secure string section.
- Skipping the convert to secure string and just using the random string
- Not using the random string or convert to secure string and just inputting the 48 character numerical string directly as the value for -RecoveryPassword
- Trying to put [square brackets] around the -RecoveryPassword parameter, as it shows in the example from the Microsoft Documentation:
Enable-BitLocker
[-MountPoint] <String[]>
-RecoveryPasswordProtector
[[-RecoveryPassword] <String>][-EncryptionMethod <BitLockerVolumeEncryptionMethodOnEnable>]
[-HardwareEncryption][-SkipHardwareTest]
[-UsedSpaceOnly]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
-RecoveryPassword
expects aString
, but you are passing aSecureString
.If you are generating a random password anyway, why don't you let it generate by the cmdlet itself? Just specify the
-RecoveryPasswordProtector
parameter and omit the-RecoveryPassword
parameter.