Cmdlet Reference for Microsoft BitLocker Administration and Monitoring (MBAM)

Microsoft Corporation

Published: May 1, 2014

Applies To

Microsoft BitLocker Administration and Monitoring (MBAM) 2.5

Feedback

Send suggestions and comments about this document to .

Copyright

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Bing, Excel, Hyper-V, Internet Explorer, Silverlight, SQL Server, Windows, Windows Intune, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Revision History

Release Date / Changes
May 1, 2014 / Initial release of this document.

Contents

Disable-MbamCMIntegration

Disable-MbamReport

Disable-MbamWebApplication

Enable-MbamCMIntegration

Enable-MbamDatabase

Enable-MbamReport

Enable-MbamWebApplication

Get-MbamBitLockerRecoveryKey

Get-MbamCMIntegration

Get-MbamReport

Get-MbamTPMOwnerPassword

Get-MbamWebApplication

Test-MbamCMIntegration

Test-MbamDatabase

Test-MbamReport

Test-MbamWebApplication

Disable-MbamCMIntegration

Disable-MbamCMIntegration

Disables the MBAM System Center Configuration Manager Integration feature.

Syntax

Parameter Set: Default
Disable-MbamCMIntegration [-Force] [-RemoveComplianceData] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Disable-MbamCMIntegration cmdlet disables the Microsoft BitLocker Administration and Monitoring (MBAM) System Center Configuration Manager Integration feature.

Parameters

-Force

Indicates that the cmdlet performs the operation without prompting you for confirmation.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-RemoveComplianceData

Indicates that this cmdlet removes compliance data, as well as reports, from Configuration Manager. If you do not specify this parameter, this cmdlet only removes the Configuration Manager reports.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Confirm

Prompts you for confirmation before executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Examples

Example 1: Disable the System Center Configuration Manager Integration feature

This command disables the MBAM System Center Configuration Manager Integration feature after you confirm the operation.

PS C:\> Disable-MbamCMIntegration

Are you sure you want to perform this action?

Performing operation "Disable MBAM CM Integration feature"

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

Related topics

Enable-MbamCMIntegration

Get-MbamCMIntegration

Test-MbamCMIntegration

Disable-MbamReport

Disable-MbamReport

Disables the Reports feature.

Syntax

Parameter Set: Default
Disable-MbamReport [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Disable-MbamReport cmdlet disables the Microsoft BitLocker Administration and Monitoring (MBAM) Reports feature.

Parameters

-Force

Indicates that the cmdlet performs the operation without prompting you for confirmation.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Confirm

Prompts you for confirmation before executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Examples

Example 1: Disable the Reports feature

This command disables the Reports feature. The command does not specify the Force parameter, and, therefore, the command prompts you for confirmation.

PS C:\> Disable-MbamReport

Are you sure you want to perform this action?

Performing operation "Disable MBAM Reports feature"

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

Related topics

Enable-MbamReport

Get-MbamReport

Test-MbamReport

Disable-MbamWebApplication

Disable-MbamWebApplication

Disables a web application.

Syntax

Parameter Set: ParameterSetAdministrationPortal
Disable-MbamWebApplication -AdministrationPortal [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ParameterSetAgentService
Disable-MbamWebApplication -AgentService [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ParameterSetSelfServicePortal
Disable-MbamWebApplication -SelfServicePortal [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Disable-MbamWebApplication cmdlet disables a Microsoft BitLocker Administration and Monitoring (MBAM) web application. This cmdlet removes any website files that the Enable-MbamWebApplication cmdlet installed when you enabled the application.

Parameters

-AdministrationPortal

Indicates that this cmdlet acts on the Administration and Monitoring Website web application.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-AgentService

Indicates that this cmdlet acts on the Agent Services web application.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Force

Indicates that the cmdlet performs the operation without prompting you for confirmation.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-SelfServicePortal

Indicates that this cmdlet acts on the Self-Service Portal web application.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Confirm

Prompts you for confirmation before executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Examples

Example 1: Disable Administration and Monitoring Website

This command disables the Administration and Monitoring Portal feature. The cmdlet prompts you to confirm the operation.

PS C:\> Disable-MbamWebApplication -AdministrationPortal

Are you sure you want to perform this action?

Performing operation "Disable MBAM Web Application (AdministrationPortal) feature"

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

Example 2: Disable the Self-Service Portal

This command disables the Self-Service Portal feature. The command specifies the Force parameter, and, therefore, the cmdlet does not prompt you to confirm the operation.

PS C:\> Disable-MbamWebApplication -SelfServicePortal -Force

Example 3: Disable Agent Services

This command disables the Agent Services feature. The cmdlet prompts you to confirm the operation.

PS C:\> Disable-MbamWebApplication -AgentService

Are you sure you want to perform this action?

Performing operation "Disable MBAM Web Application (AgentService) feature"

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

Related topics

Enable-MbamWebApplication

Get-MbamWebApplication

Test-MbamWebApplication

Enable-MbamCMIntegration

Enable-MbamCMIntegration

Enables the MBAM System Center Configuration Manager Integration feature.

Syntax

Parameter Set: ParameterSetCMReportsOnly
Enable-MbamCMIntegration -BitLockerProtectionBaselineLogicalName <String> -FixedDataDriveConfigurationItemLogicalName <String> -OperatingSystemDriveConfigurationItemLogicalName <String> -ReportsCollectionID <String> -ReportsOnly [-SkipValidation] [-SsrsInstance <String> ] [-SsrsServer <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ParameterSetDefault
Enable-MbamCMIntegration [-SkipValidation] [-SsrsInstance <String> ] [-SsrsServer <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Enable-MbamCMIntegration cmdlet enables the Microsoft BitLocker Administration and Monitoring (MBAM) System Center Configuration Manager Integration feature. This feature integrates Configuration Manager with MBAM, and moves the compliance and reporting infrastructure into the Configuration Manager environment.

Parameters

-BitLockerProtectionBaselineLogicalName <String>

Specifies the logical name of the BitLocker protection baseline.

Aliases / BaselineLogicalName
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-FixedDataDriveConfigurationItemLogicalName <String>

Specifies the logical name of the fixed data drive configuration item.

Aliases / FDDLogicalName
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-OperatingSystemDriveConfigurationItemLogicalName <String>

Specifies the logical name of the operating system drive configuration item.

Aliases / OSDLogicalName
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-ReportsCollectionID <String>

Specifies an existing collection ID. This ID is used by the reports to set the default collection for which the reports display compliance data.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-ReportsOnly

Indicates that only the Configuration Manager reports are deployed.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-SkipValidation

Indicates that this cmdlet bypasses validation of parameter values. If you specify this parameter, the feature may not function properly after you enable it.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-SsrsInstance <String>

Specifies the SQL Server Reporting Services instance. This instance hosts the Configuration Manager reports. This parameter is ignored if the server has System Center 2012 Configuration Manager installed.

Aliases / none
Required? / false
Position? / named
Default Value / MSSQLSERVER
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-SsrsServer <String>

Specifies the server with the SQL Server Reporting Services point role. This server hosts the Configuration Manager reports. If you do not specify a server, the Configuration Manager reports are deployed to the local server.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-Confirm

Prompts you for confirmation before executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Examples

Example 1: Enable the Integration feature

This command enables the MBAM System Center Configuration Manager Integration feature on the local Configuration Manager server. The MBAM reports are deployed on the default SQL Server Reporting Services instance, MSSQLSERVER.

PS C:\> Enable-MbamCMIntegration

Related topics

Disable-MbamCMIntegration

Get-MbamCMIntegration

Test-MbamCMIntegration

Enable-MbamDatabase

Enable-MbamDatabase

Enables the Compliance and Audit and Recovery databases.

Syntax

Parameter Set: ParameterSetCompliance
Enable-MbamDatabase -AccessAccount <String> -ComplianceAndAudit -ConnectionString <String> -ReportAccount <String> [-DatabaseName <String> ] [-SkipValidation] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: ParameterSetRecovery
Enable-MbamDatabase -AccessAccount <String> -ConnectionString <String> -Recovery [-DatabaseName <String> ] [-SkipValidation] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Enable-MbamDatabase cmdlet enables a Compliance and Audit or a Recovery Database.

Parameters

-AccessAccount <String>

Specifies a domain user or group. This domain user or group has read/write permission to this database, which enables web applications to access the data and reports. If the value is a domain user, the WebServiceApplicationPoolCredential parameter in the Enable-MbamWebApplication cmdlet must use the same user account. If the value is a group, the domain account used by the WebServiceApplicationPoolCredential parameter must be a member of this group.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-ComplianceAndAudit

Indicates that the Compliance and Audit Database is enabled.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-ConnectionString <String>

Specifies the connection string used to connect to the data store. The Integrated Security field must be in the connection string.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-DatabaseName <String>

Specifies the name of the database. This parameter cannot contain leading or trailing spaces or non-printable characters. If you do not specify a name, the Compliance and Audit Database is given the name MBAM Compliance Status, and the Recovery database is given the name MBAM Recovery and Hardware.

Aliases / none
Required? / false
Position? / named
Default Value / "MBAM Compliance Status" for Compliance DB; "MBAM Recovery and Hardware" for Recovery DB
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Recovery

Indicates that the Recovery Database is enabled.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-ReportAccount <String>

Specifies a domain user or group. This domain user or group has read-only permission to this database, which enables reports to access the compliance and audit data. If the value is a domain user, the ComplianceAndAuditDBCredential parameter in the Enable-MbamReport cmdlet must use the same user account. If the value is a domain user group, the domain account used by the ComplianceAndAuditDBCredential parameter must be a member of this group.

Aliases / none
Required? / true
Position? / named
Default Value / none
Accept Pipeline Input? / True (ByPropertyName)
Accept Wildcard Characters? / false

-SkipValidation

Indicates that this cmdlet bypasses validation of parameter values. If you specify this parameter, the feature may not function properly after you enable it.

Aliases / none
Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-Confirm

Prompts you for confirmation before executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? / false
Position? / named
Default Value / none
Accept Pipeline Input? / false
Accept Wildcard Characters? / false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Examples

Example 1: Enable the Compliance and Audit Database

This command enables the Compliance and Audit Database on MyDatabaseServer. The name of the database is MyComplianceDatabaseName. The domain account MyAccessAccount has read/write permission to the database, and MyReportAccount has read-only permission to the database for reporting purposes. The current Windows account credentials are used for authentication.

PS C:\> Enable-MbamDatabase -ComplianceAndAudit -ConnectionString "Integrated Security=SSPI;Data Source=MyDatabaseServer" -AccessAccount "MyDomain\MyAccessAccount" -ReportAccount "MyDomain\MyReportAccount" -DatabaseName "MyComplianceDatabaseName"

Example 2: Enable the Recovery Database

This command enables the Recovery database on MyRecoveryDatabaseServer. The name of the database is MyRecoveryDatabaseName. The domain account MyAccessAccount has read/write permission to the database. The command uses the current Windows account credentials for authentication.

PS C:\> Enable-MbamDatabase -Recovery -ConnectionString "Integrated Security=SSPI;Data Source=MyDatabaseServer" -AccessAccount "MyDomain\MyAccessAccount" -DatabaseName "MyRecoveryDatabaseName"
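
The parameter rules documented above for Enable-MbamDatabase (the Integrated Security field in the connection string, a DatabaseName with no leading or trailing spaces or non-printable characters) can be checked before the cmdlet runs. The following is an added example, not part of the Microsoft reference: Test-MbamDatabaseInput is a hypothetical helper, the check for embedded SQL credentials is an extra hardening check rather than a documented MBAM requirement, and the values reuse the placeholders from Example 2.

```powershell
# Added example (not from the Microsoft reference). Test-MbamDatabaseInput is a
# hypothetical helper; all server, account and database names are placeholders.
Add-Type -AssemblyName System.Data

function Test-MbamDatabaseInput {
    param(
        [Parameter(Mandatory = $true)] [string] $ConnectionString,
        [string] $DatabaseName
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Parse with the generic .NET builder so quoting and spacing are handled.
    $builder = New-Object System.Data.Common.DbConnectionStringBuilder
    try {
        $builder.set_ConnectionString($ConnectionString)
    } catch {
        $problems.Add("Connection string does not parse: $($_.Exception.Message)")
        return $problems
    }

    # Documented rule: the Integrated Security field must be present.
    if (-not $builder.ContainsKey('Integrated Security')) {
        $problems.Add('Connection string has no Integrated Security field.')
    }

    # Extra hardening check (assumption, not an MBAM rule): no SQL logins or
    # passwords embedded in a string that ends up in scripts and transcripts.
    foreach ($key in 'User ID', 'UID', 'Password', 'PWD') {
        if ($builder.ContainsKey($key)) {
            $problems.Add("Connection string embeds a credential field: $key")
        }
    }

    # Documented rule: no leading/trailing spaces or non-printable characters.
    if ($DatabaseName) {
        if ($DatabaseName -ne $DatabaseName.Trim()) {
            $problems.Add('DatabaseName has leading or trailing spaces.')
        }
        if ($DatabaseName -match '\p{C}') {
            $problems.Add('DatabaseName contains non-printable characters.')
        }
    }
    return $problems
}

$params = @{
    Recovery         = $true
    ConnectionString = 'Integrated Security=SSPI;Data Source=MyDatabaseServer'
    AccessAccount    = 'MyDomain\MyAccessAccount'
    DatabaseName     = 'MyRecoveryDatabaseName'
}
$issues = @(Test-MbamDatabaseInput -ConnectionString $params.ConnectionString `
                                   -DatabaseName $params.DatabaseName)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} elseif (Get-Command Enable-MbamDatabase -ErrorAction SilentlyContinue) {
    # Dry run first; -SkipValidation is deliberately never passed.
    Enable-MbamDatabase @params -WhatIf
} else {
    Write-Warning 'Enable-MbamDatabase not found; run this on the MBAM server.'
}
```

Once the -WhatIf output matches the intended change, remove -WhatIf to apply it.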

Related topics

Enable-MbamReport

Enable-MbamWebApplication

Test-MbamDatabase

Enable-MbamReport

Enable-MbamReport

Enables the Reports feature on the local server.

Syntax

Parameter Set: Default
Enable-MbamReport -ComplianceAndAuditDBCredential <PSCredential> -ReportsReadOnlyAccessGroup <String> [-ComplianceAndAuditDBConnectionString <String> ] [-SkipValidation] [-SsrsInstance <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Enable-MbamReport cmdlet enables the Microsoft BitLocker Administration and Monitoring (MBAM) Reports feature on a local Microsoft SQL Server Reporting Services instance.

Parameters

-ComplianceAndAuditDBConnectionString <String>

Specifies a connection string. The local SQL Server Reporting Services uses the string that this parameter specifies to connect to the Compliance and Audit Database feature. The connection string must contain values for the Integrated Security and Initial Catalog fields.