Add-BitLockerKeyProtector

Add a key protector for a BitLocker volume.

Syntax
      Add-BitLockerKeyProtector [-MountPoint] String[] -ADAccountOrGroupProtector [-ADAccountOrGroup] String
         [-Service] [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -PasswordProtector [[-Password] SecureString]
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[]
         -TpmAndPinAndStartupKeyProtector [-StartupKeyPath] String [[-Pin] SecureString] 
            [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -TpmAndPinProtector [[-Pin] SecureString]
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -RecoveryKeyProtector [-RecoveryKeyPath] String
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -RecoveryPasswordProtector [[-RecoveryPassword] String] 
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -StartupKeyProtector [-StartupKeyPath] String
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -TpmAndStartupKeyProtector [-StartupKeyPath] String 
         [-Confirm] [-WhatIf] [CommonParameters]
    
      Add-BitLockerKeyProtector [-MountPoint] String[] -TpmProtector
         [-Confirm] [-WhatIf] [CommonParameters]

Key
   -ADAccountOrGroup String
       An account using the format Domain\User.
       This cmdlet adds the account you specify as a key protector for the volume encryption key.
        
   -ADAccountOrGroupProtector
       Indicate that BitLocker uses an AD DS account as a protector for the volume encryption key.
        
   -MountPoint String[]
       An array of drive letters or BitLocker volume objects. The key protector is added to
       each volume specified. To obtain a BitLocker volume object, use Get-BitLockerVolume.
        
   -Password SecureString
       A secure string object that contains a password. The password acts as a protector for the 
       volume encryption key.
        
   -PasswordProtector
       Indicates that BitLocker uses a password as a protector for the volume encryption key.
        
   -Pin SecureString
       A secure string object that contains a PIN. BitLocker uses the PIN specified, with other
       data, as a protector for the volume encryption key.
        
   -RecoveryKeyPath String
       A path to a recovery key. The key stored in the specified path acts as a protector for the
       volume encryption key.
        
   -RecoveryKeyProtector
       Indicates that BitLocker uses a recovery key as a protector for the volume encryption key.
        
   -RecoveryPassword String
       A recovery password. If you do not specify this parameter, but you do include the 
       RecoveryPasswordProtector parameter, the cmdlet creates a random password. You can enter
       a 48 digit password. The password acts as a protector for the volume encryption key.
        
   -RecoveryPasswordProtector
       Indicates that BitLocker uses a recovery password as a protector for the volume encryption key.
        
   -Service
       Indicates that the system account for this computer unlocks the encrypted volume.
        
   -StartupKeyPath String
       A path to a startup key. The key stored in the specified path acts as a protector for the
       volume encryption key.
        
   -StartupKeyProtector
       Indicates that BitLocker uses a startup key as a protector for the volume encryption key.

   -TpmAndPinAndStartupKeyProtector
       Indicates that BitLocker uses a combination of TPM, a PIN, and a startup key as a protector for the volume 
        encryption key.
        
   -TpmAndPinProtector
       Indicates that BitLocker uses a combination of the TPM and a PIN as a protector for
       the volume encryption key.

   -TpmAndStartupKeyProtector
       Indicates that BitLocker uses a combination of TPM and a startup key as a protector for
       the volume encryption key.
        
   -TpmProtector
       Indicates that BitLocker uses TPM as a protector for the volume encryption key.

   -Confirm
       Prompt for confirmation before running the cmdlet.

   -WhatIf
       Show what would happen if the cmdlet runs. The cmdlet is not run.

Standard Aliases for Add-BitLockerKeyProtector: none, but if you want to add a short alias like ablkp, set it with set-alias

Add-BitLockerKeyProtector adds a protector for the volume key of the volume protected with BitLocker Drive Encryption.

When a user accesses a drive protected by BitLocker, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker retrieves the encryption key and uses it to read data from the drive.

You can use one of the following methods or combinations of methods for a key protector (each corresponds to one of the parameter sets above):

   TPM only
   TPM and PIN
   TPM and startup key
   TPM, PIN and startup key
   Startup key (external key on removable media)
   Password
   Recovery key
   Recovery password (48 digits)
   AD DS account or group

You can add only one of these methods or combinations at a time, but you can run this cmdlet more than once on a volume, so a volume usually ends up with several protectors (for example TPM plus a recovery password).

Adding a key protector is a single operation; for example, adding a startup key protector to a volume that uses the TPM and PIN combination as a key protector results in two key protectors, not a single key protector that uses TPM, PIN, and startup key. Instead, add a protector that uses TPM, PIN, and startup key and then remove the TPM and PIN protector by using the Remove-BitLockerKeyProtector cmdlet.
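The procedure just described (add the TPM, PIN and startup key protector, then remove the TPM and PIN protector), as an added example that is not part of the SS64 page. It assumes C: is already protected with a TPM and PIN protector, that a removable drive mounted as E: will receive the startup key file, and that the session is elevated. It checks for a recovery password protector first, because removing the only unlock method for a volume locks you out of it:

```powershell
# Added example: replace a TPM+PIN protector with TPM+PIN+startup key on C:.
# Assumptions: C: already has a TpmPin protector, E: is a removable drive for the
# startup key (.BEK file), session is elevated.
$MountPoint     = 'C:'
$StartupKeyPath = 'E:\'   # assumed removable drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Safety check: never remove protectors unless a recovery password exists
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw "No recovery password protector on $MountPoint; add one before changing protectors."
}

# Remember the existing TPM+PIN protector(s) so they can be removed by ID afterwards
$oldTpmPin = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if (-not $oldTpmPin) { throw "No TPM+PIN protector found on $MountPoint." }

# Read the PIN as a secure string; nothing is left in clear text in the script
$Pin = Read-Host -Prompt 'PIN for the new TPM+PIN+startup key protector' -AsSecureString

# Step 1: add the combined protector. This is a separate, additional protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinAndStartupKeyProtector `
    -StartupKeyPath $StartupKeyPath -Pin $Pin | Out-Null

# Step 2: confirm the combined protector really exists before removing anything
$combined = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'TpmPinStartupKey'
if (-not $combined) { throw 'Combined protector was not created; TPM+PIN left in place.' }

# Step 3: remove the old TPM+PIN protector(s) by KeyProtectorId
foreach ($kp in $oldTpmPin) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# Show the resulting protector set; KeyFileName holds the startup key file name
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, KeyFileName
```

The order matters: add first, verify, then remove. Running the removal before the combined protector is confirmed would leave the volume with only the recovery password as an unlock method.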

For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string, or Read-Host -AsSecureString to prompt for one. Secure strings let a script hold a password without keeping it in clear text in memory; note, however, that ConvertTo-SecureString -AsPlainText still leaves the literal password in the script file and in the command history, so use Read-Host -AsSecureString or a credential store for anything other than a throwaway test.

This cmdlet returns a BitLocker volume object. If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-digit recovery password (eight groups of six digits).

The cmdlet stores the password as the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object. If you use startup key or recovery key as part of your key protector, provide a path to store the key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the KeyProtector field in the BitLocker volume object.
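Reading the generated recovery password and the protector ID back from the returned object, as an added example that is not part of the SS64 page. It assumes C: is BitLocker-protected, the session is elevated, and, for the final step, that the computer is joined to an AD DS domain that is configured to accept BitLocker recovery information (Backup-BitLockerKeyProtector is a real cmdlet in the BitLocker module; the domain configuration is the assumption):

```powershell
# Added example: add a recovery password protector, read the generated password
# from the returned BitLocker volume object, validate its format, and escrow it.
# Assumptions: C: is BitLocker-protected, session is elevated, domain-joined with
# AD DS backup of recovery information permitted.
$MountPoint = 'C:'

# Protector IDs that exist before the call, so the new one can be identified reliably
$beforeIds = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorId)

# No -RecoveryPassword given: the cmdlet generates a random 48-digit password
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

# The new protector is the RecoveryPassword entry whose ID was not there before
$rp = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $beforeIds
}
if (-not $rp) { throw 'Recovery password protector was not added.' }

# Sanity check: 8 groups of 6 digits separated by hyphens
if ($rp.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
    throw "Unexpected recovery password format: $($rp.RecoveryPassword)"
}

# KeyProtectorId is the GUID (in braces) used to address this protector later,
# e.g. with Remove-BitLockerKeyProtector or Backup-BitLockerKeyProtector
"Protector ID : $($rp.KeyProtectorId)"

# Escrow the recovery password to AD DS so the help desk can recover the volume.
# Do not write $rp.RecoveryPassword to a log or ticket in clear text.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
```

Matching on the protector ID rather than taking the last RecoveryPassword entry avoids picking up a pre-existing recovery password on a volume that already had one.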

An overview of BitLocker Drive Encryption.

This cmdlet was introduced in Windows PowerShell 5.0.

Examples

Add a key protector (TPM and PIN) to drive C:. The PIN is passed as a secure string; ConvertTo-SecureString -AsPlainText is used here for brevity but leaves the PIN in the script and command history, and Windows 10 and later require at least six digits by default:

PS C:\> $SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
PS C:\> Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector

Add a recovery key (external key file) for all BitLocker volumes, storing the key files under E:\Recovery\:

PS C:\> Get-BitLockerVolume | Add-BitLockerKeyProtector -RecoveryKeyPath "E:\Recovery\" -RecoveryKeyProtector

“Beware of the door with too many keys” ~ Portuguese Proverb

Related PowerShell Cmdlets

Enable-BitLocker - Enable encryption for a BitLocker volume.
Get-BitLockerVolume - Get information about BitLocker volumes, including their key protectors.
Remove-BitLockerKeyProtector - Remove a key protector from a BitLocker volume.
Backup-BitLockerKeyProtector - Save a key protector for a BitLocker volume in AD DS.
Suspend-BitLocker - Suspend BitLocker encryption for the specified volume.


 
Copyright © 1999-2024 SS64.com
Some rights reserved