Solved

Enabling BitLocker via WMI or powershell: script help.

Posted on 2014-02-07
13
4,000 Views
Last Modified: 2014-04-23
I am looking into deploying Bitlocker company wide here in the next few months.  From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
0
Comment
Question by:Ben Hart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 17

Assisted Solution

by:Kent Dyer
Kent Dyer earned 167 total points
ID: 39842196
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842680
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842729
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 17

Expert Comment

by:Kent Dyer
ID: 39842748
but..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than you Win2007, you may need to update your powershell or run the commands from your server/DC..
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842774
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39842865
If i cant run this on a windows 7 pc, then would it still run correct if being initiated by a GPO rather than me typing the commands in?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39843989
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844087
Also understand that BL for the HDD only gives you protection for data at rest, when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39847363
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39848393
Anyone else?  I'm having horrible luck on this topic and I don;t believe that deploying Bitlocker is such an unheard of thing here on EE.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 333 total points
ID: 39850190
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 39938174
Ok.. sorry small IT department and lots of projects being pushed down.


That worked! I guess I didnt see any reference to a Bitlocker module to be imported but yes that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-module bitlocker line in the script correct?  Because it's running on the local machine...
0
 
LVL 55

Accepted Solution

by:
McKnife earned 333 total points
ID: 39938551
Yes, right.

Please be aware that there is no way to use only a PIN.
win7:
-Startup key
-TPM
-TPM and PIN
-TPM+PIN+Startupkey

additionally in win8:
-Password

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if succesful, goto end. If not, use the protector -sk"
like
manage-bde c: -protectors -add -sk <path2usbdrive>
0

Featured Post

Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question