New-CMTSStepEnableBitLocker
- Module: ConfigurationManager Module
Create an Enable BitLocker step, which you can add to a task sequence.
Syntax
Default (Default)
New-CMTSStepEnableBitLocker
[-CreateKeyOption <CreateKeyType>]
[-Drive <String>]
[-EnableSkipWhenNoValidTpm <Boolean>]
[-EncryptFullDisk]
[-EncryptionMethod <DiskEncryptionMethod>]
[-Pin <SecureString>]
[-TpmAndPin]
[-TpmAndUsb]
[-TpmOnly]
[-UsbOnly]
[-WaitForBitLockerComplete]
[-Condition <IResultObject[]>]
[-ContinueOnError]
[-Description <String>]
[-Disable]
-Name <String>
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
This cmdlet creates a new Enable BitLocker step object. Then use the Add-CMTaskSequenceStep cmdlet to add the step to a task sequence. For more information on this step, see About task sequence steps: Enable BitLocker.
Note
Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.
Examples
Example 1
This example creates an object for the Enable BitLocker step for TPM only with several other options.
It then gets a task sequence object, and adds this new step to the task sequence at index 11.
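```powershell
# EncryptFullDisk and WaitForBitLockerComplete are switch parameters, so an explicit
# value must be bound with the -Switch:$value form. A space-separated $false would be
# parsed as a separate positional argument.
$step = New-CMTSStepEnableBitLocker -Name "Enable BitLocker" -TpmOnly -CreateKeyOption ActiveDirectoryDomainServices -EncryptionMethod AES_256 -EnableSkipWhenNoValidTpm $false -EncryptFullDisk:$false -WaitForBitLockerComplete:$false

# Get the task sequence and insert the new step at index 11.
$tsNameOsd = "Default OS deployment"
$tsOsd = Get-CMTaskSequence -Name $tsNameOsd -Fast
$tsOsd | Add-CMTaskSequenceStep -Step $step -InsertStepStartIndex 11
```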
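The following is an added example, not part of the original documentation. It builds a stricter variant of the step using only parameters documented on this page: TPM plus PIN, recovery password escrowed to Active Directory, XTS_AES256, full disk encryption, and no silent skip or continue-on-error. The helper name `New-HardenedBitLockerStep` is hypothetical; the task sequence name and index are reused from Example 1.

```powershell
# Added example. New-HardenedBitLockerStep is a hypothetical helper, not a ConfigMgr cmdlet.
function New-HardenedBitLockerStep {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Pin
    )

    # -Pin must hold 4-20 digits. Decode the SecureString only long enough to
    # check its shape, then drop the plaintext reference.
    $plain = [System.Net.NetworkCredential]::new('', $Pin).Password
    $valid = $plain -match '^[0-9]{4,20}\z'
    $plain = $null
    if (-not $valid) {
        throw 'PIN must be 4-20 digits.'
    }

    $params = @{
        Name                     = $Name
        TpmAndPin                = $true    # boot is locked until the user enters the PIN
        Pin                      = $Pin
        CreateKeyOption          = 'ActiveDirectoryDomainServices'  # escrow the recovery password
        EncryptionMethod         = 'XTS_AES256'
        EncryptFullDisk          = $true    # encrypt the whole drive, not only used space
        WaitForBitLockerComplete = $true    # hold the task sequence until encryption finishes
        EnableSkipWhenNoValidTpm = $false   # do not silently skip machines without a usable TPM
    }

    # -ContinueOnError is deliberately omitted so a failed step stops the task sequence.
    New-CMTSStepEnableBitLocker @params
}

# Prompt for the PIN so it never appears in the script or the command history.
$pin  = Read-Host -Prompt 'BitLocker startup PIN' -AsSecureString
$step = New-HardenedBitLockerStep -Name 'Enable BitLocker (TPM and PIN)' -Pin $pin

# Insert the step into the task sequence, as in Example 1.
$tsOsd = Get-CMTaskSequence -Name 'Default OS deployment' -Fast
$tsOsd | Add-CMTaskSequenceStep -Step $step -InsertStepStartIndex 11
```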
Parameters
-Condition
Specify a condition object to use with this step. To get this object, use one of the task sequence condition cmdlets. For example, Get-CMTSStepConditionVariable.
Parameter properties
| Type: | IResultObject[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | Conditions |
Parameter sets
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | cf |
Parameter sets
-ContinueOnError
Add this parameter to enable the step option Continue on error. When you enable this option, if the step fails, the task sequence continues.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-CreateKeyOption
Use one of the following values to specify where to create the recovery key:
- ActiveDirectoryDomainServices: Create the recovery password and escrow it in Active Directory (recommended)
- DoNotCreateRecoveryKey: Encrypt the drive, but don't create a recovery password.
Parameter properties
| Type: | CreateKeyType |
| Default value: | None |
| Accepted values: | ActiveDirectoryDomainServices, DoNotCreateRecoveryKey |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Description
Specify an optional description for this task sequence step.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Disable
Add this parameter to disable this task sequence step.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | DisableThisStep |
Parameter sets
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Drive
Specify the drive to encrypt. If you don't specify this parameter, the step encrypts the current OS drive.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | SpecificDrive |
Parameter sets
-EnableSkipWhenNoValidTpm
Applies to version 2006 and later. Set this parameter to true to skip this step for computers that don't have a TPM or when the TPM isn't enabled.
Parameter properties
| Type: | Boolean |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-EncryptFullDisk
Add this parameter to use full disk encryption. By default, the Enable BitLocker step only encrypts used space on the drive.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-EncryptionMethod
Applies to version 2006 and later. Use this parameter to specify the disk encryption mode. By default or if not specified, the step continues to use the default encryption method for the OS version.
Parameter properties
| Type: | DiskEncryptionMethod |
| Default value: | None |
| Accepted values: | DoNotSpecify, AES_128, AES_256, XTS_AES128, XTS_AES256, TotalCount |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | DiskEncryptionMethod |
Parameter sets
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-Name
Specify a name for this step to identify it in the task sequence.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | StepName |
Parameter sets
-Pin
If you use the parameter TpmAndPin, use this parameter to specify the PIN value. Specify 4-20 integers as a secure string.
Parameter properties
| Type: | SecureString |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-TpmAndPin
Add this parameter to configure key management for the OS drive to use a TPM and a personal identification number (PIN). When you specify this option, BitLocker locks the normal boot process until the user provides the PIN. If you use this parameter, use Pin to specify the PIN value. You can't combine this parameter with TpmAndUsb, TpmOnly, or UsbOnly.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-TpmAndUsb
Add this parameter to configure key management for the OS drive to use a TPM and a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is attached to the computer. You can't combine this parameter with TpmAndPin, TpmOnly, or UsbOnly.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-TpmOnly
Add this parameter to configure key management for the OS drive to only use a TPM. You can't combine this parameter with TpmAndPin, TpmAndUsb, or UsbOnly.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-UsbOnly
Add this parameter to configure key management for the OS drive to only use a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is attached to the computer. You can't combine this parameter with TpmAndPin, TpmAndUsb, or TpmOnly.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-WaitForBitLockerComplete
Add this parameter to configure the step to wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-WhatIf
Shows what would happen if the cmdlet runs. It doesn't run the cmdlet.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | wi |
Parameter sets
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
None
Outputs
IResultObject
Notes
For more information on this return object and its properties, see SMS_TaskSequence_EnableBitLockerAction server WMI class.
