From 9e45ddf83c44c119fb578f3e283913eb933e5a49 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 4 Oct 2023 08:01:46 -0400 Subject: [PATCH] updates --- .../data-protection/bitlocker/manage.md | 570 +++++++++--------- 1 file changed, 283 insertions(+), 287 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/manage.md b/windows/security/operating-system-security/data-protection/bitlocker/manage.md index df02a95dec..692b35f2c0 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/manage.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/manage.md 
@@ -1,169 +1,24 @@ --- -title: Manage BitLocker in your organization -description: Learn how to use different tools to manage BitLocker in your organization. +title: BitLocker common operations +description: Learn how to use different tools to operate BitLocker in your organization. ms.collection: - tier1 ms.topic: how-to ms.date: 07/25/2023 --- -# Manage BitLocker in your organization +# BitLocker common operations -BitLocker drive encryption tools include the two command-line tools *manage-bde.exe* and *repair-bde.exe*, and the BitLocker PowerShell module. +There are differnt tools and options to operate BitLocker: -The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. +- the BitLocker drive encryption tools include the two command-line tools *manage-bde.exe* and *repair-bde.exe* +- the BitLocker PowerShell module +- Control Panel -Follow the instructions below to configure your devices, selecting the option that best suits your needs. +The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker control panel. They are appropriate to use for automated deployments and other scripting scenarios. -#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) +Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. 
For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. -Similar to manage-bde, the PowerShell cmdlets allow configuration beyond the options offered in the control panel. A good initial step is to determine the current state of the volume(s) on the computer. For example, to determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details. - -```powershell -PS C:\> Get-BitLockerVolume C: | fl - -ComputerName : DESKTOP -MountPoint : C: -EncryptionMethod : XtsAes128 -AutoUnlockEnabled : -AutoUnlockKeyStored : False -MetadataVersion : 2 -VolumeStatus : FullyEncrypted -ProtectionStatus : On -LockStatus : Unlocked -EncryptionPercentage : 100 -WipePercentage : 0 -VolumeType : OperatingSystem -CapacityGB : 1000 -KeyProtector : {Tpm, RecoveryPassword} -``` - -To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed. - -The following commands return the list of key protectors and GUIDS: - -```PowerShell -$vol = Get-BitLockerVolume -$keyprotectors = $vol.KeyProtector -$keyprotectors -``` - -By using this information, the key protector for a specific volume can be removed using the command: - -```powershell -Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" -``` - -> [!NOTE] -> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. 
Ensure the entire GUID, with braces, is included in the command. - -#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) - -```cmd -C:\>manage-bde -status - -Volume C: [Local Disk] -[OS Volume] - - Size: 1000 GB - BitLocker Version: 2.0 - Conversion Status: Used Space Only Encrypted - Percentage Encrypted: 100.0% - Encryption Method: XTS-AES 128 - Protection Status: Protection On - Lock Status: Unlocked - Identification Field: Unknown - Key Protectors: - TPM - Numerical Password -``` - -#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) - ---- - -## Manage-bde - -Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. - -Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. - -### Using manage-bde with - -## Manage operating system volumes - - -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. 
However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume. - -A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status: - -This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume. - -The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process. - -```cmd -manage-bde.exe -protectors -add C: -startupkey E: -manage-bde.exe -on C: -``` - -> [!NOTE] -> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. - -An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command: - -```cmd -manage-bde.exe -protectors -add C: -pw -sid -``` - -The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on. - -On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. 
To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command: - -```cmd -manage-bde.exe -on C: -``` - -The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command: - -```cmd - manage-bde.exe -protectors -get -``` - -## Manage data volumes - -Follow the instructions below to configure your devices, selecting the option that best suits your needs. - -#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) - -Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a -SecureString value to store the user-defined password. - -```powershell -$pw = Read-Host -AsSecureString - -Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw -``` - -> [!NOTE] -> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. - -#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) - -Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: - -`manage-bde.exe -on ` - -or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume. - -A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on. 
- -```cmd -manage-bde.exe -protectors -add -pw C: -manage-bde.exe -on C: -``` -#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) - ---- ## BitLocker Repair Tool @@ -197,6 +52,9 @@ For more information about using repair-bde, see [Repair-bde](/previous-versions ## BitLocker PowerShell module +Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. + + The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. Here's a lists of the cmdlets included in the BitLocker PowerShell module: - `Add-BitLockerKeyProtector` 
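Review bot: typo in the new introduction of `@@ -1,169 +1,24 @@`: "There are differnt tools and options to operate BitLocker" should be "different". The bullet list under it is not parallel: the first item starts lowercase and is a full clause ("the BitLocker drive encryption tools include the two command-line tools *manage-bde.exe* and *repair-bde.exe*"), the last is just "Control Panel"; suggest "The BitLocker drive encryption tools (*manage-bde.exe* and *repair-bde.exe*)", "The BitLocker PowerShell module", "The BitLocker Control Panel". The long paragraph this hunk appends ("Manage-bde is a command-line tool that can be used for scripting BitLocker operations... Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker") is added a second time by the `@@ -216,111 +74,59 @@` hunk under "## Using BitLocker to encrypt volumes", there with the current link target (`/windows-server/administration/windows-commands/manage-bde`) instead of the `/previous-versions/...ff829849(v=ws.11)` page used here; keep one copy with the current link. Whichever copy survives, keep the caveat that `manage-bde.exe -on` on a data volume "will fully encrypt the volume without any authenticating protectors", since that is the part of this paragraph a reader scripting deployments needs.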
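Review bot: grammar in the sentence added at the top of "## BitLocker PowerShell module" in `@@ -197,6 +52,9 @@`: "users can add the desired protector as part command for encrypting the volume" is missing "of the". The sentence sets up a comparison with manage-bde "for encrypting operating system volumes", but the `Enable-BitLocker` examples it used to introduce are moved by this patch to "## Enable BitLocker", so it now introduces a cmdlet list instead; move it with the examples or reword it to describe the list. The added lines also leave extra blank lines before "The BitLocker PowerShell module enables administrators"; one is enough.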
@@ -216,111 +74,59 @@ The BitLocker PowerShell module enables administrators to integrate BitLocker op -### Using the BitLocker Windows PowerShell cmdlets with operating system volumes -Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. +## Using BitLocker to encrypt volumes -The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: +BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -```powershell -Enable-BitLocker C: -``` - -In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. - -```powershell -Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest -``` - -### Using an SID-based protector in Windows PowerShell - -The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. 
BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster. - -> [!WARNING] -> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes. - -To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G. - -```powershell -Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator -``` - -For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: - -```powershell -Get-ADUser -filter {samaccountname -eq "administrator"} -``` +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] -> Use of this command requires the RSAT-AD-PowerShell feature. - -> [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features. - -In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: - -```powershell -Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" -``` - -> [!NOTE] -> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes. 
+> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. -### Decrypt volumes +`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) +`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command. + +Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. -Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +## Provisioning BitLocker during operating system deployment -Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. 
Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. -```powershell -Disable-BitLocker -``` - -If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: - -```powershell -Disable-BitLocker -MountPoint E:,F:,G: -``` - - -#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) - - -Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: - -```powershell -manage-bde.exe -off C: -``` - -This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: - -```powershell -manage-bde.exe -status C: -``` - -#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) - -BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process. -After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. 
With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel. - -The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. - -Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. - ---- ## Check BitLocker status +Follow the instructions below verify the status of BitLocker, selecting the option that best suits your needs. + To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. - #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) +To determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example: + +```powershell +PS C:\> Get-BitLockerVolume C: | fl + +ComputerName : DESKTOP +MountPoint : C: +EncryptionMethod : XtsAes128 +AutoUnlockEnabled : +AutoUnlockKeyStored : False +MetadataVersion : 2 +VolumeStatus : FullyEncrypted +ProtectionStatus : On +LockStatus : Unlocked +EncryptionPercentage : 100 +WipePercentage : 0 +VolumeType : OperatingSystem +CapacityGB : 1000 +KeyProtector : {Tpm, RecoveryPassword} +``` + #### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) 
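Review bot: duplicated and dangling text in `@@ -216,111 +74,59 @@`: the paragraphs "`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations" and "`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker" restate the manage-bde description the first hunk already placed at the top of the page, and the closing line "The following section covers general encryption for operating system volumes and data volumes" is no longer true, because the next heading is "## Provisioning BitLocker during operating system deployment" and the encryption examples now live under "## Enable BitLocker". Keep the tool description in one place and drop that sentence. Smaller points in the same lines: "running the `manage-bde.exe`command" needs a space before "command"; "Follow the instructions below verify the status of BitLocker" is missing "to"; and the provisioning paragraph still says the **Used Disk Space Only** option is "described later in this document", which should be re-checked after the reordering, since the only later mentions visible in this diff are the `-UsedSpaceOnly` switches in the Azure AD examples. The removed "### Using an SID-based protector in Windows PowerShell" and "### Decrypt volumes" blocks are re-added in later hunks, so that part is a move, and the "> [!WARNING]" that the SID-based protector needs an additional protector on operating system volumes does survive in the re-added copy.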
@@ -328,8 +134,26 @@ A good practice when using `manage-bde.exe` is to determine the volume status on `manage-bde.exe -status` -This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. +This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. +```cmd +C:\>manage-bde -status + +Volume C: [Local Disk] +[OS Volume] + + Size: 1000 GB + BitLocker Version: 2.0 + Conversion Status: Used Space Only Encrypted + Percentage Encrypted: 100.0% + Encryption Method: XTS-AES 128 + Protection Status: Protection On + Lock Status: Unlocked + Identification Field: Unknown + Key Protectors: + TPM + Numerical Password +``` #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) @@ -349,13 +173,28 @@ The drive security window displays prior to changing the volume status. Selectin Once BitLocker protector activation is completed, the completion notice is displayed. - --- -## Encrypt volumes + + + + + +## Enable BitLocker #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) +The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: + +```powershell +Enable-BitLocker C: +``` + +In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. + +```powershell +Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest +``` #### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) 
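Review bot: the examples added under "## Enable BitLocker" in `@@ -349,13 +173,28 @@` need checking. "In the example below, adds one additional protector, the StartupKey protector" has no subject ("The example below adds..."), and since the TPM-only command is a separate example, `-StartupKeyProtector` is not an additional protector here but the only one on that volume; also `-StartupKeyPath` is given no value in "Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest", so the command as printed will not run. The first example, "Enable-BitLocker C:", is described as "using only the TPM protector" but names no protector switch, unlike every other Enable-BitLocker call on this page (for example the context line "Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector"); add `-TpmProtector` or verify that the bare form is accepted. Neither example adds a recovery protector, although the Command Prompt tab of the same section recommends "at least one primary protector plus a recovery protector". The run of blank `+` lines before the heading should also go.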
@@ -415,44 +254,10 @@ manage-bde.exe -protectors -add -pw C: manage-bde.exe -on C: ``` -#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) ---- - - - -## Using BitLocker to encrypt volumes - -BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. - -If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. - -> [!NOTE] -> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. - -BitLocker encryption can be enabled and managed using the following methods: - -- BitLocker control panel -- Windows Explorer -- `manage-bde.exe` command-line interface -- BitLocker Windows PowerShell cmdlets - - -#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) - - -#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) - -`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - -`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. 
A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command. - -Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -### Encrypting volumes using the BitLocker control panel - Encrypting volumes with the BitLocker control panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume). 
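Review bot: the method list deleted in `@@ -415,44 +254,10 @@` ("BitLocker control panel", "Windows Explorer", "`manage-bde.exe` command-line interface", "BitLocker Windows PowerShell cmdlets") is not re-added anywhere, and the replacement list at the top of the page omits Windows Explorer even though the page keeps a "### Using BitLocker within Windows Explorer" section. Either add Windows Explorer to the new intro list or state there that it launches the same wizard as the Control Panel. The rest of this hunk is a pure move (the BdeHdCfg note and the manage-bde text reappear under "## Using BitLocker to encrypt volumes"), and removing "### Encrypting volumes using the BitLocker control panel" is fine because the tab header already carries that title.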
@@ -573,34 +378,102 @@ Users can verify whether the recovery key was saved properly by checking OneDriv ### Using BitLocker within Windows Explorer Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. + + --- -## Template + + + + + + + + + + + + + + + + + + + +## Manage BitLocker protectors + +Follow the instructions below manage BitLocker protectors, selecting the option that best suits your needs. #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) +To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed. -#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) +The following commands return the list of key protectors and GUIDS: + +```PowerShell +$vol = Get-BitLockerVolume C: +$keyprotectors = $vol.KeyProtector +$keyprotectors +``` + +By using this information, the key protector for a specific volume can be removed using the command: + +```powershell +Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" +``` + +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. 
The $pw variable is held as a +SecureString value to store the user-defined password. + +```powershell +$pw = Read-Host -AsSecureString + +Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw +``` + +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. -#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) ---- +The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster. +> [!WARNING] +> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes. -### Provisioning BitLocker during operating system deployment +To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G. -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. 
If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. +```powershell +Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator +``` -### Decrypting BitLocker volumes +For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below. +```powershell +Get-ADUser -filter {samaccountname -eq "administrator"} +``` +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. -## PowerShell examples to move +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features. -For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. +In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: + +```powershell +Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" +``` + +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes. + +For Azure AD-joined computers, the recovery password should be stored in Azure AD. 
**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* 
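Review bot: the PowerShell tab under "## Manage BitLocker protectors" in `@@ -573,34 +378,102 @@` carries over an example that cannot run: "Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw" names a cmdlet that does not exist in the BitLocker module; the cmdlet list earlier on this page starts with `Add-BitLockerKeyProtector`, which is the one to use here. The note "> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks" is pasted twice; the second copy follows that password example, where no GUID is involved, and should be dropped. "Follow the instructions below manage BitLocker protectors" is missing "to", and the long run of blank `+` lines inserted before the heading should be removed. The lead-in "Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume" was written for a data-volume encryption section and now appears, without transition, right after the protector-removal example; a short sentence introducing "adding protectors" would fix the flow. The change from "Get-BitLockerVolume" to "Get-BitLockerVolume C:" in the protector listing is a good fix. Also, "including virtual machines" was dropped from "For Azure AD-joined computers ... the recovery password should be stored in Azure AD"; restore it if that was unintentional.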
@@ -638,4 +511,127 @@ Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Tp $SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector -``` \ No newline at end of file +``` + + +#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume. + +The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process. + +```cmd +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: +``` + +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. + +An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. 
To add the protectors, enter the following command: + +```cmd +manage-bde.exe -protectors -add C: -pw -sid +``` + +The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on. + +On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command: + +```cmd +manage-bde.exe -on C: +``` + +The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command: + +```cmd + manage-bde.exe -protectors -get +``` + + +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: + +`manage-bde.exe -on ` + +or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume. + +A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on. + +```cmd +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: +``` + + +#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) +--- + + + + + + + +### Decrypt volumes + +Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step. 
+ +#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) + + +Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. + +Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: + +```powershell +Disable-BitLocker +``` + +If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: + +```powershell +Disable-BitLocker -MountPoint E:,F:,G: +``` + + +#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: + +```powershell +manage-bde.exe -off C: +``` + +This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: + +```powershell +manage-bde.exe -status C: +``` + +#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) + +BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process. +After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel. 
+ +The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. + +Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. + +--- + + +
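Review bot: several of the added `manage-bde.exe` examples are missing their drive argument, so the rendered page shows an incomplete command: `manage-bde.exe -on ` in the intro paragraph, the data-volume base command `manage-bde.exe -on `, and `manage-bde.exe -protectors -get ` (which also has a stray leading space inside the fence); likewise `manage-bde.exe -protectors -add C: -pw -sid` has nothing after `-sid` even though the text says an **ADaccountorgroup** protector is being added. Each of these needs an explicit placeholder so readers can see what goes there. In the same hunk: "If verify if a TPM protector is available, the list of protectors available for a volume can be listed" needs rewording, for example "To verify whether a TPM protector is present, list the protectors on the volume"; the two decryption fences under the Command Prompt tab (`manage-bde.exe -off C:`, `manage-bde.exe -status C:`) are tagged `powershell` while every other `manage-bde.exe` fence is tagged `cmd`; the last data-volume example `manage-bde.exe -protectors -add -pw C:` puts the drive after the switch while the earlier examples put it right after `-add`, so pick one order for consistency; and the encryption section's Control Panel tab (`#### [...Control Panel](#tab/controlpanel)` followed directly by `---` and blank lines) has no body at all, unlike the decryption Control Panel tab at the end of the hunk. Minor: the context line `ConvertTo-SecureString "123456"` is the PIN the new text builds on, and a docs example that shows a sequential six-digit PIN is worth swapping for an obvious placeholder.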