Turn on BITLOCKER with a GPO

Marshall 11 Reputation points

Hi all,
I would need to turn on BitLocker with a GPO.
I've created a policy where I've added the ps1 below to the startup:

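# Read the current BitLocker state of the system drive
$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
    # Start encryption with a recovery password protector, skipping the hardware test
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}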

but it only works when I run it by opening PowerShell locally and "as administrator"

this is the error that I receive when not running as administrator:


any suggestions?
Thank you very much


4 answers

  1. Limitless Technology 39,461 Reputation points

    Hello Marshall

    I do it in a different way, using purely group policy

    1. Go to Group Policy Editor in "gpedit.msc"
    2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. In the right pane, double-click "Require additional authentication at startup"
    4. Make sure the "Enabled" option is chosen so that all other options below will be active.
    5. Uncheck the box for "Allow BitLocker without a compatible TPM."
    6. For the choice of "Configure TPM startup:", choose "Allow TPM."
    7. For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
    8. For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
    9. For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
    10. Click the "Apply" button and then the "OK" button to save the changes.

    Hope this helps in your case,

    Best regards,

    1 person found this answer helpful.

  2. Marshall 11 Reputation points

    Hi LimitLess,
    thanks for your reply!
    I created a policy with your instructions but unfortunately BitLocker is still not applied:


    any suggestions?

    Thank you very much

    Best regards


  3. MTG 1,201 Reputation points

    GPOs alone cannot encrypt (unless you have MBAM).
    See my article. It uses a GPO to start it scripted: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html?preview=hG26jVC1xow%3D

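A scripted start of encryption of the kind discussed in this thread, as an added example that is not code from any of the posters. It assumes the script is assigned as a computer startup script (Computer Configuration > Windows Settings > Scripts > Startup), where it runs as Local System rather than as the logged-on user, that the machine is domain-joined with AD DS backup of recovery information allowed, and that the operating system drive policy permits a TPM-only protector. The log path is a hypothetical name chosen for the example.

```powershell
# Added example: enable BitLocker on the system drive from a computer startup script.
# Assumptions: runs as SYSTEM, TPM present, AD DS recovery backup permitted by policy.
$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive                                    # normally C:
$log   = Join-Path $env:ProgramData 'BitLockerStartup.log'   # hypothetical log path

function Write-Log([string]$Message) {
    Add-Content -Path $log -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

try {
    $vol = Get-BitLockerVolume -MountPoint $mount
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Log "Nothing to do: $mount is $($vol.VolumeStatus)"
        return
    }

    # Do not start encryption on hardware that cannot hold the key in a TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Log 'TPM missing or not ready; BitLocker not enabled'
        return
    }

    # Create the recovery password first and escrow it before any data is encrypted.
    # The password itself is never written to the log, only the protector ID.
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector `
            -WarningAction SilentlyContinue | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    Backup-BitLockerKeyProtector -MountPoint $mount `
        -KeyProtectorId $recovery.KeyProtectorId | Out-Null
    Write-Log "Recovery protector $($recovery.KeyProtectorId) backed up to AD DS"

    # Escrow succeeded (a failure above would have thrown), so start encryption.
    Enable-BitLocker -MountPoint $mount -TpmProtector -SkipHardwareTest | Out-Null
    Write-Log "Encryption started on $mount"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Because the backup step runs before `Enable-BitLocker`, a machine that cannot reach a domain controller at startup is left unencrypted and logged rather than encrypted with a recovery password nobody holds.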

  4. Francois Jacobs 1 Reputation point


    I have BitLocker turned on but it keeps asking me for a password when I start up.
    Is there a way to turn it on without the need to enter a password with every startup?