The xBitlocker module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the xBLAutoBitlocker, xBLBitlocker, xBLTpm resources. This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

This is the branch containing the latest release - no contributions should be made directly to this branch.

This is the development branch to which contributions should be proposed by contributors as pull requests. This development branch will periodically be merged to the master branch, and be released to PowerShell Gallery.

Please check out common DSC Resources contributing guidelines.

To install xBitlocker module

• Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder

To confirm installation:

• Run Get-DSCResource to see that xBLAutoBitlocker, xBLBitlocker, xBLTpm are among the DSC Resources listed

This module requires that both the 'Bitlocker' and 'RSAT-Feature-Tools-Bitlocker' features are installed. It also requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems, install WMF 4.0. Please read the installation instructions that are present on both the download page and the release notes for WMF 4.0.

The **xBitlocker ** module contains the xBLAutoBitlocker, xBLBitlocker, xBLTpm DSC Resources. This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.

xBLAutoBitlocker is used to automatically enable Bitlocker on drives of type Fixed or Removable. It does not work on Operating System drives. xBLAutoBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.

• *DriveType:The type of volume to auto apply Bitlocker to. Valid values are "Fixed" or "Removable"
• *PrimaryProtector:The primary protector type to be used for AutoBitlocker. Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector"
• MinDiskCapacityGB:If specified, only disks this size or greater will auto apply Bitlocker
• AutoUnlock:Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
• AdAccountOrGroup
• AdAccountOrGroupProtector
• EncryptionMethod
• HardwareEncryption
• Password
• PasswordProtector
• Pin
• RecoveryKeyPath
• RecoveryKeyProtector
• RecoveryPasswordProtector
• Service
• SkipHardwareTest
• StartupKeyPath
• StartupKeyProtector
• TpmProtector
• UsedSpaceOnly

xBLBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.

• *MountPoint:The MountPoint name as reported in Get-BitLockerVolume

• *PrimaryProtector:The primary protector type to be used for AutoBitlocker. Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector"

• AutoUnlock:Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock

• AllowImmediateReboot:Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false.

• AdAccountOrGroup

• AdAccountOrGroupProtector

• EncryptionMethod

• HardwareEncryption

• Password

• PasswordProtector

• Pin

• RecoveryKeyPath

• RecoveryKeyProtector

• RecoveryPasswordProtector

• Service

• SkipHardwareTest

• StartupKeyPath

• StartupKeyProtector

• TpmProtector

• UsedSpaceOnly

xBLTpm is used to initialize a TPM chip using Initialize-TPM. xBLTpm has the following properties.

• *Identity:Not actually used, so could be anything

• AllowClear:Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server® 2012 standards

• AllowPhysicalPresence:Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue.

• AllowImmediateReboot:Whether the computer can rebooted immediately after initializing the TPM

• Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey.
• Added Codecov support.
• Updated appveyor.yml to use the one in template.
• Added folders for future unit and integration tests.
• Added Visual Studio Code formatting settings.
• Added .gitignore file.
• Added markdown lint rules.
• Fixed encoding on README.md.
• Added PowerShellVersion = '4.0', and updated copyright information, in the module manifest.
• Fixed issue which caused Test to incorrectly succeed on fully decrypted volumes when correct Key Protectors were present (issue #13)
• Fixed issue which caused xBLAutoBitlocker to incorrectly detect Fixed vs Removable volumes. (issue #11)
• Fixed issue which made xBLAutoBitlocker unable to encrypt volumes with drive letters assigned. (issue #10)
• Fixed an issue in CheckForPreReqs function where on Server Core the installation of the non existing Windows Feature 'RSAT-Feature-Tools-BitLocker-RemoteAdminTool' was erroneously checked. (issue #8)

• Versioning updates

• Reduced the number of acceptable values for PrimaryProtector in xBLAutoBitlocker and xBLBitlocker.
• Changed the properties that are returned by Get-TargetResource in xBLAutoBitlocker, xBLBitlocker, and xBLTpm.
• Fixed issue which caused protectors to be continually re-added.

• Initial release with the following resources
  • xBLAutoBitlocker
  • xBLBitlocker
  • xBLTpm

This example enables Bitlocker on an Operating System drive. The example code for ConfigureBitlockerOnOSDrive is located in ConfigureBitlockerOnOSDrive.ps1.

Enables Bitlocker on an Operating System drive, and automatically enables Bitlocker on all drives of type 'Fixed'. The example code for ConfigureBitlockerAndAutoBitlocker is located in ConfigureBitlockerAndAutoBitlocker.ps1.