I am sure you more or less all know by now that I work in Switzerland. What an amazing country, I have to say! The mountains, the chocolate, the watches, the nature, and… their awesome army knives.

These knives are really super cool! They combine so many different functionalities in one, and they are so small that you can carry them everywhere with you: while camping, hiking, etc.

It is super handy! Need to open a can?
–> Use the Swiss army knife.
Went out for a lunch in the park with your girlfriend/boyfriend and need to open the bottle of Bordeaux Saint-Émilion you specially bought for the occasion?
–> Use the Swiss army knife.
Need to fix your shirt quickly before attending this job interview?
–> Again, Swiss army knife!

 

You got it, you can do everything with it :) But what does all of that have to do with PowerShell?
Well, I have recently been developing a PowerShell script for BitLocker remediation purposes. The knowledge I built from it made me realize that nothing really existed in PowerShell to manage the BitLocker parts.

Note: BitlockerSAK could be seen as a full PowerShell equivalent of manage-bde.exe.

I decided to create a PowerShell BitLocker encryption tool that lets any admin or system engineer manage the BitLocker encryption and TPM settings of a machine: the PowerShell BitLocker encryption tool function, aka "BitlockerSAK".

The BitlockerSAK function is a big Swiss army knife that is extremely helpful for managing PowerShell BitLocker encryption / remediation automation on Windows systems (especially prior to Windows 8.1). It contains all the functionality that you would expect to be there to help you manage your BitLocker environment.

Download powershell BitlockerSAK:

BitlockerSAK is free, and is available for download on Technet. Once downloaded, please remember to rate the script by clicking the stars, and do not hesitate to give me feedback concerning the tool.

Note: Remember that this function is in a continuous improvement process. Bug fixes and new features will come often, but all of this depends on your valuable feedback. Contact me through Twitter at @stephanevg, on the Technet comment section right here, or by commenting directly at the end of this article for bug fixes or new feature requests.

Get the BitlockerSAK now by clicking on the Microsoft Technet download link right here (and don't forget to rate it if you like it ;)

What can the powershell bitlocker Swiss army knife concretely do?

 

This powershell bitlocker encryption tool “BitlockerSAK” will enable the automation of the bitlocker encryption and TPM operations that need to be done on Microsoft Windows (R) machines through PowerShell.

The following actions can be done with BitlockerSAK:

  • Identify if the TPM is activated.
  • Identify if the TPM is enabled.
  • Identify if the TPM is owned.
  • Identify if the TPM ownership is allowed.
  • Get the current bitlocker protection status.
  • Start the bitlocker drive encryption. (with Pin).
  • Resume a bitlocker encryption that is in paused state.
  • Return the current bitlocker encryption percentage of the drive.
  • Return the BitLocker key protector IDs of the machine.
  • Return the encryption method of the encrypted drive.
  • Return the Key protector methods.

Help and examples can be easily found by using the integrated help system.

How does the PowerShell Bitlocker SAK work?

The Windows PowerShell BitlockerSAK tool is based on 3 different technologies: PowerShell, BitLocker and WMI.
The combination of PowerShell, BitLocker and WMI makes it possible to manage the complete BitLocker and TPM activities using a simple Windows PowerShell tool: BitlockerSAK.

As mentioned above, BitlockerSAK does not only cover PowerShell and BitLocker; you can also use it for the different TPM actions. Indeed, using the same combination as for BitLocker (PowerShell, TPM, WMI), BitlockerSAK will allow you to manage your TPM with PowerShell just like you would have done with manage-bde.exe.

PowerShell with the BitLocker WMI classes and PowerShell with the TPM WMI classes are the key features of BitlockerSAK.
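The kind of WMI calls this section refers to, as an added example that is not taken from the BitlockerSAK source: it reads the protection status, encryption percentage, encryption method and key protectors from the `Win32_EncryptableVolume` class. `Get-VolumeEncryptionSummary` is a hypothetical name; the example assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: reads BitLocker state directly from WMI. Run from an elevated prompt.
# Get-VolumeEncryptionSummary is a hypothetical name, not part of BitlockerSAK.
function Get-VolumeEncryptionSummary {
    param([string]$DriveLetter = $env:SystemDrive)

    # Value tables from the Win32_EncryptableVolume documentation.
    $protection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
    $conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                     3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
    $methods    = @{ 0 = 'None'; 1 = 'AES 128 with diffuser'; 2 = 'AES 256 with diffuser'
                     3 = 'AES 128'; 4 = 'AES 256'; 5 = 'Hardware encryption'
                     6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
    $protectors = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
                     4 = 'TPM and PIN'; 5 = 'TPM and startup key'
                     6 = 'TPM, PIN and startup key'; 7 = 'Public key'; 8 = 'Passphrase' }

    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }

    # Each WMI method returns its result in a named output property.
    $prot   = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
    $conv   = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $method = Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod
    # KeyProtectorType 0 asks for protectors of every type.
    $ids    = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                   -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID

    $types = foreach ($id in $ids) {
        $t = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                 -Arguments @{ VolumeKeyProtectorID = $id }
        # WMI returns UInt32; cast to [int] so the lookup matches the Int32 keys.
        $n = [int]$t.KeyProtectorType
        if ($protectors.ContainsKey($n)) { $protectors[$n] } else { "Type $n" }
    }

    [pscustomobject]@{
        DriveLetter          = $vol.DriveLetter
        ProtectionStatus     = $protection[[int]$prot.ProtectionStatus]
        ConversionStatus     = $conversion[[int]$conv.ConversionStatus]
        EncryptionPercentage = $conv.EncryptionPercentage
        EncryptionMethod     = $methods[[int]$method.EncryptionMethod]
        KeyProtectorIds      = @($ids)
        KeyProtectorTypes    = @($types)
    }
}

Get-VolumeEncryptionSummary
```

Values 6 and 7 in the method table are the XTS-AES modes used by newer Windows 10 builds; a lookup table that stops at 5 returns nothing for those volumes.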

BitlockerSAK usage examples:

How to get the current Bitlocker encryption status with Powershell?

 

Simply call the BitlockerSAK function without any parameter, and it will return an object with the current encryption status:

[Screenshot: BitLocker status with PowerShell and BitlockerSAK]

BitlockerSAK returns an object which can be integrated into existing script logic to identify and force the encryption.

 

How to remediate bitlocker drives that are not encrypted?

 

It is possible to use BitlockerSAK in script logic in order to remediate non-encrypted BitLocker drives. Below you can see an example:
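One way to express the remediation decision, as an added example that is not the author's original listing and does not call BitlockerSAK (its parameters are not shown on this page): it queries the `Win32_Tpm` and `Win32_EncryptableVolume` WMI classes directly. `Get-BitLockerRemediationAction` and its `-Resume` switch are hypothetical names; an elevated prompt and PowerShell 3.0 or later are assumed.

```powershell
# Added example: returns the remediation a machine needs, and optionally resumes
# a paused encryption. Function and parameter names are hypothetical.
function Get-BitLockerRemediationAction {
    param(
        [string]$DriveLetter = $env:SystemDrive,
        [switch]$Resume   # when set, a paused encryption is resumed instead of only reported
    )

    # 1. The TPM must be present, enabled and activated before TPM protectors can be used.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { return 'NoTpm' }
    $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
    $activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
    if (-not ($enabled -and $activated)) { return 'TpmNotReady' }

    # 2. Read the volume state.
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { return 'NoEncryptableVolume' }
    $conv = [int](Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus).ConversionStatus
    $prot = [int](Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus).ProtectionStatus

    # 3. Map the state to an action (ConversionStatus values as documented for the class).
    switch ($conv) {
        0 { 'StartEncryption' }                       # fully decrypted
        1 { if ($prot -eq 1) { 'Compliant' }          # encrypted and protection on
            else { 'ProtectionSuspended' } }          # encrypted, protectors disabled
        2 { 'EncryptionInProgress' }
        4 {                                           # encryption paused
            if (-not $Resume) { return 'ResumeEncryption' }
            $r = Invoke-CimMethod -InputObject $vol -MethodName ResumeConversion
            if ($r.ReturnValue -eq 0) { 'Resumed' } else { "ResumeFailed:$($r.ReturnValue)" }
        }
        default { 'DecryptionInProgressOrPaused' }    # 3 and 5
    }
}

Get-BitLockerRemediationAction
```

The returned string can drive a compliance check: anything other than `Compliant` or `EncryptionInProgress` marks the client for remediation.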

BitlockerSAK help and integrated examples:

 

In order to get more information on the bitlocker capabilities with powershell, use : Get-help Get-bitlockerInfo

Get-help BitlockerSAK

 

More help can be found using the following command:

To see examples of the powershell bitlocker encryption function bitlockerSAK, type this:

Download the bitlocker Swiss army knife:

 

The PowerShell BitLocker tool can be downloaded directly from Technet, or it can be copied and pasted from the listing below.

The Microsoft Technet download link is right here (and don't forget to rate it 😉).

Listing:

The listing of the latest version of the BitlockerSAK is available here below. You can copy and paste this function directly into one of your scripts or modules and start using it.

 

By | 2016-10-19T21:00:18+00:00 January 17th, 2014|Bitlocker, Functions, Header, PowerShell, WMI|19 Comments

About the Author:

Stéphane is a dynamic and passionate Cloud and datacenter Microsoft MVP since. He is the founder of the Basel PowerShell user Group (BPUG), the co-founder of the French Speaking PowerShell UserGroup (FRPSUG), author, blogger, and received the community award "PowerShell Hero" from PowerShell.org. Stéphane has implemented Microsoft infrastructure solutions in various countries of Europe and is currently working in Basel / Switzerland. Stéphane helps his clients to reduce their global infrastructure costs by implementing Microsoft infrastructure solutions, combining great products such as System Center and Windows Server with heavy automation using Windows PowerShell. Stéphane loves languages, Belgian beer, French cheese and French wine. If any of these topics are of interest to you, don't hesitate to come and say hi.

19 Comments

  1. 6d8bdaf3 July 10, 2017 at 3:22 pm - Reply

    EDIT to script – Insert below line 347 to get values for newer encryption methods.
    '6'{$Return = 'AES-XTS 128bit';break}
    '7'{$Return = 'AES-XTS 256bit';break}

  2. Richard Reyes November 7, 2016 at 7:55 pm - Reply

    Name Value
    ---- -----
    PSVersion 5.0.10586.63
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
    BuildVersion 10.0.10586.63
    CLRVersion 4.0.30319.42000
    WSManStackVersion 3.0
    PSRemotingProtocolVersion 2.3
    SerializationVersion 1.1.0.1

  3. Richard Reyes September 28, 2016 at 9:56 pm - Reply

    The Values returned for KeyProtectorType “UNKNOWN” and EncryptionMethod “6” “NONE” seem to be wrong when compared with manage-bde -status. Even when I try the WMI query by hand, the results are wrong, even the https://msdn.microsoft.com/en-us/library/windows/desktop/aa376432(v=vs.85).aspx looks to be wrong or backwards. I’ve tested this on 2 different Win10 ENT computers

    • svangulick September 29, 2016 at 6:50 pm - Reply

      Hi Richard,

      Which version of Windows are you running it on?
      What version of PowerShell? ($psversiontable)

      • Richard Reyes November 7, 2016 at 7:54 pm - Reply

        Windows 10, PSVersion: 5.0.10586.63

  4. Karel Martens August 29, 2016 at 12:23 pm - Reply

    Hi, I’m running w10 anniversary ed. and the tool doesn’t do anything when launching it .\BitlockerSAK
    any ideas?

  5. George Potwin June 16, 2016 at 5:04 pm - Reply

    How can I use this pulling from a .txt file that has a list of systems in it?

  6. Paddy May 12, 2016 at 11:07 am - Reply

    Hi Ben,

    If I use BitlockerSAK to help me achieve encrypting 10 PCs with the same Complex Pin and TPM will the recover key for all 10 PCs be the same or a unique recover key generated for each even though the complex pin will be the same for all 10 PCs?

  7. Jeremy Saunders February 22, 2016 at 4:32 am - Reply

    Hi Stephane,

    It’s a wonderful script.

    It’s worth noting that it requires PowerShell 3.0. The script/function fails under PowerShell 2.0. It wasn’t obvious to me at first.

    Also, could you document how you integrated it into a SCCM Configuration Item when you have a chance?

    Cheers,
    Jeremy

  8. Rob Sexton January 7, 2016 at 2:16 pm - Reply

    Is there a command that can show me the status of Bitlocker encryption from a list of multiple clients?

    • Stephane January 7, 2016 at 2:21 pm - Reply

      You could put all your computers into an array, and query all of them using the bitlockersak and a simple foreach

    • Stephane January 11, 2016 at 3:09 pm - Reply

      Not yet, but I am working on it 😉

  9. Morten Andersen August 26, 2015 at 9:44 am - Reply

    Hi Stephane. This looks awesome, have you written a guide on how to use it with Configuration Manager?

    • Stephane August 26, 2015 at 2:53 pm - Reply

      Hi Morten,

      Thanks for the nice words. No, I haven't actually, but you should find some basic help using: get-help .\bitlockersak

  10. […] lot of the following script examples come from a function I wrote called BitLockerSAK. It is a tool written in Windows PowerShell that makes BitLocker tasks easier to […]

  11. alvin Huff March 10, 2015 at 5:28 pm - Reply

    hello,
    Is your function usable with SCCM 2012 or is this meant to target individual machines?

    cheers,

    alvin

    • Stephane March 19, 2015 at 6:07 pm - Reply

      Hello Alvin,

      It can be used for both purposes. I have used it before on individual computers and also implemented it in Configuration Manager using Configuration Items in order to check and remediate non-encrypted clients.

      Cheers
