Managing BitLocker

Basic commands


######################################################################################################
###### Setup on W2K12 (Windows Server 2012) ##########################################################
######################################################################################################
Install BitLocker:
------------------
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
Restart-computer

Manage BitLocker:
-----------------
Enabling BitLocker on a computer without a TPM chip.

Before beginning the encryption process you must create the startup key needed by BitLocker and save it
to the USB drive. Once BitLocker is enabled for the operating system volume, it will need to read the USB
flash drive at every boot to obtain the encryption key (in this example, the drive letter E represents the
USB drive). You will be prompted to reboot to complete the encryption process:

manage-bde -protectors -add C: -startupkey E:

manage-bde -on C:


After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
 
An alternative to the startup key protector on non-TPM hardware is to use a password and an ADAccountOrGroup protector
to protect the operating system volume. In this scenario, you add the protectors first. This is done with the command:

manage-bde -protectors -add C: -pw -sid <user or group>   (note: the user or group must have local administrator privileges)

Example: manage-bde -protectors -add C: -pw -sid YourDomain\Username


This command requires you to enter and then confirm the password protector before it is added to the volume.
With the protectors enabled on the volume, you can then turn BitLocker on.
On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde.
The command to do this is:

manage-bde -on C:


This encrypts the drive using the TPM as the default protector. If you are not sure whether a TPM protector is available,
list the protectors present on a volume with the following command:

manage-bde -protectors -get <volume>
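The protector choice described above (TPM when present, otherwise a USB startup key, or a password plus an AD account/group protector), written with the BitLocker PowerShell module that the Install-WindowsFeature step above installs. This is an added example and not part of the original page or of any Microsoft documentation: the volume letter C:, the USB drive E:\ and the group CONTOSO\BitLockerAdmins are placeholders to adapt, and Get-Tpm comes from the TrustedPlatformModule module (Windows 8 / Server 2012 and later).

```powershell
# Added example: pick BitLocker protectors for the OS volume depending on TPM presence,
# then escrow every recovery password in Active Directory. Run from an elevated prompt.
# Assumptions (adapt): C: is the OS volume, E:\ is the USB drive that will hold the
# startup key, CONTOSO\BitLockerAdmins is the group allowed to unlock the volume.
$OsVolume    = "C:"
$UsbDrive    = "E:\"
$UnlockGroup = "CONTOSO\BitLockerAdmins"

# Stop if protectors already exist, so the script never stacks duplicates on a live volume.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if ($vol.KeyProtector.Count -gt 0) {
    Write-Warning "$OsVolume already has $($vol.KeyProtector.Count) protector(s); review them before adding more."
    return
}

$tpm = Get-Tpm   # TrustedPlatformModule module
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM available: the TPM seals the volume key; the recovery password is the escrowable fallback.
    Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 -TpmProtector
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
}
elseif (Test-Path $UsbDrive) {
    # No TPM, USB drive present: write the startup key to it (equivalent of "-startupkey E:").
    Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath $UsbDrive
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
}
else {
    # No TPM, no USB drive: password plus AD account/group protector (equivalent of "-pw -sid").
    $pwd = Read-Host -AsSecureString "BitLocker password for $OsVolume"
    Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 -PasswordProtector -Password $pwd
    Add-BitLockerKeyProtector -MountPoint $OsVolume -AdAccountOrGroupProtector -AdAccountOrGroup $UnlockGroup | Out-Null
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
}

# Escrow each recovery password in AD (same effect as "manage-bde -protectors -adbackup").
Get-BitLockerVolume -MountPoint $OsVolume |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $_.KeyProtectorId }

# Final state: this is the PowerShell counterpart of "manage-bde -status" and "-protectors -get".
Get-BitLockerVolume -MountPoint $OsVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
Get-BitLockerVolume -MountPoint $OsVolume | Select-Object -ExpandProperty KeyProtector
```

The two non-TPM branches only succeed on an operating system volume when the Group Policy setting "Require additional authentication at startup" has "Allow BitLocker without a compatible TPM" enabled; otherwise Enable-BitLocker refuses the startup key and password protectors, exactly as manage-bde does. A recovery password is added in every branch so that the volume can be recovered if the USB key is lost or the password forgotten, which is why the script ends by backing it up to Active Directory.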


Example on a client workstation



######################################################################################################
###### Complete scenario on a Windows 7 client workstation ###########################################
######################################################################################################


###################################################################################################################
#
###################################################################################################################
#
#
# AUTHOR : Patrice GUILLOUX - EMAIL : PGUILLOUX@OUTLOOK.COM
#
#
# GOAL : command lines to activate BitLocker
#
#
######################################################################################################
# Launch a command prompt in administrator mode
#
# First, take ownership of the TPM (if present on your computer) so it can protect the encryption key
# Skip this step if the computer has no TPM (the owner password below is an example value from this page)
manage-bde -tpm -takeownership P@ssword1
#
# Activate BitLocker and add a recovery password protector
# If you did not activate a TPM above, adapt this command line (see the non-TPM protectors in the previous section)
manage-bde -on c: -recoverypassword
#
# Verify that BitLocker is activated
manage-bde -status
manage-bde -protectors -get C:
# A message should say that you need to reboot the laptop for the encryption to start
shutdown -r -t 00
#
# ... Wait for the reboot ... then open your session, launch a command prompt in administrator mode and proceed as below ...
#
# Display the numerical password
manage-bde -protectors -get C:
#
# If you want to save the recovery password to Active Directory, type the following command :
manage-bde -protectors -adbackup c: -Id {numerical password ID from the preceding command}
#
# Check the progress of the encryption until it reaches 100%
manage-bde -status
#
#
#
######################################################################################################
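The verification and Active Directory backup steps of the scenario above, as an added example that is not part of the original page. Windows 7 has no BitLocker PowerShell module, so the script queries the Win32_EncryptableVolume WMI class that manage-bde itself relies on; it assumes C: is the operating system volume and an elevated PowerShell prompt. The status and protector-type numbers in the comments are the documented values of that class.

```powershell
# Added example: check encryption progress and escrow the recovery password(s) of C: in AD
# on Windows 7, using WMI instead of the BitLocker cmdlets (which Windows 7 does not have).
# Assumption: C: is the OS volume; run from an elevated PowerShell prompt.
$DriveLetter = "C:"
$ns  = "root\CIMV2\Security\MicrosoftVolumeEncryption"
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }

# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress,
# 3 = decryption in progress, 4 = encryption paused, 5 = decryption paused.
# ProtectionStatus: 0 = off, 1 = on, 2 = unknown.  (Same information as "manage-bde -status".)
$conv = $vol.GetConversionStatus()
$prot = $vol.GetProtectionStatus()
"{0}: conversion status {1}, {2}% encrypted, protection status {3}" -f `
    $DriveLetter, $conv.ConversionStatus, $conv.EncryptionPercentage, $prot.ProtectionStatus

# Key protector type 3 = numerical (recovery) password, the protector that "-adbackup" escrows.
$ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
if (-not $ids) {
    Write-Warning "$DriveLetter has no recovery password protector; add one with 'manage-bde -protectors -add $DriveLetter -recoverypassword'."
    return
}

foreach ($id in $ids) {
    # Same effect as "manage-bde -protectors -adbackup C: -id {GUID}"; the ID is the GUID shown
    # by "manage-bde -protectors -get C:". A non-zero return value means the backup failed
    # (for example the computer object in AD is not reachable), so the key is NOT escrowed yet.
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -eq 0) { "Recovery password protector $id backed up to Active Directory" }
    else { Write-Warning ("AD backup of protector {0} failed, return code 0x{1:X8}" -f $id, $rc) }
}
```

The script deliberately does not print the 48-digit numerical password itself; the point of the check is to confirm that a recovery protector exists and that its backup to Active Directory succeeded before the machine is handed to a user, since a drive that finishes encrypting without an escrowed recovery password is unrecoverable if the TPM or owner password is ever lost.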



Contact:

Patrice Guilloux
Company: AR Systèmes
FRANCE

pguilloux@outlook.com
Microsoft certified:


HP certified (APC, AIS, ASE, Master ASE):