正如您所知， BitLocker推進加密只加密C:\驅動。 如果您有另外的驅動在您的個人計算機，或者使用外部USB硬盤用您的筆記本，您不可能加密那驅動與BDE。 正式地那是：)

當景色SP1在您的系統時將帶來支持為加密其他容量您能使用命令行工具做它今天處理bde.wsf。 現在，在我們開始之前我必須通知您這用微軟支持的現在方式。 我嘗試了它，它為我運作，但 我高度推薦採取數據的備份在進行之前!

與那偏僻發射指令提示作為管理員和跑以下命令加密另外的驅動：

cscript在X處理bde.wsf - ： - recoverykey Y:\ - recoverypassword

在本例中x ： 是您希望恢復和Y的驅動： 是補救鑰匙將被保存的驅動。 記住對備份補救鑰匙并且存放它在一個安全地點。 您在C能存放這把鑰匙： 被加密)的驅動(和它將使事更加容易，當您需要打開驅動。

一旦那是完全的您將需要跑命令「打開」驅動為了訪問數據。 與驅動被塞住的奔跑以下命令：

cscript處理bde.wsf -打開X ： - recoverykey C:\WO97N74A - A99A-9923-C798-45FF0139DDE9.BEK

如果您丟失鑰匙您能打開驅動以補救密碼與以下命令：

cscript處理bde.wsf -打開X ： - recoverypassword 846295-102210-220394-001294-333982-001923-094856-223451

太使它更加容易我建議創造

我們有 做一些崗位在BitLocker 在某些更加先進的特點和控制附近。 我們未接觸的这一件事是多麼容易它是加密您的驅動與BitLocker。 在我們在做法開始選擇的小的回顧之前您能選擇是$$4有序。

• 仅TPM -這是最容易部署和使用。 一切在背景中發生無形在用戶身上。
• Dongle Only - This is used with systems that do not have a TPM 1.2 chip. Rather than store the ket in TPM it stores it on a USB key which must be insterted prior to booting the PC
• TPM + PIN - This is more secure. In effect it is a form of two factor authentication, what you have (the TPM chip with the key) and what you know (the PIN)
• Dongle + PIN - This is another form of two factor authentication again for older systems with no TPM 1.2 chip

Personally I prefer TPM + PIN as I usually store my USB keys in my notebook bag. Should that ever get lost or stolen the person has all they need to get access to the system (at least to a password prompt).

To enable PIN or Dongle capabilities you will need to edit the local computer policy first. We already wrote about that here and here so I won't cover that again.

To begin, the first step is to prep

We have gone over the GPO settings for BitLocker recently and now we are going to cover the actual configuration of BitLocker on the computer itself. There are two ways, the GUI way, or the CLI way. Today we will focus on the CLI method.

There is one command that allows you to manage BitLocker via the CLI and that is manage-bde. Simply run this from an elevated command prompt and you will see the following output.

To determine the status of the volume simply run manage-bde -status

Before we go any further you will need to have preped the drive with the BitLocker Drive Prep tool. The next step is to initialize TPM. Again there is the GUI method that uses TPM.MSC or you can run the following command.

cscript manage-bde.wsf –tpm –takeownership -<password>

With everything ready you can run the following command to encrypt the drive.

cscript manage-bde.wsf –on –recoverypassword C:

Once complete you can run manage-bde -status again!

Ever wanted to backup your ACLs for every file in a folder? With Windows Vista, and Microsoft Windows Server 2003 SP2 a new tool has been released called ICACLS.

To backup the ACLs of every file in a directory type:

icacls * /save aclfile.txt

This command saves the ACLs of all the files in the directory to a file called aclfile.txt. You can add "/T" to include all the subfolders.

You can later restore that file using the /restore aclfiles.txt.

This is great when an application or administrator makes changes to the ACLs and then forgets what they changed when it causes a problem.

You can also modify the ACE of a file this is the "Access Control Entry" it controls how different processes can access files. You do this by changing the Integrity Level of a file to Low Medium or High. The Integrity Level or IL indicates if a process may access a particular file. When a process launches it is given an IL typically the same IL as its parent process.

You can see the Integrity Level of your processes using a tool like processexplorer

This is useful if you have sensitive files that you don't low permission processes accessing. For example IE runs with a low integrity level automatically so it can't access files on the system that have a medium or high IL.

To change the IL on a file type:

icacls filename.ext /setintegritylevel

We posted an article earlier about configuration settings in BitLocker. We covered most of the tabs from the GPO configuration settings. If you investigated the BitLocker Administrative Template you may noticed a final configuration you can adjust.

This is the "Configure TPM Platform validation profiles"

This GPO configures a specific aspect of the BitLocker configuration. Lets first review what happens when you enable BitLocker.

Once you initiate the BitLocker, a key is generated. This key is save to the TPM, AD, and or a USB or external source. This is the key that the computer uses to encrypt the hard drive. Now this key needs to be available whenever we want to read or write data from the hard drive. There are several ways we can do this.

1) Store the key in a TPM Chip. this is the most secure way to store the key. When you put a key in the TPM chip Windows will survey several configuration settings on the computer to generate a second key. (Yes we now have 2 keys) This second key is generated by reading values from several components during Windows Startup. Ex: The Bios configuration, the boot configuration, the master boot record, and several others. When the computer is booted up the boot process needs to get the BitLocker key out of the TPM chip. In order to do this it first must recreate the 2nd key that "guards" the 1st key. If any of the boot environment has changed, as it would if