Paolo Matarazzo
2023-10-11 13:17:35 -04:00
parent 84324327ba
commit b81334e2d9

@ -102,8 +102,17 @@ If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activati
---
## Enable BitLocker
### OS drive with TPM protector
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
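Review bot: the sentence "The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:" now appears twice in this hunk, once above the tab group and again inside the PowerShell tab. The other sections in this file keep the intro sentence outside the tab so it applies to both the PowerShell and Command Prompt tabs; drop the copy inside the tab.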
@ -112,12 +121,27 @@ The following example shows how to enable BitLocker on an operating system drive
Enable-BitLocker C: -TpmProtector
```
---
### OS drive with TPM protector
In the next example, we add one more protector, the *StartupKey* protector, and choose to skip the BitLocker hardware test. Encryption starts immediately without the need for a reboot:
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
---
### Data volumes
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the `E:` volume using the variable `$pw` as the password. The `$pw` variable is held as a SecureString value to store the user-defined password:
```powershell
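Review bot: the heading "### OS drive with TPM protector" repeats the previous section's heading while the example below it adds a startup key protector, so the two sections are indistinguishable in the table of contents; rename it to something like "OS drive with TPM and startup key protector". Note also that `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path>` creates a startup-key-only protector; if the intent stated in the text ("we add one more protector") is TPM plus startup key, the parameter is `-TpmAndStartupKeyProtector -StartupKeyPath <path>`, which should be reflected in both the prose and the command.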
@ -129,11 +153,31 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
**Example**: Use PowerShell to enable BitLocker with a TPM protector
```powershell
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:
```powershell
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
---
### Active Directory protector
The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
```powershell
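Review bot: the two examples moved into the Data volumes PowerShell tab ("Enable-BitLocker D: ... -TpmProtector" and the `C:` TPM+PIN example) don't fit this section: the TPM family of protectors is for the operating system drive, and the second example explicitly targets `C:`, so both belong under the OS drive sections above. The TPM+PIN example also hardcodes the PIN with `ConvertTo-SecureString "123456" -AsPlainText -Force`, whereas the paragraph just above shows the password held as a SecureString in `$pw`; for consistency and to avoid teaching plaintext secrets in scripts, prompt with `Read-Host -AsSecureString` as that example does. Finally, the NOTE about enclosing the key protector GUID in quotation marks now sits directly before examples that contain no GUID; it reads as if it belongs next to the `Remove-BitLockerKeyProtector -KeyProtectorId "{GUID}"` example later in the file.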
@ -152,18 +196,8 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
> [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
**Example**: Use PowerShell to enable BitLocker with a TPM protector
---
```powershell
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:
```powershell
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
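Review bot: removing the misplaced block is right, since its `---` line sat between the "**Example**" heading and its code fence and closed the tab group early, but the TIP left in context is still vague: "This doesn't require the use of additional features" should say what the feature is, namely that `Get-ADUser` needs the ActiveDirectory PowerShell module (RSAT) installed, while `WHOAMI /ALL` works on any Windows machine and only reports the SID of the currently logged-on user and its groups.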
@ -445,7 +479,6 @@ Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{GUID}"
#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
---
### Backup a recovery password
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
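Review bot: with the one line removed here, the Command Prompt tab for removing a key protector shows no command between its heading and the closing `---` in this hunk; if the dropped line was the `manage-bde` example, keep it (the equivalent is `manage-bde -protectors -delete C: -id {GUID}`), otherwise remove the empty tab heading so the tab group doesn't render an empty Command Prompt pane.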