Add-BitLockerKeyProtector
Add-BitLockerKeyProtector
Adds a key protector for a BitLocker volume.
구문
Parameter Set: PasswordProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Password] <SecureString> ] -PasswordProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: RecoveryKeyProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-RecoveryKeyPath] <String> -RecoveryKeyProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: RecoveryPasswordProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-RecoveryPassword] <String> ] -RecoveryPasswordProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: SidProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-ADAccountOrGroup] <String> -ADAccountOrGroupProtector [-Service] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: StartupKeyProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] <String> -StartupKeyProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: TpmAndPinAndStartupKeyProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] <String> [[-Pin] <SecureString> ] -TpmAndPinAndStartupKeyProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: TpmAndPinProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Pin] <SecureString> ] -TpmAndPinProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: TpmAndStartupKeyProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] <String> -TpmAndStartupKeyProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: TpmProtector
Add-BitLockerKeyProtector [-MountPoint] <String[]> -TpmProtector [-Confirm] [-WhatIf] [ <CommonParameters>]
자세한 설명
The Add-BitLockerKeyProtector cmdlet adds a protector for the volume key of the volume protected with BitLocker Drive Encryption.
When a user accesses a drive protected by BitLocker, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker retrieves the encryption key and uses it to read data from the drive.
You can use one of the following methods or combinations of methods for a key protector:
-- Trusted Platform Module (TPM). BitLocker uses the computer's TPM to protect the encryption key. If you specify this protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and the system boot integrity is intact. In general, TPM-based protectors can only be associated to an operating system volume.
-- TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty letters, symbols, spaces, or numbers.
-- TPM, PIN, and startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from of a USB memory device that contains an external key.
-- TPM and startup key. BitLocker uses a combination of the TPM and input from of a USB memory device.
-- Startup key. BitLocker uses input from of a USB memory device that contains the external key.
-- Password. BitLocker uses a password.
-- Recovery key. BitLocker uses a recovery key stored as a specified file in a USB memory device.
-- Recovery password. BitLocker uses a recovery password.
-- Active Directory 도메인 서비스 (AD DS) account. BitLocker uses domain authentication to unlock data volumes. Operating system volumes cannot use this type of key protector.
You can add only one of these methods or combinations at a time, but you can run this cmdlet more than once on a volume.
Adding a key protector is a single operation; for example, adding a startup key protector to a volume that uses the TPM and PIN combination as a key protector results in two key protectors, not a single key protector that uses TPM, PIN, and startup key. Instead, add a protector that uses TPM, PIN, and startup key and then remove the TPM and PIN protector by using the Remove-BitLockerKeyProtector cmdlet.
For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script and still maintain confidentiality of passwords.
This cmdlet returns a BitLocker volume object. If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-bit recovery password. The cmdlet stores the password as the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object.
If you use startup key or recovery key as part of your key protector, provide a path to store the key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the KeyProtector field in the BitLocker volume object.
For an overview of BitLocker, see BitLocker Drive Encryption Overview (https://technet.microsoft.com/en-us/library/cc732774.aspx) on TechNet.
매개 변수
-ADAccountOrGroup<String>
Specifies an account using the format Domain\User. This cmdlet adds the account you specify as a key protector for the volume encryption key.
별칭 |
sid |
필수 여부 |
true |
위치 |
2 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-ADAccountOrGroupProtector
Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key.
별칭 |
sidp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-MountPoint<String[]>
Specifies an array of drive letters or BitLocker volume objects. This cmdlet adds a key protector to the volumes specified. To obtain a BitLocker volume object, use the Get-BitLockerVolume cmdlet.
별칭 |
없음 |
필수 여부 |
true |
위치 |
1 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
True (ByValue, ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-Password<SecureString>
Specifies a secure string object that contains a password. The cmdlet adds the password specified as a protector for the volume encryption key.
별칭 |
pw |
필수 여부 |
false |
위치 |
2 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-PasswordProtector
Indicates that BitLocker uses a password as a protector for the volume encryption key.
별칭 |
pwp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-Pin<SecureString>
Specifies a secure string object that contains a PIN. The cmdlet adds the PIN specified, with other data, as a protector for the volume encryption key.
