Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Enabling BitLocker via WMI or powershell: script help.

Posted on 2014-02-07
13
Medium Priority
?
4,451 Views
Last Modified: 2014-04-23
I am looking into deploying Bitlocker company wide here in the next few months.  From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
0
Comment
Question by:Ben Hart
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 17

Assisted Solution

by:Kent Dyer
Kent Dyer earned 668 total points
ID: 39842196
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842680
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842729
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker
0
WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

 
LVL 17

Expert Comment

by:Kent Dyer
ID: 39842748
but..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than you Win2007, you may need to update your powershell or run the commands from your server/DC..
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842774
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842865
If i cant run this on a windows 7 pc, then would it still run correct if being initiated by a GPO rather than me typing the commands in?
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39843989
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844087
Also understand that BL for the HDD only gives you protection for data at rest, when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39847363
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39848393
Anyone else?  I'm having horrible luck on this topic and I don;t believe that deploying Bitlocker is such an unheard of thing here on EE.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 1332 total points
ID: 39850190
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39938174
Ok.. sorry small IT department and lots of projects being pushed down.


That worked! I guess I didnt see any reference to a Bitlocker module to be imported but yes that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-module bitlocker line in the script correct?  Because it's running on the local machine...
0
 
LVL 57

Accepted Solution

by:
McKnife earned 1332 total points
ID: 39938551
Yes, right.

Please be aware that there is no way to use only a PIN.
win7:
-Startup key
-TPM
-TPM and PIN
-TPM+PIN+Startupkey

additionally in win8:
-Password

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if succesful, goto end. If not, use the protector -sk"
like
manage-bde c: -protectors -add -sk <path2usbdrive>
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Loops Section Overview

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question