diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.png b/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.png index 55fd5b43ff..c410cfa5d4 100644 Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.png and b/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.png differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.png b/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.png index 9c014536ca..11738f23f7 100644 Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.png and b/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.png differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/manage.md b/windows/security/operating-system-security/data-protection/bitlocker/manage.md index 589ee40f59..32556403ff 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/manage.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/manage.md @@ -1,13 +1,13 @@ --- -title: How to use the BitLocker drive encryption tools to manage BitLocker -description: Learn how to use tools to manage BitLocker. +title: Manage BitLocker in your organization +description: Learn how to use different tools to manage BitLocker in your organization. ms.collection: - tier1 ms.topic: how-to ms.date: 07/25/2023 --- -# How to use the BitLocker drive encryption tools to manage BitLocker +# Manage BitLocker in your organization BitLocker drive encryption tools include the two command-line tools *manage-bde.exe* and *repair-bde.exe*, and the BitLocker PowerShell module. 
@@ -16,7 +16,7 @@ The tools can be used to perform any tasks that can be accomplished through the Follow the instructions below to configure your devices, selecting the option that best suits your needs. -#### [:::image type="icon" source="images/powershell.png"::: **Intune**](#tab/powershell) +#### [:::image type="icon" source="images/powershell.png"::: **PowerShell**](#tab/powershell) Similar to manage-bde, the PowerShell cmdlets allow configuration beyond the options offered in the control panel. A good initial step is to determine the current state of the volume(s) on the computer. For example, to determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details. @@ -58,7 +58,7 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" > [!NOTE] > The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. -#### [:::image type="icon" source="images/cmd.png"::: **Intune**](#tab/cmd) +#### [:::image type="icon" source="images/cmd.png"::: **cmd**](#tab/cmd) ```cmd C:\>manage-bde -status @@ -79,13 +79,10 @@ Volume C: [Local Disk] Numerical Password ``` - -#### [:::image type="icon" source="images/locked-drive.svg"::: **Intune**](#tab/controlpanel) +#### [:::image type="icon" source="images/locked-drive.svg"::: **Settings**](#tab/controlpanel) --- - - ## Manage-bde Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. 
@@ -132,7 +129,25 @@ The above command encrypts the drive using the TPM as the default protector. If manage-bde.exe -protectors -get ``` -### Using manage-bde with data volumes +## Manage data volumes + +Follow the instructions below to configure your devices, selecting the option that best suits your needs. + +#### [:::image type="icon" source="images/powershell.png"::: **PowerShell**](#tab/powershell) + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a +SecureString value to store the user-defined password. + +```powershell +$pw = Read-Host -AsSecureString + +Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw +``` + +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + +#### [:::image type="icon" source="images/cmd.png"::: **cmd**](#tab/cmd) Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: @@ -147,6 +162,10 @@ manage-bde.exe -protectors -add -pw C: manage-bde.exe -on C: ``` +#### [:::image type="icon" source="images/locked-drive.svg"::: **Settings**](#tab/controlpanel) + +--- + ## BitLocker Repair Tool Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly. 
@@ -214,17 +233,6 @@ In the example below, adds one additional protector, the StartupKey protector an Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` -### Using the BitLocker Windows PowerShell cmdlets with data volumes - -Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a -SecureString value to store the user-defined password. - -```powershell -$pw = Read-Host -AsSecureString - -Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw -``` - ### Using an SID-based protector in Windows PowerShell The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
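Review bot: In the `@@ -1,13 +1,13 @@` hunk of manage.md, `ms.date: 07/25/2023` is left as unchanged context while the title, description and the page's tab structure are rewritten; bump the date in the same change so the published page reflects when the content was last revised.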
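Review bot: In the `@@ -79,13 +79,10 @@` hunk the new `#### [... **Settings**](#tab/controlpanel)` heading is immediately followed by the `---` tab terminator with nothing in between, so the Settings tab renders empty. Either add the Control Panel / Settings steps for checking volume status or drop the tab until there is content for it.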
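Review bot: In the `@@ -132,7 +129,25 @@` hunk, `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` names a cmdlet that does not exist in the BitLocker module; the example should read `Enable-BitLocker E: -PasswordProtector -Password $pw` to encrypt the volume with a password protector (or `Add-BitLockerKeyProtector` if the volume is already encrypted and only a protector is being added). The note copied in after it ("The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks...") belongs to the `Remove-BitLockerKeyProtector -KeyProtectorID "{GUID}"` example earlier on the page; no GUID appears in this example, so the note should be removed here. Also join "The $pw variable is held as a" with "SecureString value..." onto one line, since the moved text carries the old mid-sentence line break with it.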
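Review bot: In the `@@ -147,6 +162,10 @@` hunk the added Settings tab is again an empty heading followed directly by `---`, and the surrounding cmd tab's examples (`manage-bde.exe -protectors -add -pw C:` and `manage-bde.exe -on C:`) target the operating system volume C: while the PowerShell tab in the same section uses the data volume E:. Fill in or drop the Settings tab, and change the cmd examples to a data volume letter so the two tabs describe the same operation.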
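Review bot: In the `@@ -214,17 +233,6 @@` hunk the removal itself is just the section move, but the unchanged context it sits in is defective: `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` gives `-StartupKeyPath` no path argument, and the lead-in "In the example below, adds one additional protector, the StartupKey protector an..." has lost its subject. Since this area is being edited, supply a path value (for example a removable-drive path) and repair the sentence in the same change.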