별칭 |
p |
필수 여부 |
false |
위치 |
3 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-RecoveryKeyPath<String>
Specifies a path to a recovery key. This cmdlet adds the recovery key stored in the specified path as a protector for the volume encryption key.
별칭 |
rk |
필수 여부 |
true |
위치 |
2 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-RecoveryKeyProtector
Indicates that BitLocker uses a recovery key as a protector for the volume encryption key.
별칭 |
rkp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-RecoveryPassword<String>
Specifies a recovery password. If you do not specify this parameter, the cmdlet creates a random password. You can enter a 48 digit password. The cmdlet adds the password specified or created as a protector for the volume encryption key.
별칭 |
rp |
필수 여부 |
false |
위치 |
2 |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-RecoveryPasswordProtector
Indicates that BitLocker uses a recovery password as a protector for the volume encryption key.
별칭 |
rpp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-Service
Indicates that the system account for this computer unlocks the encrypted volume.
별칭 |
없음 |
필수 여부 |
false |
위치 |
named |
기본값 |
False |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-StartupKeyPath<String>
Specifies a path to a startup key. The cmdlet adds the key stored in the specified path as a protector for the volume encryption key.
별칭 |
sk |
필수 여부 |
true |
위치 |
2 |
기본값 |
없음 |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-StartupKeyProtector
Indicates that BitLocker uses a startup key as a protector for the volume encryption key.
별칭 |
skp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-TpmAndPinAndStartupKeyProtector
Indicates that BitLocker uses a combination of TPM, a PIN, and a startup key as a protector for the volume encryption key.
별칭 |
tpskp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-TpmAndPinProtector
Indicates that BitLocker uses a combination of TPM and a PIN as a protector for the volume encryption key.
별칭 |
tpp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-TpmAndStartupKeyProtector
Indicates that BitLocker uses a combination of TPM and a startup key as a protector for the volume encryption key.
별칭 |
tskp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-TpmProtector
Indicates that BitLocker uses TPM as a protector for the volume encryption key.
별칭 |
tpmp |
필수 여부 |
true |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-Confirm
cmdlet을 실행하기 전에 확인 메시지가 표시됩니다.
필수 여부 |
false |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-WhatIf
cmdlet이 실행될 경우 결과 동작을 표시합니다. cmdlet이 실행되지 않습니다.
필수 여부 |
false |
위치 |
named |
기본값 |
false |
파이프라인 입력 적용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
<CommonParameters>
이 cmdlet은 일반 매개 변수 -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer 및 -OutVariable을 지원합니다. 자세한 내용은 다음을 참조하세요. about_CommonParameters(https://go.microsoft.com/fwlink/p/?LinkID=113216).
입력
입력 유형은 cmdlet에 파이프할 수 있는 개체의 유형입니다.
- BitLockerVolume[], string[]
출력
출력 유형은 cmdlet이 내보내는 개체의 유형입니다.
- BitLockerVolume[]
예제
Example 1: Add key protector
This example adds a combination of the TPM and a PIN as key protector for the BitLocker volume identified with the drive letter C:.
The first command uses the ConvertTo-SecureString cmdlet to create a secure string that contains a PIN and saves that string in the $SecureString variable. For more information about the ConvertTo-SecureString cmdlet, type Get-Help ConvertTo-SecureString.
The second command adds a protector to the BitLocker volume that has the drive letter C:. The command specifies that this volume uses a combination of the TPM and the PIN as key protector and provides the PIN saved in the $SecureString variable.
PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\>Add-BitLockerProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
Example 2: Add a recovery key for all BitLocker volumes
This command gets all the BitLocker volumes for the current computer and passes them to the Add-BitLockerKeyProtector cmdlet by using the pipe operator. This cmdlet specifies a path to a recovery key and indicates that these volumes use a recovery key as a key protector.
PS C:\> Get-BitLockerVolume | Add-BitLockerKeyProtector -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector
Example 3: Add credentials as a key protector
This command adds an AD DS account key protector to the BitLocker volume specified by the MountPoint parameter. The command specifies an account and specifies that BitLocker uses user credentials as a key protector. When a user accesses this volume, BitLocker prompts for credentials for the user account Western\SarahJones.
PS C:\> Add-BitLockerKeyProtector -MountPoint "C:" -AdAccountOrGroup "Western\SarahJones" -AdAccountOrGroupProtector