The actual supporting features that will be added will depend on which features are
already installed on the server. Click Add Features and then click Next.
3.
4. Click Install to complete the installation. At least one restart is required.
To install BitLocker using Windows PowerShell, use the following command:
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature `
-IncludeManagementTools -Restart
Enabling BitLocker protectors
When enabling BitLocker from the command line, it's a good practice to add BitLocker
protectors prior to enabling BitLocker on a volume. At a minimum, you should add the
recovery password protector to ensure that you have a way to recover if your hardware
changes. Even very small changes can trigger a BitLocker failure. Keep a copy of the recovery
password in a safe place that is accessible in an emergency, but not with the computer you're
trying to protect.
The other protector you should add is the recovery key protector. This protector writes a
recovery key to a USB key, allowing you to recover and boot by inserting the USB key. Keep
this key in a safe place separate from the server it is protecting.
You can add a BitLocker protector with the Add-BitLockerKeyProtector cmdlet or with the
manage-bde.exe command-line utility. You can add only one protector at a time. To add the
recovery password protector with a default, generated, numerical key and add the recovery key
protector to the operating system drive (C:), use the following Windows PowerShell commands:
Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector
Add-BitLockerKeyProtector -MountPoint C: -RecoveryKeyProtector -RecoveryKeyPath <string>
In the second of these commands, <string> should be replaced with the path to the USB
key onto which you want to write the recovery key.
To add the same protectors by using the manage-bde command, use the following:
manage-bde -protectors -add C: -RecoveryPassword
manage-bde -protectors -add C: -RecoveryKey <string>
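The following script is an added example, not part of the original text. It checks which protectors a volume already has, adds the recovery password and recovery key protectors only if they are missing, and then lists the result so you can confirm both exist before you enable BitLocker. The function name and the E:\ path for the USB key are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Add-MissingRecoveryProtector is a hypothetical helper name.

function Add-MissingRecoveryProtector {
    param(
        [string]$MountPoint = 'C:',
        # Root of the mounted USB key that will receive the recovery key.
        [Parameter(Mandatory)][string]$RecoveryKeyPath
    )

    # Protector types currently present on the volume.
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { [string]$_.KeyProtectorType })

    if ($types -notcontains 'RecoveryPassword') {
        # Generates the default numerical recovery password.
        Add-BitLockerKeyProtector -MountPoint $MountPoint `
            -RecoveryPasswordProtector | Out-Null
    }

    # A recovery key is reported as type ExternalKey. A startup key is
    # reported the same way, so this check cannot tell the two apart.
    if ($types -notcontains 'ExternalKey') {
        if (-not (Test-Path -LiteralPath $RecoveryKeyPath -PathType Container)) {
            throw "Recovery key path '$RecoveryKeyPath' is not available."
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint `
            -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath | Out-Null
    }

    # Re-read the volume and return what is now in place. The numerical
    # password itself is in the RecoveryPassword property of the
    # RecoveryPassword protector; record it somewhere other than this server.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# E:\ is an assumed drive letter for the USB key.
Add-MissingRecoveryProtector -MountPoint 'C:' -RecoveryKeyPath 'E:\'
```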
The available protectors are as follows:
Recovery password
Recovery key
Startup key
Certificate
TPM (operating system drive only)
Password (data drives only)
TPM and PIN
 