New-CMRDVConfigureBDEPolicy
Create a policy to control the use of BitLocker on removable data drives.
Syntax
Default (Default)
New-CMRDVConfigureBDEPolicy
[-PolicyState <State>]
[-PreventEncryption]
[-PreventSuspendAndDecrypt]
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[<CommonParameters>]
Description
Create a policy to control the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.
After BitLocker encrypts a removable data drive, it saves recovery information based on the policy that you set with the New-CMBMSClientConfigureCheckIntervalPolicy cmdlet.
When you enable BitLocker protection on a removable drive:
Create a password policy for removable data drives. For more information, see New-CMRDVPassPhrasePolicy.
For higher security, disable the following user and computer group policies under System > Removable Storage Access:
All Removable storage classes: Deny all access
Removable Disks: Deny write access
Removable Disks: Deny read access
Examples
Example 1: New policy that prevents encryption and decryption of removable drives
This example creates a new policy that's enabled with the following attributes:
Prevent users from applying BitLocker protection on removable data drives
Prevent users from suspending or decrypting BitLocker on removable data drives
New-CMRDVConfigureBDEPolicy -PolicyState Enabled -PreventEncryption -PreventSuspendAndDecrypt
Parameters
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-PolicyState
Use this parameter to configure the policy.
Enabled: When you enable this policy, you control how users can configure BitLocker.NotConfigured: If you don't configure this policy, users can use BitLocker on removable disk drives.Disabled: If you disable this policy, users can't use BitLocker on removable disk drives.
Parameter properties
| Type: | State |
| Default value: | None |
| Accepted values: | Enabled, Disabled, NotConfigured |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-PreventEncryption
Add this parameter to prevent the user from running the BitLocker setup wizard on a removable data drive.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-PreventSuspendAndDecrypt
Add this parameter to prevent the user from removing BitLocker Drive encryption from the drive. They also can't suspend BitLocker encryption during system maintenance.
Parameter properties
| Type: | SwitchParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.