Differences

This shows you the differences between two versions of the page.

--- computing:security:windows_bitlocker [2021/04/29 11:45]
gcooper
+++ computing:security:windows_bitlocker [2021/05/13 14:38] (current)
gcooper
@@ Line 9: / Line 9: @@
 Bitlocker has been available since Windows Vista but only in Professional and Enterprise versions.
-Show Bitlocker info:
+===== Control Panel =====
+{{ :computing:security:bitlocker_control_panel.png?direct&650 |Bitlocker Control Panel Applet}}
+===== CLI =====
+==== Show Bitlocker Info ====
 <file>
+manage-bde -status
 manage-bde -protectors -get e:
 Get-BitLockerVolume
+Get-BitlockerVolume -MountPoint "E:"
 </file>
-{{ :computing:security:bitlocker_control_panel.png?direct&650 |Bitlocker Control Panel Applet}}
+==== Enable Bitlocker ====
+:!: These commands will allow you to specify a startup key on most any drive, not just USB drives.
+:!: The ''-usedspaceonly'' switch is needed for thinly provisioned storage.
+Add protectors and encrypt drive C:
+<file>
+manage-bde -protectors -add C: -recoverypassword -password -startupkey E:
+manage-bde -status
+manage-bde -on C: -usedspaceonly
+</file>
+==== Manage Bitlocker ====
+Delete a protector:
+<file>
+manage-bde -protectors -delete c: -id {Protector-ID}
+</file>
 ===== Bitlocker without TPM (Trusted Platform Module) =====
@@ Line 23: / Line 50: @@
 When enabling Bitlocker it will check to see if your computer has TPM.  If not, it will throw a message that you can use Bitlocker without it but need to change a Local Group Policy.
-  - In the Windows 10 Search box type gpedit.msc and press Enter to start the Local Group Policy Editor.
+  - In the Windows 10 Search box type ''gpedit.msc'' and press Enter to start the Local Group Policy Editor.
-  - Go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.
+  - Go to **Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives**.
-  - In the right-hand pane double-click Require additional authentication at startup.
+  - In the right-hand pane double-click **Require additional authentication at startup**.
-  - Check the Enabled radio button and make sure that the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box is checked. Then click OK.
+  - Check the **Enabled** radio button and make sure that the box **Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)** box is checked. Then click OK.
 ===== Enable Bitlocker =====
@@ Line 63: / Line 90: @@
 ====== Active Directory ======
+<note tip>Use ''adsiedit.msc'' to delete keys from AD if they are no longer needed.</note>
 {{ :computing:security:bitlocker_ad_1.png?direct&600|Bitlocker Info Stored in AD}}
-**Docs**: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings
+**Group Policy Settings**: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings
 https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/
@@ Line 77: / Line 106: @@
 https://techdirectarchive.com/2020/12/30/backup-bitlocker-recovery-keys-to-ad-how-to-enable-bitlocker-via-the-local-group-policy-editor-and-the-group-policy-management-console-2/
+https://www.experts-exchange.com/articles/33289/How-to-create-a-file-based-bitlocker-protector-for-recovery-and-support-purposes.html
+<file>
+Import-module ActiveDirectory
+Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}
+Get-ADComputer 'some-computer-name'| Get-ADObject -properties * | Select-Object distinguishedname, msFVE-REcoveryPassword, whencreated
+</file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools