How to Configure Group Policy to Store BitLocker Recovery Keys in AD?

To automatically save (back up) BitLocker recovery keys to the Active Directory domain, you need to configure a special GPO:

Open the Domain Group Policy Management console (gpmc.msc), create a new GPO and link it to an OU containing the computers on which you want to enable automatic saving of BitLocker keys in AD.
Go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption.
Enable the policy Store BitLocker recovery information in Active Directory Domain Services with the following settings: Require BitLocker backup to AD DS, and Select BitLocker recovery information to store: Recovery passwords and key packages.
Then go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives and enable the policy Choose how BitLocker-protected operating system drives can be recovered.
Note that it is recommended to check Do not enable BitLocker until recovery information is stored to AD DS for operating system drives. If you check this option, BitLocker will not start drive encryption until the computer has saved a new recovery key in AD (if you are a mobile user, you will have to wait for the next connection to the domain network).

In our case, automatic saving of a BitLocker key is enabled for the operating system drive. If you want to save BitLocker recovery keys for external media devices or other drives, configure a similar policy in these GPO sections: Fixed Data Drives and Removable Data Drives.

Encrypt the system drive of your computer running Windows 10 Pro using BitLocker (Turn BitLocker on). Windows 10 will save the BitLocker recovery key for the computer in Active Directory and encrypt the drive.

I understand that there are multiple reasons that a recovery key might be needed on a system partition, but why would I want the extra security risk of having a way of circumventing my password for removable media?

The following batch script (run as Administrator) checks the encryption method of the system drive and whether the TPM is enabled, then replaces the recovery password protector and backs the new one up to AD:

@echo off
REM Run as Administrator
REM Manage-bde.exe -protectors -disable c:
set "test=qrz"
REM Third token of " Encryption Method: <method>" is the method name ("None" if not encrypted)
for /F "tokens=3 delims= " %%A in ('manage-bde -status %systemdrive% ^| findstr " Encryption Method:"') do (
    echo %%A
    set "test=%%A"
    if "%%A"=="None" goto :activate
)
REM Matches only when the TPM reports IsEnabled_InitialValue = TRUE
for /F %%A in ('wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue ^| findstr "TRUE"') do (
    echo TPM enabled: %%A
)
REM next two lines disables system restore to help prevent bitlocker recovery key request
bcdedit /set bootstatuspolicy ignoreallfailures
REM Suspends BitLocker protection; it stays suspended until "manage-bde -protectors -enable" is run
Manage-bde -protectors -disable %systemdrive%
Manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
Manage-bde -protectors -add %systemdrive% -RecoveryPassword
REM Second token of the " ID: {GUID}" line is the new protector ID; back that protector up to AD DS
for /F "tokens=2 delims=: " %%A in ('manage-bde -protectors -get C: -type recoverypassword ^| findstr " ID:"') do (
    Manage-bde -protectors -adbackup %systemdrive% -id %%A
)
goto :eof

:activate
REM BitLocker is not enabled on the system drive; the script's :activate section is not shown on this page

To configure or change how BitLocker unlocks the OS drive at startup with a PIN in Windows 11/10, do the following: Press Windows key + R to invoke the Run dialog.

Log in to your Microsoft account, which will display a list of all devices you have. Under BitLocker data protection, click Manage recovery.

Expand the drive for which you want to change the BitLocker password, and click Change password from the list of options.

Click the Start button and tap on Settings. In the Settings window, click the System option and then select Recovery. Now, click on Reset This PC and select the Reset PC. However, the process will depend on the operating system you are running on your Surface Pro.
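As an added example (not from the page or the batch script's author), the same escrow step in PowerShell, followed by a check that the recovery password actually exists in AD DS before you rely on it, which is the point of the "Do not enable BitLocker until recovery information is stored to AD DS" setting. It assumes an elevated session on a domain-joined Windows 10/11 host with the BitLocker and ActiveDirectory (RSAT) modules, a GPO that allows AD DS backup, and that the account running the check has been delegated read access to the msFVE-RecoveryInformation objects.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's own script. Assumes a domain-joined Windows 10/11 host
# with the BitLocker and ActiveDirectory (RSAT) modules and a GPO permitting AD DS backup.
Import-Module BitLocker
Import-Module ActiveDirectory

function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not BitLocker-protected; nothing to escrow."
    }
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # No numerical recovery password yet: add one (this is the protector AD stores)
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        # Same operation as "manage-bde -protectors -adbackup <drive> -id <id>"
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return $rp.KeyProtectorId      # "{GUID}" strings
}

function Test-RecoveryPasswordInAD {
    param([Parameter(Mandatory)][string[]]$KeyProtectorId)

    # Escrowed keys are msFVE-RecoveryInformation child objects of the computer account;
    # reading them needs delegated rights (the computer account itself only writes them).
    $computerDN = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $escrowed = @(Get-ADObject -SearchBase $computerDN -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryGuid)
    # msFVE-RecoveryGuid is an octet string holding the protector's GUID
    $inAD = foreach ($o in $escrowed) { [guid]::new([byte[]]$o.'msFVE-RecoveryGuid') }

    # Return the protector IDs that are NOT in AD; an empty result means all are escrowed
    $missing = foreach ($id in $KeyProtectorId) {
        if ($inAD -notcontains [guid]$id) { $id }
    }
    return @($missing)
}

$ids = Backup-RecoveryPasswordToAD -MountPoint $env:SystemDrive
$notInAD = Test-RecoveryPasswordInAD -KeyProtectorId $ids
if ($notInAD.Count -gt 0) {
    Write-Warning ("Recovery password(s) not found in AD DS: " + ($notInAD -join ', '))
} else {
    Write-Host "All recovery passwords for $env:SystemDrive are escrowed in AD DS."
}
```

If the warning fires on a laptop, the usual cause is that the backup was attempted while off the domain network; rerun the script once the host can reach a domain controller.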