Introduction
The xBitlocker module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the xBLAutoBitlocker, xBLBitlocker and xBLTpm resources. This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.
All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service. The "x" in xBitlocker stands for experimental, which means that these resources will be fixed forward and monitored by the module owner(s).
Please leave comments, feature requests, and bug reports in the Q & A tab for this module.
If you would like to modify the xBitlocker module, feel free. When modifying, please update the module name, resource friendly name, and MOF class name (instructions below). As specified in the license, you may copy or modify this resource as long as it is used on the Windows Platform.
For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the PowerShell Blog (this is a good starting point). There are also great community resources, such as PowerShell.org, or PowerShell Magazine. For more information on the DSC Resource Kit, check out this blog post.
Installation
To install the xBitlocker module:
- Unzip the content under the $env:ProgramFiles\WindowsPowerShell\Modules folder
To confirm installation:
- Run Get-DSCResource to see that xBLAutoBitlocker, xBLBitlocker and xBLTpm are among the DSC Resources listed
Requirements
This module requires that both the 'Bitlocker' and 'RSAT-Feature-Tools-Bitlocker' features are installed. It also requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems, install WMF 4.0. Please read the installation instructions that are present on both the download page and the release notes for WMF 4.0.
Description
The xBitlocker module contains the xBLAutoBitlocker, xBLBitlocker and xBLTpm DSC Resources. This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.
Details
xBLAutoBitlocker is used to automatically enable Bitlocker on drives of type Fixed or Removable. It does not work on Operating System drives. xBLAutoBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.
- *DriveType: The type of volume, as reported by Get-Volume, to auto apply Bitlocker to
- *PrimaryProtector: The primary protector type to be used for AutoBitlocker. Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector"
- MinDiskCapacityGB: If specified, only disks this size or greater will auto apply Bitlocker
- AutoUnlock: Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
- AdAccountOrGroup
- AdAccountOrGroupProtector
- EncryptionMethod
- HardwareEncryption
- Password
- PasswordProtector
- Pin
- RecoveryKeyPath
- RecoveryKeyProtector
- RecoveryPasswordProtector
- Service
- SkipHardwareTest
- StartupKeyPath
- StartupKeyProtector
- TpmProtector
- UsedSpaceOnly
xBLBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.
- *MountPoint: The MountPoint name as reported in Get-BitLockerVolume
- *PrimaryProtector: The primary protector type to be used for AutoBitlocker. Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector"
- AutoUnlock: Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
- AllowImmediateReboot: Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false.
- AdAccountOrGroup
- AdAccountOrGroupProtector
- EncryptionMethod
- HardwareEncryption
- Password
- PasswordProtector
- Pin
- RecoveryKeyPath
- RecoveryKeyProtector
- RecoveryPasswordProtector
- Service
- SkipHardwareTest
- StartupKeyPath
- StartupKeyProtector
- TpmProtector
- UsedSpaceOnly
xBLTpm is used to initialize a TPM chip using Initialize-TPM. xBLTpm has the following properties.
- *Identity: Not actually used, so could be anything
- AllowClear: Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server® 2012 standards
- AllowPhysicalPresence: Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue.
- AllowImmediateReboot: Whether the computer can be rebooted immediately after initializing the TPM
Renaming Requirements
When making changes to these resources, we suggest the following practice:
- Update the following names by replacing MSFT with your company/community name and replacing the "x" with "c" (short for "Community") or another prefix of your choice:
  - Module name (ex: xBitlocker becomes cBitlocker)
  - Resource folder (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker)
  - Resource Name (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker)
  - Resource Friendly Name (ex: xBLBitlocker becomes cBLBitlocker)
  - MOF class name (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker)
  - Filename for the <resource>.schema.mof (ex: MSFT_xBLBitlocker.schema.mof becomes Contoso_cBLBitlocker.schema.mof)
- Update module and metadata information in the module manifest
- Update any configurations that use these resources
We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" or "BLAutoBitlocker, BLBitlocker, BLTpm"). If the next version of Windows Server ships with "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" resources, we don't want to break any configurations that use any community modifications. Please keep a prefix such as "c" on all community modifications.
Versions
1.0.0.0
- Initial release with the following resources
  - xBLAutoBitlocker
  - xBLBitlocker
  - xBLTpm
Example: ConfigureBitlockerOnOSDrive
This example enables Bitlocker on an Operating System drive. The example code for ConfigureBitlockerOnOSDrive is located in "ConfigureBitlockerOnOSDrive.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerOnOSDrive.
Example: ConfigureBitlockerAndAutoBitlocker
Enables Bitlocker on an Operating System drive, and automatically enables Bitlocker on all drives of type 'Fixed'. The example code for ConfigureBitlockerAndAutoBitlocker is located in "ConfigureBitlockerAndAutoBitlocker.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerAndAutoBitlocker.
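The following is an added example, not one of the module's shipped example files, that wires the three resources described under Details into one DSC configuration: TPM initialization first, then the OS drive, then fixed data drives. The property names are those listed above; the Boolean values assigned to the protector switches, the 'Local' Identity value and the 20 GB size threshold are assumptions.

```powershell
# Added example (not from the xBitlocker module's own Examples folder).
# Assumes the protector switches are exposed as Boolean DSC properties and
# that the unused Identity key accepts any string.
Configuration ConfigureTpmAndBitlocker
{
    Import-DscResource -ModuleName xBitlocker

    Node 'localhost'
    {
        # Initialize the TPM first. AllowImmediateReboot is left $false so the
        # LCM reports a pending reboot instead of restarting the host itself.
        xBLTpm TpmInit
        {
            Identity              = 'Local'   # documented as unused; any value works
            AllowClear            = $true
            AllowPhysicalPresence = $true
            AllowImmediateReboot  = $false
        }

        # Protect the OS drive with the TPM and add a recovery password so a
        # firmware or boot-chain change does not lock the machine out.
        xBLBitlocker OsDrive
        {
            MountPoint                = 'C:'
            PrimaryProtector          = 'TpmProtector'
            TpmProtector              = $true
            RecoveryPasswordProtector = $true
            UsedSpaceOnly             = $true
            AllowImmediateReboot      = $false
            DependsOn                 = '[xBLTpm]TpmInit'
        }

        # Auto-unlock of data volumes requires an already-encrypted OS drive,
        # hence the dependency. Drives smaller than 20 GB are skipped.
        xBLAutoBitlocker FixedDataDrives
        {
            DriveType                 = 'Fixed'
            MinDiskCapacityGB         = 20
            PrimaryProtector          = 'RecoveryPasswordProtector'
            RecoveryPasswordProtector = $true
            AutoUnlock                = $true
            UsedSpaceOnly             = $true
            DependsOn                 = '[xBLBitlocker]OsDrive'
        }
    }
}

# Compile the MOF for the local machine; apply it with Start-DscConfiguration.
ConfigureTpmAndBitlocker
```

Because xBLBitlocker and xBLTpm both default to not rebooting, the first Start-DscConfiguration run typically ends with a pending reboot; the AutoBitlocker step only converges once the OS drive is encrypted and the node has been restarted.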