New-CMBMSFDVEncryptionPolicy

Create a policy to manage whether to use BitLocker encryption on fixed data drives.

Syntax

New-CMBMSFDVEncryptionPolicy
   [-PolicyState <State>]
   [-AutoUnlock <Dispensation>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Create a policy to manage whether to use BitLocker encryption on fixed data drives.

When you enable this policy, also create a password policy for fixed data drives. The only exception is if you allow or require the use of auto-unlock for fixed data drives. For more information, see New-CMFDVPassPhrasePolicy.

If you require the use of auto-unlock for fixed data drives, encrypt the OS volume too.

Examples

Example 1: New enabled policy that prohibits auto-unlock

This example creates a new policy that's enabled and doesn't allow auto-unlock.

New-CMBMSFDVEncryptionPolicy -PolicyState Enabled -AutoUnlock Prohibit

Parameters

-AutoUnlock

Allow, require, or prohibit BitLocker to automatically unlock any encrypted data drive. To use auto-unlock, also require BitLocker to encrypt the OS drive.

Type:Dispensation
Accepted values:Allow, Require, Prohibit
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PolicyState

Use this parameter to configure the policy.

  • Enabled: If you enable this policy, the user has to put all fixed data drives under the BitLocker protection, and BitLocker encrypts the drives.

  • Disabled: If you disable this policy, the user can't put fixed data drives under BitLocker protection. If you disable this policy after BitLocker encrypts fixed data drives, BitLocker decrypts the fixed data drives.

  • NotConfigured: If you don't configure this policy, BitLocker doesn't require users to put fixed data drives under protection.

Type:State
Accepted values:Enabled, Disabled, NotConfigured
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject