BitLocker encryption with CW Automate: A guide to locking down your lost or stolen Windows machine

Question:

How can I write a script that remotely triggers BitLocker encryption and requires a password on reboot?

I am using CW Automate to run scripts on Windows machines that are lost or stolen. I want the script to enable BitLocker (which is already installed) on the C: drive and then restart the machine. This should force the user to enter the BitLocker password on a blue screen before accessing Windows.

However, when I run the following commands:

manage-bde -protectors -enable C:

shutdown /r /t 0

The machine reboots without asking for the BitLocker password. It seems that the manage-bde command does not work as expected.

Is there a way to fix this issue or an alternative method to achieve the same goal of locking down a computer remotely?


Answer:

How to remotely lock down a Windows machine with BitLocker

BitLocker is the Windows full-volume encryption feature: the operating system drive is encrypted with a volume key, and that key is released at boot only by one of the "key protectors" attached to the volume (TPM, TPM plus PIN, a startup key on USB, or the 48-digit recovery password). If a Windows machine is lost or stolen, you may want to remotely turn BitLocker on, or change its protectors, so that the next boot stops at the pre-boot BitLocker screen and cannot continue without a secret the thief does not have.

One way to do this is to use CW Automate, a tool that allows you to run scripts on remote machines. You can write a script that enables BitLocker on the C: drive and then restarts the machine. Done correctly, this forces a PIN or recovery password prompt on the blue pre-boot screen before Windows loads.

However, some users have reported that this method does not work as expected. They have used the following commands in their script:

manage-bde -protectors -enable C:

shutdown /r /t 0

But the machine reboots without asking for anything. The problem is not that manage-bde is broken; it is that -protectors -enable is the wrong subcommand for the job.

manage-bde -protectors -enable does not encrypt anything and does not add a protector. It only resumes protectors that were previously suspended with manage-bde -protectors -disable (the "suspend protection" state used around firmware updates). If nothing was suspended, the command is a no-op.

So there are two cases, and the command helps in neither. If the drive is not encrypted yet, there is nothing to enable and the machine boots normally. If the drive is already encrypted with the default TPM-only protector, the TPM unseals the volume key automatically at boot, so there is still no prompt. A pre-boot prompt only appears when the volume's protectors require something the firmware cannot supply on its own: a PIN (TPM+PIN), a startup key, or the recovery password when no TPM protector exists at all. You can see which protectors a volume has with manage-bde -protectors -get C:, and its encryption state with manage-bde -status C:.

How to fix it?

To fix this issue, turn encryption on explicitly with the -on switch and name the protectors you want when you do it; manage-bde never picks protectors for you, and the -protectors -enable line is not needed unless protection had been suspended. The protector you choose decides what the pre-boot screen asks for, so choose one that the thief cannot satisfy.

Here is an example of a script that does this:

manage-bde -on C: -rp

manage-bde -protectors -enable C:

shutdown /r /t 0

The first line turns BitLocker on and creates a recovery password protector (-rp is short for -RecoveryPassword). The 48-digit password is printed to standard output, so capture it from the CW Automate script output, because the machine itself is the one place you must not leave it. The alternative -rk (-RecoveryKey) switch writes a .BEK key file and needs a path argument, for example manage-bde -on C: -rk F:\, which is of little use on a remote machine. Note that because this script adds no TPM protector, the recovery password is the only protector on the volume, and BitLocker will therefore stop at the recovery screen on every boot and demand the 48-digit password. That is what locks the machine out. Two caveats: encryption continues in the background after the reboot, and until manage-bde -status C: reports 100 percent, the sectors not yet encrypted are still plaintext on the disk for anyone who pulls the drive (adding -usedspaceonly to -on shortens the window considerably); and BitLocker will refuse to turn on if the volume is not prepared for it, so check manage-bde -status C: first.

The second line only resumes suspended protectors, as described above; it does not select a TPM protector or any other, and it is harmless but redundant here. If you want the user to type a short PIN instead of a 48-digit recovery password, add a TPM+PIN protector before turning encryption on:

manage-bde -protectors -add C: -tp

The -tp (-TPMAndPIN) switch requires a TPM that is present and ready, may require Group Policy to permit a startup PIN, and prompts interactively for the PIN, which a remote script cannot answer; the PowerShell cmdlet Add-BitLockerKeyProtector -TpmAndPinProtector, which takes the PIN as a SecureString, is the scriptable equivalent. Do not use -pw: the password protector is only supported on data drives, not the operating system drive. And do not add a plain -tpm protector on a lost machine, because a TPM-only protector is exactly what lets the machine boot with no prompt at all.

The third line restarts the machine. On the next boot BitLocker shows its pre-boot screen and asks for the PIN, or for the recovery password if the recovery password is the only protector. Finally, if the drive was already encrypted with a TPM-only protector before it was lost, you do not need to re-encrypt anything: manage-bde -forcerecovery C: removes the TPM-related protectors and forces the volume into recovery mode on the next boot, so only the recovery password will get past the pre-boot screen.

Conclusion

This article has shown you how to remotely lock down a Windows machine with BitLocker using CW Automate. You have learned how to encrypt the drive, enable the protectors, and require a password on reboot. This can help you secure your data and prevent unauthorized access in case your machine is lost or stolen.
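The whole procedure above, as an added PowerShell example rather than code from the page or from ConnectWise, written the way a CW Automate script step running as SYSTEM would do it: it handles both the not-yet-encrypted drive and the already-encrypted TPM-only drive, escrows the recovery password off the machine before it changes anything that could lock the administrator out too, and only then strips the TPM-bound protectors. The mount point C: and the UNC escrow share are assumptions, not from the original page.

```powershell
# Added example (not the page's or ConnectWise's code): remote BitLocker lock-down.
# Assumed: OS volume is C:, the BitLocker PowerShell module is available, and
# \\server\bitlocker-escrow is a hypothetical share this machine can still reach.
function Invoke-BitLockerLockdown {
    param(
        [string]$MountPoint = 'C:',
        [string]$EscrowPath = '\\server\bitlocker-escrow',   # hypothetical
        [switch]$Reboot
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Case 1: not encrypted yet. Turn BitLocker on with the recovery password as
        # the ONLY protector: with no TPM protector the pre-boot environment has
        # nothing to unseal the key with, so every boot stops at the recovery screen.
        # -UsedSpaceOnly shortens the plaintext-on-disk window; -SkipHardwareTest
        # avoids the extra interactive reboot a remote job cannot answer.
        $vol = Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector `
                   -UsedSpaceOnly -SkipHardwareTest
    }
    elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Case 2: already encrypted (typically TPM-only, which boots with no prompt)
        # but without a recovery password. Add one before touching anything else.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    }

    # Escrow the recovery password BEFORE removing protectors: append it to the
    # share and echo it so the RMM captures it in the script output either way.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object -First 1
    $record = [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        KeyProtectorId   = $rp.KeyProtectorId
        RecoveryPassword = $rp.RecoveryPassword
        Timestamp        = (Get-Date).ToString('o')
    }
    try   { $record | Export-Csv -Path (Join-Path $EscrowPath 'recovery.csv') -Append -NoTypeInformation }
    catch { Write-Warning "Escrow share unreachable, relying on script output: $_" }
    Write-Output ('RECOVERY {0} {1}' -f $rp.KeyProtectorId, $rp.RecoveryPassword)

    # Protection must be active, not suspended (this is what manage-bde -protectors
    # -enable does), otherwise the volume key is stored in the clear on disk.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    # Strip every TPM-bound protector so the recovery password is the only way in.
    # This is what manage-bde -forcerecovery does; no-op on a freshly enabled drive.
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($kp in ($vol.KeyProtector | Where-Object { $tpmTypes -contains $_.KeyProtectorType })) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Report the state the machine will reboot into. EncryptionPercentage below 100
    # means the remaining sectors are still plaintext until the background job finishes.
    $final = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Output ('{0}: {1}, protection {2}, {3}% encrypted, protectors: {4}' -f `
        $MountPoint, $final.VolumeStatus, $final.ProtectionStatus,
        $final.EncryptionPercentage, ($final.KeyProtector.KeyProtectorType -join ','))

    if ($Reboot) { Restart-Computer -Force }
    return $final
}

# Dry run without the reboot; add -Reboot once the RECOVERY line shows up in the job output.
Invoke-BitLockerLockdown -MountPoint 'C:'
```

Run it once without -Reboot and confirm the RECOVERY line and the escrow row exist before the reboot step, because after the TPM protectors are gone the recovery password is the only thing that will get anyone, including you, past the pre-boot screen. If you would rather the user type a short PIN than the 48-digit password, add a TpmAndPin protector with Add-BitLockerKeyProtector -TpmAndPinProtector -Pin (a SecureString) instead of removing the TPM protectors; that path needs a ready TPM and a policy that permits a startup PIN.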
