2022-10-04

Store BitLocker Recovery Password To AD via GPO and PowerShell

Computer Configuration (Enabled)
=> Policies
=> => Windows Settings
=> => => Scripts
=> => => => Startup
=> => => => => StoreBitlockerRecoveryPasswordToAD.ps1

=======================================================
Script file ACL: add Allow "Read and Execute" for Domain Computers (the startup script runs under the machine account, so that account must be able to read the file)
=======================================================
$keyID = Get-BitLockerVolume -MountPoint c: | select -ExpandProperty keyprotector |  where {$_.KeyProtectorType -eq 'RecoveryPassword'};

if ($keyID.KeyProtectorId -ne $Null) {
Backup-BitLockerKeyProtector -MountPoint c: -KeyProtectorId $keyID.KeyProtectorId;
};

=======================================================

=> => Administrative Templates
=> => => System/Group Policy
=> => => => Configure Logon Script Delay => Enabled 
=> => => => => minute: 2  

=> => => Windows Components/BitLocker Drive Encryption
=> => => => Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) => Enabled 
=> => => => => Select the encryption method for operating system drives => XTS-AES 128-bit (default)
=> => => => => Select the encryption method for fixed data drives => XTS-AES 128-bit (default)
=> => => => => Select the encryption method for removable data drives => AES-CBC 128-bit (default) 

=> => => => Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) => Enabled 
=> => => => => Require BitLocker backup to AD DS => Enabled
=> => => => => Select BitLocker recovery information to store => Recovery passwords and key packages

=> => => Windows Components/BitLocker Drive Encryption/Operating System Drives
=> => => => Choose how BitLocker-protected operating system drives can be recovered => Enabled 
=> => => => => Allow data recovery agent => Enabled
=> => => => => Configure user storage of BitLocker recovery information:
=> => => => => => Allow 48-digit recovery password
=> => => => => => Allow 256-bit recovery key
=> => => => => Omit recovery options from the BitLocker setup wizard => Disabled
=> => => => => Save BitLocker recovery information to AD DS for operating system drives => Enabled
=> => => => => Configure storage of BitLocker recovery information to AD DS => Store recovery passwords and key packages
=> => => => => Do not enable BitLocker until recovery information is stored to AD DS for operating system drives => Enabled  

=> => => => Require additional authentication at startup => Enabled 
=> => => => => Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) => Enabled
=> => => => => Settings for computers with a TPM:
=> => => => => => Configure TPM startup: Allow TPM
=> => => => => => Configure TPM startup PIN: Allow startup PIN with TPM
=> => => => => => Configure TPM startup key: Allow startup key with TPM
=> => => => => => Configure TPM startup key and PIN: Allow startup key and PIN with TPM 

=> => => Windows Components/Windows PowerShell
=> => => => Turn on Script Execution => Enabled 
=> => => => Execution Policy => Allow local scripts and remote signed scripts 
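To confirm that the startup script and the "Store BitLocker recovery information in Active Directory Domain Services" policy actually produced a backup, the following verification script is added here; it is not part of the original post. It assumes the RSAT ActiveDirectory module is installed on the machine you run it from, and that the account running it is allowed to read msFVE-RecoveryInformation objects (by default only Domain Admins and explicitly delegated readers can). It compares each local recovery-password protector on C: with the msFVE-RecoveryInformation child objects of the computer account and exits non-zero if any protector has no matching object.

```powershell
# Added verification script (not from the original post).
# Assumptions: RSAT ActiveDirectory module present; caller may read msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory
Import-Module BitLocker

$computer = Get-ADComputer -Identity $env:COMPUTERNAME

# Recovery information is stored as child objects directly under the computer object.
$adEntries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

# msFVE-RecoveryGuid is an octet string (16 bytes); convert it to a GUID string
# so it can be compared with the local KeyProtectorId.
$adGuids = foreach ($e in $adEntries) {
    ([guid]::new([byte[]]$e.'msFVE-RecoveryGuid')).ToString()
}

# Local recovery-password protectors on the OS drive.
$local = Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $local) {
    Write-Output "No recovery-password protector exists on C:; nothing can be backed up to AD."
    exit 2
}

$missing = @()
foreach ($p in $local) {
    # KeyProtectorId looks like {GUID}; AD side has no braces and -contains compares case-insensitively
    $id = $p.KeyProtectorId.Trim('{}')
    if ($adGuids -contains $id) {
        Write-Output "OK       $id has an msFVE-RecoveryInformation object in AD"
    } else {
        Write-Output "MISSING  $id has no msFVE-RecoveryInformation object in AD"
        $missing += $id
    }
}

# Non-zero exit lets a monitoring job or RMM tool flag machines whose backup silently failed.
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

A MISSING result on a machine where the startup script has already run usually points at one of the policy items above not applying (check gpresult /r on the client), at the script file ACL not granting the machine account read access, or at the domain schema lacking the msFVE attributes.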

 

Reference:
