Enabling BitLocker via WMI or powershell: script help.

I am looking into deploying Bitlocker company wide here in the next few months.  From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest.  But I need some help enabling it via script pushed by the same GPO.

Either WMI or powershell, however I do prefer powershell.  But here's my hangup: Not all of the hosts have TPM support, so the single script should enable BL and use TPM if present or use PIN if not.
LVL 14
Ben HartAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

McKnifeConnect With a Mentor Commented:
Yes, right.

Please be aware that there is no way to use only a PIN.
-Startup key
-TPM and PIN

additionally in win8:

So in 7, you would have to use Startup keys (on USB) if no TPM is present. You could use a script like this:
"try tpm - if succesful, goto end. If not, use the protector -sk"
manage-bde c: -protectors -add -sk <path2usbdrive>
Kent DyerConnect With a Mentor IT Security Analyst SeniorCommented:
Stolen from Microsoft..

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 –UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

Be sure you have Set-ExecutionPolicy set correctly on your clients too.
Ben HartAuthor Commented:
Ahh so -TPMandPINprotector will use TPM if available but if not it won't complain about it?
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Ben HartAuthor Commented:
On my Win7 Enterprise VM powershell does not recognize the term enable-bitlocker
Kent DyerIT Security Analyst SeniorCommented:
but..  Wait..  Are you logging into a Win2008 or above DC?  If the server is newer than you Win2007, you may need to update your powershell or run the commands from your server/DC..
Ben HartAuthor Commented:
Sorry.. I'm going to be running this script from within a GPO but I was trying to take your (MSFT) code and test it on a Win7 Ent virtual machine.
Ben HartAuthor Commented:
If i cant run this on a windows 7 pc, then would it still run correct if being initiated by a GPO rather than me typing the commands in?
You would have to distribute a newer version of powershell. I think the Bitlocker commands came with 3.0 but I might be mistaken and it was in 4.0 - both installable on win7.
Without powershell, there's still batch: manage-bde.exe can also do all you need.
Rich RumbleSecurity SamuraiCommented:
Also understand that BL for the HDD only gives you protection for data at rest, when the OS is running, BL offers no protection whatsoever to the data on the HDD. Only when the PC is off is the data protected from physical theft: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Ben HartAuthor Commented:
Just installed WMF 4.0, rebooted and enable-bitlocker still is not recognized.  Am I doing something wrong?
Ben HartAuthor Commented:
Anyone else?  I'm having horrible luck on this topic and I don;t believe that deploying Bitlocker is such an unheard of thing here on EE.
McKnifeConnect With a Mentor Commented:
WMF4 installs Powershell4, if I remember correctly. But you still need to import the bitlocker module in your script!
import-module BitLocker
...and there you go.
Ben HartAuthor Commented:
Ok.. sorry small IT department and lots of projects being pushed down.

That worked! I guess I didnt see any reference to a Bitlocker module to be imported but yes that part works now.  Now if I go with powershell to enable and turn on BL I just need to make sure there's an Import-module bitlocker line in the script correct?  Because it's running on the local machine...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.