Question

Enforce BitLocker Encryption

  • 10 November 2023
  • 0 replies
  • 59 views


Hello! I have used this Automox-approved worklet in the past, but now in the Activity Log it only outputs "1".


Computer is on 22H2 Windows 10 Pro

PowerShell 5


Eval

<#
.SYNOPSIS
Enforce Bitlocker Encryption - Evaluation Script
OS Support: Windows 8(Server 2012) and above
Powershell: 4.0 and above
Run Type: Evaluation or OnDemand
.DESCRIPTION
This Worklet is designed to grant an Admin the ability to encrypt physical drives on a client device using BitLocker.
A TPM chip is required to perform the default actions of this worklet. If a non-TPM device is encountered, the Worklet
will exit without making any changes, and a note will be added to the Activity Log.

Usage:
The Evaluation script uses only 1 variable that controls the scope of drives to be encrypted. This variable should be
the same value as the Remediation script to ensure devices are targeted correctly. Values provided should be between
quotes after the "=". Use only one value per variable. Multiple values are not supported.

$drive: This will specify the drives to be encrypted. There are three options to choose from: "All","OS", or an individual
drive letter.

"ALL" - Checks all physical drives to see if they are encrypted.
"OS" - Only checks drives that are defined by Windows as the "OperatingSystem" drive.
You may also specify a drive letter known to be present on the device and check for encryption. Only include the drive
letter, without the ":".
.EXAMPLE
$drive = "all"
.EXAMPLE
$drive = "os"
.EXAMPLE
$drive = "c"
.NOTES
Author: eliles
Date: March 30, 2021
#>

######## Make changes within this block ########
$drive = "all"
################################################

# TPM Failsafe: the remediation script requires a TPM, so a device without one is
# reported as not applicable (exit 0) rather than flagged for remediation.
$chkTpm = Get-Tpm
if(!($chkTpm.TpmPresent))
{
    Write-Output "Not Applicable: TPM is not Present"
    Exit 0
}

# Evaluate based on drive types. 'FullyDecrypted' is the only VolumeStatus containing
# 'decrypted', so volumes that are encrypting or already encrypted pass the check.
# Exit 1 flags the device for remediation; exit 0 reports it compliant.
if($drive -eq 'ALL')
{
    if(Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted'})
    {
        Write-Output "Unencrypted Drive Detected - Flagging for remediation"
        Exit 1
    }
}
elseif($drive -eq 'OS')
{
    if(Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted' -and $_.VolumeType -match 'operatingsystem'})
    {
        Write-Output "Unencrypted Drive Detected - Flagging for remediation"
        Exit 1
    }
}
elseif($drive.Length -eq 1)
{
    # Compare the mount point exactly ("C:") rather than with -match: unlettered volumes report a
    # "\\?\Volume{guid}\" mount point whose hex GUID would otherwise match the letters a-f.
    if(Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted' -and $_.MountPoint -eq "${drive}:"})
    {
        Write-Output "Unencrypted Drive Detected - Flagging for remediation"
        Exit 1
    }
}
else
{
    # Mirror the remediation script's guard so a typo in $drive is not reported as compliant.
    Write-Output "ERROR: Drive specification not supported - Please specify ALL, OS, or Drive letter and try again."
    Exit 1
}
Write-Output "All selected drives encrypted or encrypting"
Exit 0

Remediation

<#
.SYNOPSIS
Enforce Bitlocker Encryption - Remediation Script
OS Support: Windows 8(Server 2012) and above
Powershell: 4.0 and above
Run Type: Evaluation or OnDemand
.DESCRIPTION
This Worklet is designed to grant an Admin the ability to encrypt physical drives on a client device using BitLocker.
A TPM chip is required to perform the default actions of this worklet. If a non-TPM device is encountered, the Worklet
will exit without making any changes, and a note will be added to the Activity Log.

Usage:
There are four variables that can be customized when deploying the Worklet. These variables specify the drives to be
encrypted, the type of encryption to be used, the type of recovery method to be used, and the path to where a recovery
key will be stored if applicable. Values provided should be between quotes after the "=". Use only one value per
variable. Multiple values are not supported. $drive, $encryption, and $recoveryType are all required for the Worklet to
function correctly. $keyPath is only required if the $recoveryType is set to either "Key" or "Both".

$drive: This will specify the drives to be encrypted. There are three options to choose from: "All", "OS", or an individual
drive letter.

"ALL" - Attempts to encrypt all unencrypted physical drives found on the device.
"OS" - Only attempt to encrypt drives that are defined by Windows as the "OperatingSystem" drive.
You may also specify any drive letter known to be present on the device and encrypt if unencrypted. If the drive is not
found on the device it will return a message in the Activity Log. Only include the drive letter, without the ":".

$encryption: This variable specifies the type of encryption to be used. You can choose between the Advanced Encryption Standard (AES)
algorithms AES-128 or AES-256, or you can use hardware encryption if it is supported by the disk hardware.

"AES128" - AES-128 uses a secure algorithm that is virtually impervious to traditional attacks. It is recommended for
performance-critical drives.
"AES256" - AES-256 is a more secure algorithm than AES-128, at the cost of performance. Keep this in mind when deploying
to older/slower devices or devices with high drive utilization.
"Hardware" - This will leverage the drive's internal "Hardware" encryption if present and supported. If you are unsure whether
the device supports hardware encryption, it is better to choose one of the AES variants instead.

$recoveryType: Here you will specify the type of recovery protector to be used. In all cases the TPM chip will be assigned
as a protector, as well as the assigned recovery type. It is recommended to have users create their own logon PIN within the
BitLocker Control Panel applet before enforcing any signon policies.

"Key" - Using the recovery key option will place an encrypted .BEK file in the $keyPath location for a user to back up to
a USB drive. Please note that .BEK files are considered protected Operating System files and will only be visible if enabled
in the folder options. The Protector ID and BEK path will be output to the Activity Log.
"Password" - The recovery password method will generate a random 48-character password to recover the drive. The Protector ID
and 48-digit password will be output to the Activity Log. Be sure to store this information as soon as possible, as Activity
Log data may not be retained forever.
"Both" - This will generate the Recovery Key as well as the random 48-character password, and output both
to the Activity Log.

$keyPath: This variable is only required when using the "Key" or "Both" recovery types. Specify the path where the recovery
key should be stored on the local device. When using external USB storage devices, be sure that the drive letter is the same on
all of the targeted devices before deploying. If the path is not present, the script will attempt to create it before continuing.
.EXAMPLE
$drive = "all"
$encryption = "AES128"
$recoveryType = "both"
$keyPath = "c:\recovery"
.EXAMPLE
$drive = "c"
$encryption = "AES256"
$recoveryType = "key"
$keyPath = "c:\recovery"
.EXAMPLE
$drive = "OS"
$encryption = "AES128"
$recoveryType = "password"
.NOTES
Author: eliles
Date: March 30, 2021
#>

######## Make changes within this block ########
$drive = "all"
$encryption = "AES256"
$recoveryType = "both"
$keyPath = "c:\BitLockerRecoveryKey"
################################################

# TPM Failsafe: a TPM protector needs a TPM that is present, enabled and ready.
$chkTpm = Get-Tpm
if($chkTpm.TpmPresent)
{
    if(!($chkTpm.TpmEnabled -and $chkTpm.TpmReady))
    {
        Write-Output "Error: Unable to Encrypt as TPM must be Enabled and Ready"
        Exit 1
    }
}
else
{
    Write-Output "Error: TPM is not Present"
    Exit 1
}

# Variable fail-safes. Comparisons are case-insensitive, so 'all', 'OS', 'aes128' etc. accept any casing.
# The array test is grouped first so a multi-valued variable is rejected before its length is inspected.
if(($drive -is [array]) -or ($drive -notin ('all','OS') -and $drive.Length -ne 1))
{
    Write-Output "ERROR: Drive specification not supported - Please specify ALL, OS, or Drive letter and try again."
    Exit 1
}
if($drive.Length -eq 1)
{
    if(!(Test-Path ("$drive" + ':')))
    {
        Write-Output "ERROR: Specified Drive not available."
        Exit 1
    }
}
if(($encryption -is [array]) -or $encryption -notin ('aes128','aes256','hardware'))
{
    Write-Output "ERROR: Unsupported encryption type - Please specify AES128, AES256, or Hardware and try again."
    Exit 1
}
if(($recoveryType -is [array]) -or $recoveryType -notin ('Key','password','both'))
{
    Write-Output "ERROR: Unsupported recovery type - Please specify Key, Password, or Both."
    Exit 1
}

# Gather decrypted drives based on $drive ('FullyDecrypted' is the only status containing 'decrypted')
if($drive -eq 'ALL')
{
    $toEncrypt = Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted'}
}
elseif($drive -eq 'OS')
{
    $toEncrypt = Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted' -and $_.VolumeType -match 'operatingsystem'}
}
elseif($drive.Length -eq 1)
{
    # Exact mount point comparison ("C:"): a -match on a single letter would also hit unlettered
    # volumes, whose "\\?\Volume{guid}\" mount point contains the hex characters a-f.
    $toEncrypt = Get-BitLockerVolume | Where-Object {$_.VolumeStatus -match 'decrypted' -and $_.MountPoint -eq "${drive}:"}
}
else
{
    Write-Output "ERROR: Unable to verify drive selection"
    Exit 1
}

# Create recovery key path if not found
if($recoveryType -in ('key','both'))
{
    if(!(Test-Path $keyPath))
    {
        try
        {
            New-Item -ItemType Directory -Path $keyPath -Force -ErrorAction Stop | Out-Null
        }
        catch
        {
            Write-Output "Unable to create keypath directory at $keyPath"
            Exit 1
        }
    }
}

# Encrypt collected drives. Enable-BitLocker takes one protector per call, so the first
# protector turns encryption on and any further protector is attached with
# Add-BitLockerKeyProtector. -ErrorAction Stop makes cmdlet failures terminating;
# without it the catch block below never runs.
foreach($d in $toEncrypt)
{
    $mp = $d.MountPoint
    try
    {
        $enabled = $false
        if($recoveryType -in ('key','both'))
        {
            Enable-BitLocker -MountPoint $mp -EncryptionMethod $encryption -RecoveryKeyProtector -RecoveryKeyPath $keyPath -SkipHardwareTest -ErrorAction Stop | Out-Null
            $enabled = $true
            $bitlockerKey = (Get-BitLockerVolume -MountPoint $mp).KeyProtector | Where-Object {$_.KeyProtectorType -match 'ExternalKey'}
            Write-Output "Recovery Key:" "ID: $($bitlockerKey.KeyProtectorId) $keyPath\$($bitlockerKey.KeyFileName)"
        }
        if($recoveryType -in ('password','both'))
        {
            if($enabled)
            {
                Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
            }
            else
            {
                Enable-BitLocker -MountPoint $mp -EncryptionMethod $encryption -RecoveryPasswordProtector -SkipHardwareTest -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null
            }
            $bitlockerKey2 = (Get-BitLockerVolume -MountPoint $mp).KeyProtector | Where-Object {$_.KeyProtectorType -match 'RecoveryPassword'}
            Write-Output "Recovery Password:" "ID: $($bitlockerKey2.KeyProtectorId) Password: $($bitlockerKey2.RecoveryPassword)"
        }
        # The TPM protector promised in the description: Enable-BitLocker does not add it on its
        # own, and an OS volume holding only a recovery protector prompts for that key or password
        # at every boot. TPM protectors are valid on the operating-system volume only.
        if($d.VolumeType -eq 'OperatingSystem')
        {
            Add-BitLockerKeyProtector -MountPoint $mp -TpmProtector -ErrorAction Stop | Out-Null
        }
    }
    catch
    {
        Write-Output "Unable to Encrypt $($mp): $($_.Exception.Message)"
    }
}
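The evaluation script above only reports a volume when its status contains 'decrypted', so a volume that is fully encrypted but has protection suspended, or an OS volume with no TPM protector, passes as compliant. As an added example, not code from the posted worklet or from Automox, here is a stricter PowerShell check with the same $drive scoping; it assumes the property names Get-BitLockerVolume returns (MountPoint, VolumeType, VolumeStatus, ProtectionStatus, KeyProtector) and feeds in constructed sample volumes so it runs offline.

```powershell
# Added example, not part of the posted worklet: a stricter compliance check that also
# catches volumes that are encrypted but unprotected and OS volumes lacking a TPM protector.
# Input is the output of Get-BitLockerVolume; the sample volumes at the bottom are constructed
# so the function can be exercised without a real BitLocker volume.
function Test-BitLockerCompliance {
    param(
        [Parameter(Mandatory)] [object[]] $Volumes,  # objects from Get-BitLockerVolume
        [string] $Scope = 'all'                      # same meaning as the worklet's $drive
    )
    # Select volumes like the worklet does, but compare the drive letter exactly so that
    # unlettered volumes (MountPoint "\\?\Volume{guid}\") are never matched by a regex.
    $selected = switch -Regex ($Scope) {
        '^all$'   { $Volumes }
        '^os$'    { $Volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' } }
        '^[a-z]$' { $Volumes | Where-Object { $_.MountPoint -eq "${Scope}:" } }
        default   { throw "Unsupported scope '$Scope': use all, os, or a single drive letter" }
    }
    foreach ($v in $selected) {
        $types   = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $reasons = @()
        # Encrypting counts as compliant, as in the worklet; any other status does not.
        if ($v.VolumeStatus -notin 'FullyEncrypted','EncryptionInProgress') {
            $reasons += "VolumeStatus is $($v.VolumeStatus)"
        }
        # FullyEncrypted with protection Off means suspended or clear key: the data is readable.
        if ($v.ProtectionStatus -ne 'On') { $reasons += 'protection is off (suspended or clear key)' }
        # Any TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) satisfies the OS-volume rule.
        if ($v.VolumeType -eq 'OperatingSystem' -and @($types -match '^Tpm').Count -eq 0) {
            $reasons += 'OS volume has no TPM protector (recovery prompt at every boot)'
        }
        if ($types -notcontains 'RecoveryPassword') { $reasons += 'no recovery password to escrow' }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Compliant  = ($reasons.Count -eq 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Constructed sample volumes shaped like Get-BitLockerVolume output (not from a real device):
# C: is encrypted but suspended and has no TPM protector; D: is still fully decrypted.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyDecrypted'
                       ProtectionStatus = 'Off'; KeyProtector = @() }
)
Test-BitLockerCompliance -Volumes $sample -Scope 'all' | Format-Table -AutoSize
```

On a real device, replace $sample with `Get-BitLockerVolume` and exit 1 when any returned object has Compliant set to $false to keep the worklet's evaluation semantics.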
