
Bitlocker: Encrypt all computers by cmd and GPO

I have to join a lot of computers to a new domain and I would like to enable BitLocker on all computers in the domain. I want to create a GPO so that, when I join a new computer to the domain, BitLocker is enabled automatically. The solution that I found is to create a script to do it, then create a GPO to deploy this script and see if the GPO works. I tested this script and it works perfectly:

# Only start encryption when the OS volume is still plaintext
$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
    # Enable BitLocker on C: with a recovery password protector, skipping the reboot hardware test
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}

But I want to add the BitLocker password and the recovery password, and I am not able to do it. I tried these modifications, but they don't work and I get an error when I launch them:

  1. Try with password

    $pass = ConvertTo-SecureString "Password" -AsPlainText -Force
    $CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
    if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
        C:\Windows\System32\manage-bde.exe -on c: -password $pass -recoverypassword -skiphardwaretest
    }

  2. Try with PIN

    $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    Enable-BitLocker -MountPoint c: -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

  3. Try with password

    $pass = ConvertTo-SecureString Passw0rd -AsPlainText -Force
    Enable-BitLocker -MountPoint c:\ -EncryptionMethod Aes128 -Password $pass -PasswordProtector

Could you be so kind as to help me, please? Thanks so much.

• Please check whether the recovery key information GPO has the 128-bit key selected, as you are using it in one of your commands. If not, ensure the same.

• The third command that you posted has some mistakes in it; if you correct them as below, then maybe they can run and execute during the domain-joining process:

    $CdriveStatus = Get-BitLockerVolume -MountPoint 'C:'
    if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
        $SecureString = ConvertTo-SecureString "Passw0rd" -AsPlainText -Force
        Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Password $SecureString -PasswordProtector -SkipHardwareTest
    }

The above tested command will start the encryption process on the OS drive, i.e. C:, as soon as the system joins the domain and all the required GPOs are applied and updated on it. Also, ensure that in the BitLocker GPO "allow encryption without TPM" is enabled, because BitLocker encryption cannot be started on devices without a TPM unless we disable the "Allow encryption with TPM only" flag in the Windows registry, which can be done through GPO only.
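The script below is an added example written for this page; it is not the asker's code nor the code in the answer above. It covers both the asker's goal (enable BitLocker on C: from a GPO startup script with a recovery password) and the answer's prerequisite (policy must allow BitLocker without a TPM on TPM-less hardware), and it goes a little further than either: it escrows the recovery password in AD DS before starting encryption, uses a TPM protector whenever a usable TPM exists so that no shared secret has to be stored in the script, and only falls back to a password protector when the hardware has no TPM and the GPO permits it. It assumes it runs elevated (for example as SYSTEM from a Computer Configuration startup script) on Windows 10/11 Pro or Enterprise with the BitLocker and TrustedPlatformModule modules present, and that the "Store BitLocker recovery information in Active Directory Domain Services" policy is enabled so that Backup-BitLockerKeyProtector succeeds. The registry path and the two value names are the real locations written by the "Require additional authentication at startup" policy; the parameter name `-FallbackPassword` and the script name in the usage note are this example's own.

```powershell
# Added example, not from the original post. Assumptions: runs elevated (e.g. as SYSTEM
# from a GPO startup script) on Windows 10/11 Pro/Enterprise with the BitLocker and
# TrustedPlatformModule modules; the BitLocker GPO enables "Store BitLocker recovery
# information in AD DS" so that Backup-BitLockerKeyProtector succeeds.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    # Used only when no usable TPM exists. A literal password inside a script deployed
    # through GPO is readable by every domain member from SYSVOL, so pass it in rather
    # than hard-coding it, and prefer the TPM path wherever the hardware allows it.
    [securestring]$FallbackPassword
)
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

# Values written by the "Require additional authentication at startup" policy when
# "Allow BitLocker without a compatible TPM" is ticked.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
function Get-FvePolicyValue([string]$Name) {
    try { (Get-ItemProperty -Path $FvePolicy -Name $Name).$Name } catch { $null }
}

function Test-TpmUsable {
    try { $t = Get-Tpm; return [bool]($t.TpmPresent -and $t.TpmReady) } catch { return $false }
}

# 1. Make sure exactly one recovery password protector exists and is escrowed in AD DS.
#    Doing this before Enable-BitLocker also satisfies the policy "Do not enable
#    BitLocker until recovery information is stored to AD DS". Safe to re-run.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# 2. Start encryption only if the volume is still plaintext.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Verbose "$MountPoint is already $($vol.VolumeStatus); recovery key escrowed, nothing else to do."
    return
}

# The cipher must match the "Choose drive encryption method and cipher strength" policy
# if that policy is configured (the answer's point about the 128-bit setting).
$Cipher = 'XtsAes256'

if (Test-TpmUsable) {
    # TPM-only unlock: no shared secret has to live in the script at all.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Cipher -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} else {
    # No TPM: refuse unless the GPO has turned on "Allow BitLocker without a compatible TPM".
    if ((Get-FvePolicyValue 'UseAdvancedStartup') -ne 1 -or (Get-FvePolicyValue 'EnableBDEWithNoTPM') -ne 1) {
        throw 'No usable TPM and policy does not allow BitLocker without one (UseAdvancedStartup/EnableBDEWithNoTPM).'
    }
    if (-not $FallbackPassword) { throw 'No usable TPM: -FallbackPassword is required.' }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Cipher -UsedSpaceOnly -PasswordProtector -Password $FallbackPassword -SkipHardwareTest
}
```

Deploy it as a Computer Configuration startup script (for example `Enable-BitLockerOnJoin.ps1`, a name chosen for this example); TPM machines then need no parameters at all. On TPM-less machines the password has to come from somewhere, and whatever you put on the script's command line in the GPO is visible to Authenticated Users in SYSVOL, so treat that password as a weak, shared secret and rely on the AD-escrowed recovery password as the real recovery path. Re-running the script on an already-encrypted machine only re-escrows the recovery password, so it is safe to leave it attached to the GPO.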
