New-CMRDVConfigureBDEPolicy
Create a policy to control the use of BitLocker on removable data drives.
Syntax
New-CMRDVConfigureBDEPolicy
[-PolicyState <State>]
[-PreventEncryption]
[-PreventSuspendAndDecrypt]
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[<CommonParameters>]
Description
Create a policy to control the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.
After BitLocker encrypts a removable data drive, it saves recovery information based on the policy that you set with the New-CMBMSClientConfigureCheckIntervalPolicy cmdlet.
When you enable BitLocker protection on a removable drive:
- Create a password policy for removable data drives. For more information, see New-CMRDVPassPhrasePolicy.
- For higher security, disable the following user and computer group policies under System > Removable Storage Access:
  - All Removable storage classes: Deny all access
  - Removable Disks: Deny write access
  - Removable Disks: Deny read access
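One way to confirm on a client that the three Removable Storage Access policies listed above are not enabled, added here as an example and not part of the original documentation. It assumes the standard Windows policy registry location for these settings, reads the user-scope values for the account that runs the script, and uses a hypothetical helper name, Get-RemovableStoragePolicyState.

```powershell
# Added example. The policy values live under this key in HKLM (computer) and HKCU (user).
$base = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks device class

# One entry per policy named in the list above.
$checks = @(
    @{ Policy = 'All Removable Storage classes: Deny all access'; SubKey = $base; Value = 'Deny_All' }
    @{ Policy = 'Removable Disks: Deny write access'; SubKey = "$base\$removableDisks"; Value = 'Deny_Write' }
    @{ Policy = 'Removable Disks: Deny read access'; SubKey = "$base\$removableDisks"; Value = 'Deny_Read' }
)

# Hypothetical helper name; not part of the ConfigurationManager module.
function Get-RemovableStoragePolicyState {
    $scopes = @(
        @{ Name = 'Computer'; Hive = 'HKLM:' }
        @{ Name = 'User'; Hive = 'HKCU:' }      # current account only
    )
    foreach ($scope in $scopes) {
        foreach ($check in $checks) {
            $path = '{0}\{1}' -f $scope.Hive, $check.SubKey
            $name = $check.Value
            # -LiteralPath keeps the braces in the device-class GUID from being read as wildcards.
            $key = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            $raw = if ($key) { $key.$name } else { $null }
            # Missing value = not configured, 1 = enabled, anything else = disabled.
            $state = if ($null -eq $raw) { 'NotConfigured' } elseif ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
            [pscustomobject]@{
                Scope          = $scope.Name
                Policy         = $check.Policy
                State          = $state
                NeedsAttention = ($state -eq 'Enabled')
            }
        }
    }
}

$results = Get-RemovableStoragePolicyState
$results | Format-Table -AutoSize
if ($results | Where-Object NeedsAttention) {
    Write-Warning 'At least one Removable Storage Access policy is still enabled on this client.'
}
```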
Examples
Example 1: New policy that prevents encryption and decryption of removable drives
This example creates a new policy that's enabled with the following attributes:
- Prevent users from applying BitLocker protection on removable data drives
- Prevent users from suspending or decrypting BitLocker on removable data drives
New-CMRDVConfigureBDEPolicy -PolicyState Enabled -PreventEncryption -PreventSuspendAndDecrypt
Parameters
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PolicyState
Use this parameter to configure the policy.
Enabled: When you enable this policy, you control how users can configure BitLocker.
NotConfigured: If you don't configure this policy, users can use BitLocker on removable disk drives.
Disabled: If you disable this policy, users can't use BitLocker on removable disk drives.
Type: | State |
Accepted values: | Enabled, Disabled, NotConfigured |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PreventEncryption
Add this parameter to prevent the user from running the BitLocker setup wizard on a removable data drive.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PreventSuspendAndDecrypt
Add this parameter to prevent the user from removing BitLocker Drive encryption from the drive. They also can't suspend BitLocker encryption during system maintenance.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
None
Outputs
Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject