tabbed xp

This commit is contained in:
Paolo Matarazzo
2023-10-03 09:35:45 -04:00
parent 5b2de5391d
commit 5629f3c984
5 changed files with 74 additions and 81 deletions

View File

@ -37,15 +37,6 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen
1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. <br><br> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|UEFI firmware/BIOS configuration|<ul><li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li> <li> The firmware must be able to read from a USB flash drive during startup.</li></ul>|
|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
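Review bot: the header (-37,15 +37,6) shows nine lines removed and none added, so the requirements table under step 1 appears to go while the lead-in sentence "By default, the system requirements are:" still ends in a colon that now introduces nothing. Either rephrase step 1 to point at where the table now lives, or keep a one-line summary of the requirements here so the numbered step still reads on its own.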
@ -231,10 +222,6 @@ manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
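Review bot: the heading "## Encrypting volumes using the BitLocker Windows PowerShell cmdlets" is left with no body and is immediately followed by "## Checking BitLocker status"; with the four lines beneath it dropped (-231,10 +222,6), the heading should be removed as well, otherwise it renders as an empty section and leaves a dangling anchor for any existing links to it.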
@ -257,31 +244,6 @@ The drive security window displays prior to changing the volume status. Selectin
Once BitLocker protector activation is completed, the completion notice is displayed.
### Checking BitLocker status with `manage-bde.exe`
Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using `manage-bde.exe`, use the following command:
```powershell
manage-bde.exe -status <volume>
```
> [!NOTE]
> If no volume letter is associated with the -status command, all volumes on the computer display their status.
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
```powershell
Get-BitLockerVolume <volume> -Verbose | fl
```
This command displays information about the encryption method, volume type, key protectors, and more.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
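Review bot: with the two "### Checking BitLocker status with ..." subsections removed (-257,31 +244,6), "### Provisioning BitLocker during operating system deployment" becomes the only H3 under "## Checking BitLocker status" even though it is not about status checks; consider promoting it to an H2. Also add a pointer from "Checking BitLocker status" to wherever the `manage-bde.exe -status <volume>` and `Get-BitLockerVolume <volume> -Verbose | fl` examples now live, so the note that omitting the volume letter reports every volume is not lost from this topic.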

Binary file not shown.


Binary file not shown.


View File

@ -13,6 +13,79 @@ BitLocker drive encryption tools include the two command-line tools *manage-bde.
The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="images/powershell.png"::: **Intune**](#tab/powershell)
Similar to manage-bde, the PowerShell cmdlets allow configuration beyond the options offered in the control panel. A good initial step is to determine the current state of the volume(s) on the computer. For example, to determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details.
```powershell
PS C:\> Get-BitLockerVolume C: | fl
ComputerName : DESKTOP
MountPoint : C:
EncryptionMethod : XtsAes128
AutoUnlockEnabled :
AutoUnlockKeyStored : False
MetadataVersion : 2
VolumeStatus : FullyEncrypted
ProtectionStatus : On
LockStatus : Unlocked
EncryptionPercentage : 100
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 1000
KeyProtector : {Tpm, RecoveryPassword}
```
To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
The following commands return the list of key protectors and GUIDS:
```PowerShell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
$keyprotectors
```
By using this information, the key protector for a specific volume can be removed using the command:
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
#### [:::image type="icon" source="images/cmd.png"::: **Intune**](#tab/cmd)
```cmd
C:\>manage-bde -status
Volume C: [Local Disk]
[OS Volume]
Size: 1000 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
```
#### [:::image type="icon" source="images/locked-drive.svg"::: **Intune**](#tab/controlpanel)
---
## Manage-bde
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
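Review bot: all three tab headers are labeled **Intune** (the `#tab/powershell`, `#tab/cmd` and `#tab/controlpanel` lines) while their icons and anchors indicate PowerShell, Command Prompt and Control Panel; fix the labels to match the anchors. The control panel tab is also empty (its header is followed directly by `---`), and the cmd tab has no sentence introducing the `manage-bde -status` listing, so it never says that the output answers the same "determine the current state" question as the PowerShell tab. Minor: the second fence is tagged `PowerShell` while the others use `powershell`, and `Get-BitLockerVolume` with no mount point returns every volume, so `$vol.KeyProtector` lists the protectors of all volumes rather than of "the volume" as the surrounding text implies.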
@ -25,13 +98,9 @@ Listed below are examples of basic valid commands for operating system volumes.
A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
```cmd
manage-bde.exe -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
![Using manage-bde to check encryption status.](images/manage-bde-status.png)
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume.
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
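Review bot: the sentence "This command returns the volumes on the target, current encryption status, encryption method, and volume type ..." appears twice, once ending in a colon that introduces the manage-bde-status.png screenshot and once ending in a period; with the header (-25,13 +98,9) showing a net removal of four lines, make sure only one copy survives, and if the screenshot is dropped it is the colon version that should go, since that colon would otherwise introduce nothing.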
@ -127,45 +196,7 @@ The BitLocker PowerShell module enables administrators to integrate BitLocker op
- `Suspend-BitLocker`
- `Unlock-BitLocker`
Similar to manage-bde, the PowerShell cmdlets allow configuration beyond the options offered in the control panel. A good initial step is to determine the current state of the volume(s) on the computer. For example, to determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details.
```powershell
PS C:\> Get-BitLockerVolume C: | fl
ComputerName : DESKTOP
MountPoint : C:
EncryptionMethod : XtsAes128
AutoUnlockEnabled :
AutoUnlockKeyStored : False
MetadataVersion : 2
VolumeStatus : FullyEncrypted
ProtectionStatus : On
LockStatus : Unlocked
EncryptionPercentage : 100
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 1000
KeyProtector : {Tpm, RecoveryPassword}
```
To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
The following commands return the list of key protectors and GUIDS:
```PowerShell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
$keyprotectors
```
By using this information, the key protector for a specific volume can be removed using the command:
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
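Review bot: this hunk (-127,45 +196,7) removes the `Get-BitLockerVolume` state check and the `Remove-BitLockerKeyProtector` walkthrough from between the cmdlet list and "### Using the BitLocker Windows PowerShell cmdlets with operating system volumes"; since the subsections that follow assume the reader has already determined volume state and cleared existing protectors, add a short cross-reference to the tabbed status section in its new location so that "A good initial step is to determine the current state of the volume(s)" is not silently lost from this part of the topic.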