Essentially, there are two registry values that need to be set before BitLocker will allow a USB drive to be used to hold the startup/recovery keys. You don't need to edit a GPO via a GUI.
This is how I protected my c: drive with BitLocker, storing my keys on a USB drive mounted as the k: drive. Step #3 is the part that replaces the need for using gpedit.msc.
1. From PowerShell:

        Install-WindowsFeature Bitlocker

2. Reboot

3. From PowerShell (the "FVE" key/folder doesn't exist initially):

        New-Item HKLM:\SOFTWARE\Policies\Microsoft\FVE
        Set-Location HKLM:\SOFTWARE\Policies\Microsoft
        Set-ItemProperty FVE -Name UseAdvancedStartup -Value 1
        Set-ItemProperty FVE -Name EnableBDEWithNoTPM -Value 1

4. From cmd.exe:

        manage-bde -protectors -add c: -startupkey k:\ -recoverykey k:\

5. From cmd.exe:

        manage-bde -on c: -usedspaceonly

6. Reboot

7. From cmd.exe (to confirm things are working):

        manage-bde -status
FYI: I did all of this via an RDP session, including using diskpart to set the USB drive letter. The only physical access to the machine was to plug in the USB drive.
EDIT: I took some time and confirmed that the USB drive's letter and label are irrelevant at boot time. You can put the key file(s) on a replacement drive and connect it to a different USB port. Windows finds it just fine and boots. (If only Windows was this nice with USB printers.)
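The same policy change as an added, idempotent PowerShell version (not code from the answer above), writing the two FVE values explicitly as DWORDs and then verifying both the policy and the key protectors on C:. It assumes the BitLocker feature is installed and the startup/recovery keys were already added with manage-bde as in step 4; the function names are my own.

```powershell
# Added example, not from the original answer. Assumes the BitLocker feature
# is installed and the protectors were added with manage-bde as in step 4.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-NoTpmStartupKeyPolicy {
    # -Force makes this idempotent: the key is created if missing and the
    # values are overwritten if they already exist. DWord is the type the
    # policy engine expects for these two values.
    New-Item -Path $fve -Force | Out-Null
    New-ItemProperty -Path $fve -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-NoTpmStartupKeyPolicy {
    # $true only when the key exists and both values are exactly 1
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

function Test-VolumeProtectors {
    param([string]$MountPoint = 'C:')
    # Both the startup key and the recovery key written by manage-bde are
    # file-based protectors, which Get-BitLockerVolume reports as ExternalKey
    # (assumption based on how these protectors are listed).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $external = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        ExternalKeyCount = $external.Count
        Ready            = ($external.Count -ge 2)
    }
}

Set-NoTpmStartupKeyPolicy
if (-not (Test-NoTpmStartupKeyPolicy)) { throw "FVE policy values were not applied" }
Test-VolumeProtectors -MountPoint 'C:'
```

Run it from an elevated session; a `Ready` of `$false` means one of the two key files on k:\ was not registered as a protector and `manage-bde -protectors -get c:` is the next thing to check.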