New-CMRDVConfigureBDEPolicy

Create a policy to control the use of BitLocker on removable data drives.

Syntax

Default (Default)

New-CMRDVConfigureBDEPolicy
    [-PolicyState <State>]
    [-PreventEncryption]
    [-PreventSuspendAndDecrypt]
    [-DisableWildcardHandling]
    [-ForceWildcardHandling]
    [<CommonParameters>]

Description

Create a policy to control the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.

After BitLocker encrypts a removable data drive, it saves recovery information based on the policy that you set with the New-CMBMSClientConfigureCheckIntervalPolicy cmdlet.

When you enable BitLocker protection on a removable drive:

  • Create a password policy for removable data drives. For more information, see New-CMRDVPassPhrasePolicy.

  • For higher security, disable the following user and computer group policies under System > Removable Storage Access:

    • All Removable storage classes: Deny all access

    • Removable Disks: Deny write access

    • Removable Disks: Deny read access
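
The following added example (not part of the original cmdlet documentation) reports whether any of the three Removable Storage Access policies listed above is enabled on the local device. It assumes the settings are stored under the Policies\Microsoft\Windows\RemovableStorageDevices registry key, with the Removable Disks class identified by the GUID shown; the function name Get-RemovableStorageDenyState is hypothetical.

```powershell
# Added example: audit the Removable Storage Access deny policies on this device.
# Assumption: the three settings are stored at the registry locations below.
$PolicyRoot        = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # Removable Disks class

$Checks = @(
    @{ Setting = 'All Removable storage classes: Deny all access'; SubKey = '';                 Name = 'Deny_All'   }
    @{ Setting = 'Removable Disks: Deny write access';             SubKey = $RemovableDiskGuid; Name = 'Deny_Write' }
    @{ Setting = 'Removable Disks: Deny read access';              SubKey = $RemovableDiskGuid; Name = 'Deny_Read'  }
)

function Get-RemovableStorageDenyState {
    [CmdletBinding()]
    param()

    # HKLM holds the computer policy; HKCU holds the policy for the current user only.
    $scopes = [ordered]@{ Computer = 'HKLM:'; User = 'HKCU:' }

    foreach ($scope in $scopes.GetEnumerator()) {
        foreach ($check in $Checks) {
            $path = "$($scope.Value)\$PolicyRoot"
            if ($check.SubKey) { $path = "$path\$($check.SubKey)" }

            # A missing key or value means the setting is not configured.
            $raw  = $null
            $item = Get-ItemProperty -LiteralPath $path -Name $check.Name -ErrorAction SilentlyContinue
            if ($item) { $raw = $item.($check.Name) }

            if ($null -eq $raw) {
                $state = 'NotConfigured'
            } elseif ($raw -eq 1) {
                $state = 'Enabled'
            } elseif ($raw -eq 0) {
                $state = 'Disabled'
            } else {
                $state = "Unexpected value: $raw"
            }

            [pscustomobject]@{
                Scope       = $scope.Key
                Setting     = $check.Setting
                State       = $state
                NeedsReview = ($raw -eq 1)   # per the guidance above, should not be enabled
            }
        }
    }
}

Get-RemovableStorageDenyState | Format-Table -AutoSize
```

Rows with NeedsReview set to True identify a deny policy that is still enabled for that scope.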

Examples

Example 1: New policy that prevents encryption and decryption of removable drives

This example creates a new policy that's enabled with the following attributes:

  • Prevent users from applying BitLocker protection on removable data drives

  • Prevent users from suspending or decrypting BitLocker on removable data drives

New-CMRDVConfigureBDEPolicy -PolicyState Enabled -PreventEncryption -PreventSuspendAndDecrypt

Parameters

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-PolicyState

Use this parameter to configure the policy.

  • Enabled: When you enable this policy, you control how users can configure BitLocker.

  • NotConfigured: If you don't configure this policy, users can use BitLocker on removable disk drives.

  • Disabled: If you disable this policy, users can't use BitLocker on removable disk drives.

Parameter properties

Type: State
Default value: None
Accepted values: Enabled, Disabled, NotConfigured
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-PreventEncryption

Add this parameter to prevent the user from running the BitLocker setup wizard on a removable data drive.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-PreventSuspendAndDecrypt

Add this parameter to prevent the user from removing BitLocker Drive Encryption from the drive. The user also can't suspend BitLocker encryption during system maintenance.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject