Solved

Enabling BitLocker via WMI or powershell: script help.

Posted on 2014-02-07
13
3,619 Views
Last Modified: 2014-04-23
I am looking into deploying Bitlocker company wide here in the next few months.  From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
0
Comment
Question by:Ben Hart
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 17

Assisted Solution

by:Kent Dyer
Kent Dyer earned 167 total points
ID: 39842196
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842680
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842729
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 17

Expert Comment

by:Kent Dyer
ID: 39842748
but..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than you Win2007, you may need to update your powershell or run the commands from your server/DC..
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842774
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842865
If i cant run this on a windows 7 pc, then would it still run correct if being initiated by a GPO rather than me typing the commands in?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39843989
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844087
Also understand that BL for the HDD only gives you protection for data at rest, when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39847363
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39848393
Anyone else?  I'm having horrible luck on this topic and I don;t believe that deploying Bitlocker is such an unheard of thing here on EE.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 333 total points
ID: 39850190
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39938174
Ok.. sorry small IT department and lots of projects being pushed down.


That worked! I guess I didnt see any reference to a Bitlocker module to be imported but yes that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-module bitlocker line in the script correct?  Because it's running on the local machine...
0
 
LVL 54

Accepted Solution

by:
McKnife earned 333 total points
ID: 39938551
Yes, right.

Please be aware that there is no way to use only a PIN.
win7:
-Startup key
-TPM
-TPM and PIN
-TPM+PIN+Startupkey

additionally in win8:
-Password

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if succesful, goto end. If not, use the protector -sk"
like
manage-bde c: -protectors -add -sk <path2usbdrive>
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question