I'm supposed to automate BitLocker for our laptops. We don't use the TPM for BitLocker but an extended PIN code: a combination of a hardcoded standard key and a device-related number. This is given by:
$result = (Get-CimInstance win32_bios).SerialNumber -replace '\D' -replace '\d*(?=\d{4}$)'
$SecString = 'Co.de,' + $result.PadLeft(4, '0')
If I test it with Write-Host, this procedure works so far.
Now I'm trying to convert this to a SecureString:
$SecureString = ConvertTo-SecureString $SecString -AsPlainText -Force
and use it as the BitLocker PIN:
Enable-BitLocker -MountPoint "C:" -Pin $SecureString
(The recovery key is automatically stored in the computer account container in AD, enforced by GPO. If encryption is started manually, storing the recovery key works.)
Unfortunately, $SecureString doesn't work:
Error: "System.String" cannot be converted to "System.Security.SecureString".
+ Enable-BitLocker -MountPoint "C:" -Pin $SecureString
+ ~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Enable-BitLocker], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Enable-BitLocke
Does somebody have an idea what's wrong here?
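As an added example (not code from the original post), here is the same derivation wrapped in functions, with the check a practitioner wants before calling Enable-BitLocker: confirm the object that reaches -Pin really is a System.Security.SecureString, and see which module and process bitness the cmdlet resolves from. The function names, the -SerialNumber override and the Write-Verbose diagnostics are my additions; 'Co.de,' is the placeholder prefix from the post. It assumes Windows PowerShell 5.1 (64-bit) with the BitLocker module present, and uses the fact that -Pin belongs to Enable-BitLocker's TpmAndPinProtector parameter set, so that switch is named explicitly.

```powershell
# Added example, not code from the original post. Derives the PIN the way the post does,
# converts it to a SecureString, and verifies the type before calling Enable-BitLocker.
# Assumes Windows PowerShell 5.1 (64-bit) with the BitLocker module available.

function Get-DerivedPin {
    [CmdletBinding()]
    param(
        # The hardcoded "standard key" prefix; 'Co.de,' is the placeholder used in the post.
        [string]$Prefix = 'Co.de,',
        # Last four digits of the BIOS serial; overridable so the derivation can be tested anywhere.
        [string]$SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    )
    # Note: a PIN built from a shared constant plus the chassis serial is predictable
    # to anyone who knows the scheme and can read the serial sticker.
    $digits = $SerialNumber -replace '\D'                          # drop every non-digit
    $last4  = ($digits -replace '\d*(?=\d{4}$)').PadLeft(4, '0')   # keep the final four, zero-pad short serials
    $plain  = $Prefix + $last4
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Drop the clear-text reference; .NET strings are immutable, so this does not scrub memory.
    $plain  = $null
    return $secure
}

function Assert-SecureString {
    param([Parameter(Mandatory)][object]$Value)
    # This is the check the error message is about: what type actually reaches the -Pin parameter?
    $type = $Value.GetType().FullName
    if ($Value -isnot [System.Security.SecureString]) {
        throw "Expected System.Security.SecureString but got $type"
    }
    return $type
}

function Enable-DerivedPinBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = 'C:')

    $pin = Get-DerivedPin
    $null = Assert-SecureString -Value $pin

    # Report where Enable-BitLocker resolves from and whether we are a 64-bit process;
    # useful when a deployment tool launches the script in an unexpected host.
    $cmd = Get-Command -Name Enable-BitLocker -ErrorAction Stop
    Write-Verbose ("Enable-BitLocker from module '{0}'; 64-bit process: {1}" -f $cmd.ModuleName, [Environment]::Is64BitProcess)

    # -Pin belongs to the TpmAndPinProtector parameter set, so name the protector explicitly.
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable-BitLocker with TPM+PIN protector')) {
        Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
    }
}

# Dry run with diagnostics first, then for real:
#   Enable-DerivedPinBitLocker -WhatIf -Verbose
#   Enable-DerivedPinBitLocker
```

Run the dry run first: -WhatIf lets you see the type check and the module diagnostics without touching the volume, and Get-DerivedPin -SerialNumber 'ABC12345678' can be used to confirm the derivation on a machine other than the target.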