This worklet as written checks all drives on non-server Windows devices for BitLocker compliance. You can comment out or alter the first IF statement to include other types of systems.

Compliance consists of full drive encryption AND protection status being on.

If you schedule it, it will report to the activity log ONLY the devices that aren’t fully compliant on every drive in the system.

If you run it manually (or change the evaluation to just: Exit 1), it will report compliance and non-compliance on ALL devices to the activity log, unless you copy the $HardwareType check from the evaluation into the remediation to pare down the types of devices checked.

Evaluation:

# PowerShell 4.0 and Above
# Windows 8 and later

$HardwareType = (Get-WmiObject -Class Win32_ComputerSystem).PCSystemType

# Exit if computer is known type and a server
# Remark out this line if you want all hardware checked, or change the if statement to the hardware you want
# $HardwareType = 0-Unknown, 1-Desktop, 2-Mobile, 3-Workstation, 4-Enterprise Server, 5-SOHO Server, 6-Appliance PC, 7-Performance Server, 8-Maximum
if ($HardwareType -gt 3) { Exit 0 }

# Get BitLocker status for All Drives
try { $encryption = Get-BitLockerVolume -ErrorAction Stop }
catch { Exit 1 }

# Count Drives and initialize lists for later output
$numDrives = $encryption.Count
$encCount = 0
$encrypted = @()
$unencrypted = @()

# Loop through each drive and see if it is Protected or Not
# Add to the appropriate list, Encrypted or Unencrypted
foreach ($drive in $encryption) {
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    if ( ($encStatus -match 'On') -or ($encInProgress -match "EncryptionInProgress") ) {
        $encrypted += $drive.MountPoint
        $encCount++
    } else {
        $unencrypted += $drive.MountPoint
    }
}

# Determine Compliant based on if the number of Encrypted
# Drives matches the number of Total Drives
if ($encCount -eq $numDrives) {
    # Compliant
    exit 0
} else {
    # Non-Compliant
    exit 1
}

Remediation:

# Count Drives and initialize lists for later output
$encCount = 0
$encrypted = @()
$unencrypted = @()

# Get BitLocker status for All Drives
try { $encryption = Get-BitLockerVolume -ErrorAction Stop }
catch {
    # Stop here so the Activity Log does not show empty drive lists as if they were real results
    Write-Output "Unable to determine BitLocker status"
    exit 1
}

# Loop through each drive and see if it is Protected or Not
# Add to the appropriate list, Encrypted or Unencrypted
foreach ($drive in $encryption) {
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    if ( ($encStatus -match 'On') -or ($encInProgress -match "EncryptionInProgress") ) {
        $encrypted += $drive.MountPoint
        $encCount++
    } else {
        $unencrypted += $drive.MountPoint
    }
}

# Output drive statuses so they can be seen in the Activity Log
Write-Output "Encrypted and Protected Drives: $encrypted"
Write-Output "-- Unencrypted or Unprotected Status Drives: $unencrypted"
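As an added example (not code from the original post), the script below combines the evaluation and remediation ideas into one report that says, per drive, why a device failed. It applies the compliance definition stated above strictly: a drive counts only when VolumeStatus is FullyEncrypted and ProtectionStatus is On, so a drive that is still encrypting, or one that is fully encrypted but has protection suspended, is reported as non-compliant (the worklet above counts an in-progress encryption as compliant). The $AllowedSystemTypes list and the function names are this example's own choices, and Get-CimInstance stands in for Get-WmiObject; the BitLockerVolume properties used (MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage) are the ones Get-BitLockerVolume returns.

```powershell
# Added example, not part of the original worklet.
# PCSystemType values that are in scope (1 Desktop, 2 Mobile, 3 Workstation).
# Edit this list instead of the "-gt 3" comparison to widen or narrow the scope.
$AllowedSystemTypes = @(1, 2, 3)

function Test-InScope {
    # Get-CimInstance is the CIM counterpart of Get-WmiObject and exposes the same property.
    $type = (Get-CimInstance -ClassName Win32_ComputerSystem).PCSystemType
    return ($AllowedSystemTypes -contains $type)
}

function Get-BitLockerComplianceReport {
    try {
        # @() keeps a single volume from collapsing into a scalar.
        $volumes = @(Get-BitLockerVolume -ErrorAction Stop)
    } catch {
        # Surface the real error text; the caller decides what to do with it.
        throw "Unable to determine BitLocker status: $($_.Exception.Message)"
    }

    foreach ($v in $volumes) {
        $reason = $null
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            # Covers FullyDecrypted as well as EncryptionInProgress / DecryptionInProgress.
            $reason = "VolumeStatus is $($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)"
        } elseif ($v.ProtectionStatus -ne 'On') {
            # Fully encrypted but protectors suspended (for example after Suspend-BitLocker)
            # leaves the volume readable without a protector, so it is not compliant.
            $reason = "ProtectionStatus is $($v.ProtectionStatus) (protection suspended)"
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            Compliant        = ($null -eq $reason)
            Reason           = $reason
        }
    }
}

# Same scoping rule as the worklet: out-of-scope hardware is treated as compliant.
if (-not (Test-InScope)) { exit 0 }

try {
    $report = @(Get-BitLockerComplianceReport)
} catch {
    Write-Output $_.Exception.Message
    exit 1
}

# Remediation-style output: the per-drive detail goes to the Activity Log.
$report |
    Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, Compliant, Reason -AutoSize |
    Out-String |
    Write-Output

# Evaluation-style exit code: 0 only when every drive is compliant.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -eq 0) { exit 0 } else { exit 1 }
```

Used as the evaluation, the exit code behaves like the worklet above (non-zero only when some drive fails, so a scheduled run only flags problem devices); used as the remediation, the table tells you whether a failing drive is still encrypting, was never encrypted, or has had protection suspended, which the plain encrypted/unencrypted lists do not distinguish.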
