Add-BitLockerKeyProtector

NAME
Add-BitLockerKeyProtector

SYNOPSIS
Adds a key protector for a BitLocker volume.

SYNTAX

    Add-BitLockerKeyProtector [-MountPoint] <String[]> 
    [-ADAccountOrGroup] <String> [-Service] -ADAccountOrGroupProtector 
    [-Confirm] [-WhatIf] [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Password] 
    <SecureString>] -PasswordProtector [-Confirm] 
    [-WhatIf] [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] 
    <String> [[-Pin] <SecureString>] -TpmAndPinAndStartupKeyProtector 
    [-Confirm] [-WhatIf] [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [[-Pin] 
    <SecureString>] -TpmAndPinProtector [-Confirm] [-WhatIf] 
    [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [-RecoveryKeyPath] 
    <String> -RecoveryKeyProtector [-Confirm] [-WhatIf] 
    [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> 
    [[-RecoveryPassword] <String>] -RecoveryPasswordProtector [-Confirm] 
    [-WhatIf] [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] 
    <String> -StartupKeyProtector [-Confirm] [-WhatIf] [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> [-StartupKeyPath] 
    <String> -TpmAndStartupKeyProtector [-Confirm] [-WhatIf] 
    [<CommonParameters>]
    
    Add-BitLockerKeyProtector [-MountPoint] <String[]> -TpmProtector 
    [-Confirm] [-WhatIf] [<CommonParameters>]
    
DESCRIPTION

The Add-BitLockerKeyProtector cmdlet adds a protector for the volume key of the volume protected
with BitLocker Drive Encryption.

When a user accesses a drive protected by BitLocker, such as when starting a computer, BitLocker
requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive
that contains a key. BitLocker retrieves the encryption key and uses it to read data from the
drive.

You can use one of the following methods or combinations of methods for a key protector:

-- Trusted Platform Module (TPM). BitLocker uses the computer's TPM to protect the encryption key.
If you specify this protector, users can access the encrypted drive as long as it is connected to
the system board that hosts the TPM and the system boot integrity is intact. In general, TPM-based
protectors can only be associated with an operating system volume.
-- TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a
user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, four to twenty
letters, symbols, spaces, or numbers.
-- TPM, PIN, and startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and
input from a USB memory device that contains an external key.
-- TPM and startup key. BitLocker uses a combination of the TPM and input from a USB memory
device.
-- Startup key. BitLocker uses input from a USB memory device that contains the external key.
-- Password. BitLocker uses a password.
-- Recovery key. BitLocker uses a recovery key stored as a specified file in a USB memory device.
-- Recovery password. BitLocker uses a recovery password.
-- Active Directory Domain Services (ADDS) account. BitLocker uses domain authentication to unlock
data volumes. Operating system volumes cannot use this type of key protector.

You can add only one of these methods or combinations at a time, but you can run this cmdlet more
than once on a volume.

Adding a key protector is a single operation; for example, adding a startup key protector to a
volume that uses the TPM and PIN combination as a key protector results in two key protectors, not
a single key protector that uses TPM, PIN, and startup key. Instead, add a protector that uses
TPM, PIN, and startup key and then remove the TPM and PIN protector by using the
Remove-BitLockerKeyProtector cmdlet.

For a password or PIN key protector, specify a secure string. You can use the
ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script
and still maintain confidentiality of passwords.
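The replacement procedure described above, written out as an added example (this script is not part of the help page). It assumes the operating system volume is C:, that a removable drive is mounted at E:\ to receive the external key file, that a recovery password protector already exists as a fallback, and that the session is elevated; the variable names are the example's own. The PIN is read as a SecureString with Read-Host so it is never written into the command history or a transcript.

```powershell
# Added example: replace an existing TPM+PIN protector with a single
# TPM+PIN+startup key protector, then remove the old TPM+PIN protector.
# Assumptions: OS volume is C:, a USB drive is mounted at E:\ (hypothetical paths).
$MountPoint     = "C:"
$StartupKeyPath = "E:\"

# Read the PIN as a SecureString; ConvertTo-SecureString works the same way for scripted input.
$Pin = Read-Host -Prompt "Enter the BitLocker PIN" -AsSecureString

# Inspect the protectors already on the volume before changing anything.
$before   = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
$oldTpmPin = $before | Where-Object KeyProtectorType -eq 'TpmPin'
if (-not $oldTpmPin) {
    throw "No TPM+PIN protector found on $MountPoint; nothing to replace."
}
# Refuse to touch the protector set unless a recovery password exists as a fallback.
if (-not ($before | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw "Add and back up a recovery password protector before replacing the TPM+PIN protector."
}

# Step 1: add the combined protector. This writes the external key file to the USB drive.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -StartupKeyPath $StartupKeyPath -Pin $Pin -TpmAndPinAndStartupKeyProtector

# Step 2: confirm the new protector is present before removing the old one,
# so a failed add never leaves the volume without its TPM+PIN protector.
$new = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPinStartupKey'
if (-not $new) {
    throw "TPM+PIN+startup key protector was not added; the existing protector is left in place."
}

# Step 3: remove the old TPM+PIN protector by its ID (it is not merged into the new one).
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $oldTpmPin.KeyProtectorId

# Show the resulting protector set for verification.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, KeyFileName
```

The order matters: the new protector is added and verified first, and the old one is removed only afterwards, so the volume is never left with no TPM-bound protector if the add fails. The external key file written to E:\ is itself a secret and should be kept with the same care as the PIN.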

This cmdlet returns a BitLocker volume object. If you choose recovery password as your key
protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-bit
recovery password. The cmdlet stores the password as the RecoveryPassword field of the
KeyProtector attribute of the BitLocker volume object.

If you use startup key or recovery key as part of your key protector, provide a path to store the
key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the
KeyProtector field in the BitLocker volume object.
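An added example (not from the help page) that reads the generated recovery password and the key file name back from the returned volume object, as the two paragraphs above describe. It assumes a data volume D:, a USB drive at E:\ for the recovery key file, and a domain-joined computer for the optional AD DS backup; it identifies the newly added protector by comparing protector IDs before and after the call rather than by position in the list.

```powershell
# Added example: add a recovery password protector and a recovery key protector to D:,
# then read the RecoveryPassword and KeyFileName fields from the returned volume object.
# Assumptions: data volume is D:, USB drive is mounted at E:\ (hypothetical paths).
$MountPoint      = "D:"
$RecoveryKeyPath = "E:\"

# IDs present before the change, used to pick out the protectors this script adds.
$existingIds = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorId

# Recovery password: no -RecoveryPassword argument, so the cmdlet generates one.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $existingIds
}
if (-not $rp) { throw "Recovery password protector was not added to $MountPoint." }
# The generated recovery password (stored in the RecoveryPassword field). Treat it as a secret:
# display it only to escrow it, and never log it.
"Recovery password protector {0}: {1}" -f $rp.KeyProtectorId, $rp.RecoveryPassword

# Recovery key: the external key file is written under E:\ and its name is reported in KeyFileName.
# Both startup keys and recovery keys appear with KeyProtectorType 'ExternalKey'.
$existingIds = $vol.KeyProtector.KeyProtectorId
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -RecoveryKeyPath $RecoveryKeyPath -RecoveryKeyProtector
$rk  = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'ExternalKey' -and $_.KeyProtectorId -notin $existingIds
}
if (-not $rk) { throw "Recovery key protector was not added to $MountPoint." }
"Recovery key file: {0}" -f (Join-Path $RecoveryKeyPath $rk.KeyFileName)

# Escrow the recovery password in AD DS so it can be retrieved if the USB key is lost
# (assumes a domain-joined computer whose policy permits recovery information backup).
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
```

Selecting the new protector by ID rather than with Select-Object -Last 1 keeps the script correct on a volume that already carries several protectors of the same type. The recovery password is the value an administrator uses to unlock the volume when every other protector fails, so it should be escrowed (in AD DS as shown, or another managed store) immediately after it is generated.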

For an overview of BitLocker, see BitLocker Drive Encryption Overview
(http://technet.microsoft.com/en-us/library/cc732774.aspx) on TechNet.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287647
Backup-BitLockerKeyProtector
Remove-BitLockerKeyProtector
Get-BitLockerVolume
Enable-BitLocker

REMARKS
To see the examples, type: "get-help Add-BitLockerKeyProtector -examples".
For more information, type: "get-help Add-BitLockerKeyProtector -detailed".
For technical information, type: "get-help Add-BitLockerKeyProtector -full".
For online help, type: "get-help Add-BitLockerKeyProtector -online".