Generate BitLocker RecoveryID and Password using PowerShell
Use the script below to generate a BitLocker recovery ID and recovery password with PowerShell. It enables BitLocker on the system drive with a TPM + PIN protector, sets a random startup PIN, and exports the hostname, startup PIN, recovery key ID and recovery password to a text file.
Open PowerShell as Administrator and run the script; the text file is written to the location set in $OutputPath. The TPM + PIN protector can only be created when the group policy "Require additional authentication at startup" allows a startup PIN with the TPM; otherwise Enable-BitLocker fails with a policy error.
# Ensure the script runs with administrative privileges
if (!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "You do not have Administrator rights to run this script! Please re-run this script as an Administrator."
exit
}
# Generate a random 6-digit PIN. Get-Random's -Maximum is exclusive, so 1000000 keeps 999999 in range.
# Keep it as a string so it is passed to ConvertTo-SecureString unchanged.
$BitlockerPin = (Get-Random -Minimum 100000 -Maximum 1000000).ToString()
# Define the drive to encrypt
$Drive = "C:"
# Enable BitLocker with a TPM + PIN protector. -SkipHardwareTest starts encryption without the
# reboot-and-hardware-test cycle that Enable-BitLocker otherwise schedules for TPM-based protectors.
try {
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 -TpmAndPinProtector -Pin (ConvertTo-SecureString -String $BitlockerPin -AsPlainText -Force) -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop | Out-Null
    # Enable-BitLocker creates only the protector named on its command line. Add the recovery
    # password protector explicitly, otherwise there is no recovery ID or password to export.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
} catch {
    Write-Error "Failed to enable BitLocker on ${Drive}: $_"
    exit 1
}
# Key protectors exist as soon as the cmdlets return; encryption itself continues in the background
# and can be followed with (Get-BitLockerVolume -MountPoint $Drive).EncryptionPercentage.
Start-Sleep -Seconds 10
# Retrieve the recovery password protector once: KeyProtectorId is the recovery ID,
# RecoveryPassword is the 48-digit recovery password
$RecoveryProtector = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
$RecoveryKey = $RecoveryProtector.RecoveryPassword
$RecoveryID  = $RecoveryProtector.KeyProtectorId
# Get the hostname of the machine
$Hostname = $env:COMPUTERNAME
# Define the path to save the recovery information and make sure the folder exists (Out-File does not create it)
$OutputPath = "C:\Temp\$Hostname.txt"
New-Item -ItemType Directory -Path (Split-Path -Parent $OutputPath) -Force | Out-Null
# Export the recovery information to a text file
@"
Hostname: $Hostname
BitLocker PIN: $BitlockerPin
Recovery ID: $RecoveryID
Recovery Password: $RecoveryKey
"@ | Out-File -FilePath $OutputPath -Force
Write-Output "BitLocker has been enabled and the recovery information has been saved to $OutputPath"
Script Logic:
1. Check for Administrative Privileges:
The script checks if it is running with administrative privileges and exits if not.
2. Generate a Random PIN:
A random 6-digit PIN is generated using Get-Random.
3. Enable BitLocker:
The Enable-BitLocker cmdlet enables BitLocker on the specified drive (C:) with a TPM and PIN protector. The PIN is converted to a secure string using ConvertTo-SecureString. A recovery password protector must also exist on the volume, since Enable-BitLocker creates only the protector it is given; without one the next step returns nothing.
4. Retrieve BitLocker Recovery Key and ID:
The Get-BitLockerVolume cmdlet returns the volume's key protectors; the RecoveryPassword protector's KeyProtectorId is the recovery ID and its RecoveryPassword property is the 48-digit recovery password.
5. Export Recovery Information:
The hostname, BitLocker PIN, recovery ID, and recovery password are exported to a text file located at C:\Temp\$Hostname.txt.
- Modify Paths as Needed: Adjust the output path ($OutputPath) to a location that suits your environment.
- Error Handling: You may want to add additional error handling to manage potential issues during the BitLocker enablement process.
- Security: The exported file holds the startup PIN and the recovery password in plaintext on the very volume they protect, so anyone who can read it can bypass BitLocker. Treat it as a transient artifact: restrict access to authorized personnel only, move it off the machine (or escrow the recovery password to Active Directory or Entra ID with Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector), and delete it afterwards.
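The checks and clean-up a practitioner wants after running the script, as an added example that is not part of the original script: confirm that both the TpmPin and RecoveryPassword protectors exist on the volume, lock the exported file's ACL down to SYSTEM and Administrators, and optionally escrow the recovery password to AD DS. The function names, the assumed $Drive / $OutputPath values matching the script above, and the requirement of a domain-joined machine for the escrow step are assumptions of this example.

```powershell
# Added example (not the original script's code). Assumes the script above has already run
# with $Drive = "C:" and $OutputPath = "C:\Temp\<hostname>.txt".
$Drive      = "C:"
$OutputPath = "C:\Temp\$env:COMPUTERNAME.txt"

function Test-BitLockerProtectors {
    # Returns the state the export step depends on: which protector types are present and
    # the recovery IDs. VolumeStatus/EncryptionPercent show that encryption is still running.
    param([string]$MountPoint = "C:")
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionPercent = $vol.EncryptionPercentage
        HasTpmPin         = $types -contains 'TpmPin'
        HasRecoveryPass   = $types -contains 'RecoveryPassword'
        RecoveryIds       = @($vol.KeyProtector |
                              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                              Select-Object -ExpandProperty KeyProtectorId)
    }
}

function Protect-RecoveryFile {
    # Replace the inherited ACL on the exported file with SYSTEM and Administrators only,
    # so a standard user on the box cannot read the PIN and recovery password.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)               # drop any explicit ACEs too
    }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Backup-RecoveryPasswordToAD {
    # Escrow every RecoveryPassword protector on the volume to AD DS (assumes a domain-joined
    # machine whose AD schema accepts BitLocker recovery information). After this succeeds the
    # plaintext file is no longer needed and should be deleted.
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Escrowed recovery password $($kp.KeyProtectorId) to AD DS"
    }
}

# Usage: fail loudly if the script left the volume without one of the two protectors.
$state = Test-BitLockerProtectors -MountPoint $Drive
if (-not ($state.HasTpmPin -and $state.HasRecoveryPass)) {
    throw "Expected TpmPin and RecoveryPassword protectors on $Drive, found: $($state | ConvertTo-Json -Compress)"
}
$state | Format-List
if (Test-Path $OutputPath) { Protect-RecoveryFile -Path $OutputPath }
# Backup-RecoveryPasswordToAD -MountPoint $Drive   # domain-joined machines only; then Remove-Item $OutputPath
```

The protector check is the important part: a TPM + PIN volume with no RecoveryPassword protector cannot be unlocked by the help desk if the PIN is forgotten or the TPM is cleared, and the script's export would silently write empty Recovery ID and Recovery Password fields.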
By following these steps and using the provided script, you can enable BitLocker on a Windows 10 machine, set a random PIN, and export the necessary recovery information using PowerShell.