New-CMScCompliancePolicy

Create a compliance policy to associate an object identifier from a smart card certificate to a BitLocker-protected drive.

Syntax

New-CMScCompliancePolicy
   [-PolicyState <State>]
   [-CertificateOid <String>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Create a compliance policy to associate an object identifier from a smart card certificate to a BitLocker-protected drive. The policy setting applies when you enable BitLocker on a device.

The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker identifies the certificates it can use to authenticate a user certificate to a BitLocker-protected drive. It matches the object identifier in the certificate with the object identifier that you define with this policy.

The default object identifier is 1.3.6.1.4.1.311.67.1.1.

Note

BitLocker doesn't require that a certificate have an EKU attribute. If the certificate has an EKU, set it to an object identifier (OID) that matches the OID that you configure for BitLocker.

Examples

Example 1: New default enabled policy

This example creates a new policy that's enabled and uses the default OID.

New-CMScCompliancePolicy -PolicyState Enabled

Example 2: New enabled policy with a custom OID

This example creates a new policy that's enabled and uses a custom OID.

New-CMScCompliancePolicy -PolicyState Enabled -CertificateOid "1.2.3.4.5.6.7.8.9"

Parameters

-CertificateOid

Use this parameter to specify a custom OID.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PolicyState

Use this parameter to configure the policy.

  • Enabled: If you enable this policy setting, use the -CertificateOid parameter to specify the object identifier that matches the object identifier in the smart card certificate.

  • Disabled or NotConfigured: If you disable or don't configure this policy setting, it uses the default object identifier.

Type:State
Accepted values:Enabled, Disabled, NotConfigured
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject