  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4610

Enabling BitLocker via WMI or powershell: script help.

I am looking into deploying BitLocker company wide here in the next few months.  From the results I've found so far it seems that controlling BitLocker's configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
Asked by: Ben Hart

3 Solutions

Kent Dyer (IT Security Analyst Senior) commented:
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.

Ben Hart (Author) commented:
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?

Ben Hart (Author) commented:
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker

Kent Dyer (IT Security Analyst Senior) commented:
But..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than your Win2007, you may need to update your powershell or run the commands from your server/DC..

Ben Hart (Author) commented:
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.

Ben Hart (Author) commented:
If I can't run this on a Windows 7 PC, then would it still run correctly if being initiated by a GPO rather than me typing the commands in?

McKnife commented:
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.

Rich Rumble (Security Samurai) commented:
Also understand that BL for the HDD only gives you protection for data at rest; when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich

Ben Hart (Author) commented:
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?

Ben Hart (Author) commented:
Anyone else?  I'm having horrible luck on this topic and I don't believe that deploying BitLocker is such an unheard of thing here on EE.

McKnife commented:
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.

Ben Hart (Author) commented:
Ok.. sorry, small IT department and lots of projects being pushed down.

That worked! I guess I didn't see any reference to a BitLocker module to be imported, but yes, that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-Module BitLocker line in the script, correct?  Because it's running on the local machine...

McKnife commented:
Yes, right.

Please be aware that there is no way to use only a PIN.
win7:
-Startup key
-TPM
-TPM and PIN
-TPM+PIN+Startupkey

additionally in win8:
-Password

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if successful, goto end. If not, use the protector -sk"
like
manage-bde c: -protectors -add -sk <path2usbdrive>
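One way to implement the "try TPM, otherwise fall back to a startup key" logic McKnife describes, as an added example written for this thread (not code from Microsoft or from any poster here). It assumes PowerShell 4 with the BitLocker module on the client, and that E:\ is the USB stick plugged into hosts without a TPM (a constructed value; adjust for your environment).

```powershell
# Added example (not from the thread): enable BitLocker on C: with the TPM when one
# is present, otherwise with a USB startup key, the only non-TPM option on Windows 7.
# Assumptions: PowerShell 4 + BitLocker module on the client; E:\ is the USB stick
# present in TPM-less hosts (constructed value).
Import-Module BitLocker -ErrorAction Stop

$MountPoint     = 'C:'
$StartupKeyPath = 'E:\'

# A GPO startup script runs on every boot, so make it idempotent: leave volumes
# that are already protected or already encrypting alone.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On' -or $vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is already protected or encrypting; nothing to do."
    return
}

# Detect a usable TPM via WMI. Win32_Tpm exists on Windows 7 (where the Get-Tpm
# cmdlet does not); the query returns nothing on machines without a TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
$tpmReady = ($null -ne $tpm) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated

if ($tpmReady) {
    # A TPM-only protector needs no user interaction, so the hardware test can be
    # skipped and encryption starts right away.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest
} else {
    # Keep the hardware test here: encryption starts only after a reboot proves the
    # startup key on the USB stick is readable, so a bad key cannot lock the machine.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -StartupKeyProtector -StartupKeyPath $StartupKeyPath
}

# Whichever protector was chosen, add a recovery password and escrow it in AD so a
# lost USB stick or a TPM reset does not mean lost data. Escrow needs the
# "Store BitLocker recovery information in AD DS" policy applied to the client.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
```

Run it as a computer startup script (it needs local administrator rights); the idempotency check at the top is what makes it safe to apply on every boot via GPO.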