Differences

This shows you the differences between two versions of the page.

--- computing:security:windows_bitlocker [2021/05/13 11:29]
gcooper
+++ computing:security:windows_bitlocker [2021/05/13 14:38] (current)
gcooper
@@ Line 8: / Line 8: @@
 Bitlocker has been available since Windows Vista but only in Professional and Enterprise versions.
+===== Control Panel =====
+{{ :computing:security:bitlocker_control_panel.png?direct&650 |Bitlocker Control Panel Applet}}
 ===== CLI =====
@@ Line 19: / Line 23: @@
 Get-BitlockerVolume -MountPoint "E:"
 </file>
-{{ :computing:security:bitlocker_control_panel.png?direct&650 |Bitlocker Control Panel Applet}}
 ==== Enable Bitlocker ====
 :!: These commands will allow you to specify a startup key on most any drive, not just USB drives.
+:!: The ''-usedspaceonly'' switch is needed for thinly provisioned storage.
 Add protectors and encrypt drive C:
 <file>
-manage-bde -protectors -add C: -recoverypassword --startupkey E:
+manage-bde -protectors -add C: -recoverypassword -password -startupkey E:
-manage-bde -protectors -add C: -password
+manage-bde -status
-manage-bde -on C:
+manage-bde -on C: -usedspaceonly
 </file>
@@ Line 46: / Line 50: @@
 When enabling Bitlocker it will check to see if your computer has TPM.  If not, it will throw a message that you can use Bitlocker without it but need to change a Local Group Policy.
-  - In the Windows 10 Search box type gpedit.msc and press Enter to start the Local Group Policy Editor.
+  - In the Windows 10 Search box type ''gpedit.msc'' and press Enter to start the Local Group Policy Editor.
-  - Go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.
+  - Go to **Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives**.
-  - In the right-hand pane double-click Require additional authentication at startup.
+  - In the right-hand pane double-click **Require additional authentication at startup**.
-  - Check the Enabled radio button and make sure that the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box is checked. Then click OK.
+  - Check the **Enabled** radio button and make sure that the box **Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)** box is checked. Then click OK.
 ===== Enable Bitlocker =====
@@ Line 86: / Line 90: @@
 ====== Active Directory ======
+<note tip>Use ''adsiedit.msc'' to delete keys from AD if they are no longer needed.</note>
 {{ :computing:security:bitlocker_ad_1.png?direct&600|Bitlocker Info Stored in AD}}
@@ Line 102: / Line 108: @@
 https://www.experts-exchange.com/articles/33289/How-to-create-a-file-based-bitlocker-protector-for-recovery-and-support-purposes.html
+<file>
+Import-module ActiveDirectory
+Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}
+Get-ADComputer 'some-computer-name'| Get-ADObject -properties * | Select-Object distinguishedname, msFVE-REcoveryPassword, whencreated
+</file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools