The Enable-BitLocker cmdlet enables BitLocker Drive Encryption for a volume. When you enable encryption, you must specify a volume and an encryption method for that volume. You can specify a volume by drive letter or by specifying a BitLocker volume object. For the encryption method, you can choose either Advanced Encryption Standard (AES) algorithms AES-128 or AES-256, or you can use hardware encryption, if it is supported by the disk hardware.

BitLocker uses a key protector to encrypt the volume encryption key. When a user accesses a BitLocker encrypted drive, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker decrypts the encryption key and uses it to read data from the drive.

You can use one of the following methods or combinations of methods for a key protector:

- BitLocker uses the computer's TPM to protect the encryption key. If you select this key protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and system boot integrity is intact. In general, TPM-based protectors can only be associated with an operating system volume.
- TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, is four to twenty letters, symbols, spaces, or numbers.
- BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
- BitLocker uses a combination of the TPM and input from a USB memory device.
- BitLocker uses input from a USB memory device that contains the external key.
- BitLocker uses a recovery key stored as a specified file.
- Active Directory Domain Services (AD DS).

You can specify only one of these methods or combinations when you enable encryption, but you can use the Add-BitLockerKeyProtector cmdlet to add other protectors.

For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script and still maintain confidentiality of passwords.

This cmdlet returns a BitLocker volume object. If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-bit recovery password. The cmdlet stores the password as the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object.
Enable-BitLocker -AdAccountOrGroupProtector
Enable-BitLocker -PasswordProtector
Enable-BitLocker -TpmAndPinProtector
Enable-BitLocker -TpmAndPinAndStartupKeyProtector
Enable-BitLocker -RecoveryKeyProtector
Enable-BitLocker -RecoveryPasswordProtector
Enable-BitLocker -StartupKeyProtector
Enable-BitLocker -TpmAndStartupKeyProtector
Enable-BitLocker -TpmProtector
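
The procedure described on this page, written out as a script. This is an added example, not code from the cmdlet's documentation: it enables BitLocker with a TPM and PIN protector supplied as a secure string, then adds a recovery password protector with Add-BitLockerKeyProtector and checks the RecoveryPassword field without printing it. The drive letter C: and all variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. The mount point and variable names are assumptions.
$mountPoint = 'C:'   # assumed operating system volume

# TPM-based protectors need a TPM that is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; a TPM and PIN protector cannot be used.'
}

# Prompt for the PIN so it never appears as plain text in the script or
# in command history. Read-Host -AsSecureString returns a SecureString.
$pin = Read-Host -Prompt 'BitLocker PIN' -AsSecureString

# Enable-BitLocker accepts only one protector method per call.
$volume = Enable-BitLocker -MountPoint $mountPoint -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -ErrorAction Stop

# Add a second protector afterwards. No -RecoveryPassword value is given,
# so the cmdlet generates the recovery password itself.
$volume = Add-BitLockerKeyProtector -MountPoint $mountPoint `
    -RecoveryPasswordProtector -ErrorAction Stop

# The generated value is held in the RecoveryPassword field of the
# matching KeyProtector entry on the returned volume object.
$recovery = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recovery.Count -ne 1 -or [string]::IsNullOrEmpty($recovery[0].RecoveryPassword)) {
    throw 'Expected exactly one recovery password protector with a value.'
}

# Report protector types and ids only. The recovery password unlocks the
# volume, so keep it out of console output, transcripts and logs, and pass
# $recovery[0].RecoveryPassword straight to your escrow process.
$volume.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```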