Solved

Enabling BitLocker via WMI or powershell: script help.

Posted on 2014-02-07
13
3,223 Views
Last Modified: 2014-04-23
I am looking into deploying Bitlocker company wide here in the next few months.  From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
0
Comment
Question by:Ben Hart
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 17

Assisted Solution

by:Kent Dyer
Kent Dyer earned 167 total points
ID: 39842196
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842680
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842729
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker
0
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 39842748
but..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than you Win2007, you may need to update your powershell or run the commands from your server/DC..
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842774
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842865
If i cant run this on a windows 7 pc, then would it still run correct if being initiated by a GPO rather than me typing the commands in?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 53

Expert Comment

by:McKnife
ID: 39843989
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844087
Also understand that BL for the HDD only gives you protection for data at rest, when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39847363
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39848393
Anyone else?  I'm having horrible luck on this topic and I don;t believe that deploying Bitlocker is such an unheard of thing here on EE.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 333 total points
ID: 39850190
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39938174
Ok.. sorry small IT department and lots of projects being pushed down.


That worked! I guess I didnt see any reference to a Bitlocker module to be imported but yes that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-module bitlocker line in the script correct?  Because it's running on the local machine...
0
 
LVL 53

Accepted Solution

by:
McKnife earned 333 total points
ID: 39938551
Yes, right.

Please be aware that there is no way to use only a PIN.
win7:
-Startup key
-TPM
-TPM and PIN
-TPM+PIN+Startupkey

additionally in win8:
-Password

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if succesful, goto end. If not, use the protector -sk"
like
manage-bde c: -protectors -add -sk <path2usbdrive>
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Set OWA language and time zone in Exchange for individuals, all users or per database.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now