Worklet: Install BitLocker and store keys in device tag

4 years ago
September 22, 2020
38 replies
1897 views

JHagstrom
Pro
27 replies

Hello everyone,

This is just a script that will store bitlocker recovery keys in the device tags for whatever device the script is run on. Thought this would be an easier way to manage any bitlocker keys for those who will want to install it through automox rather than manually exporting keys or storing them via AD.

Only thing that needs changing is the API Key. Currently there is a placeholder of just “INSERT API KEY HERE” and you must add in your own for it to work.

Remediation Code:

$apiKey = "INSERT API KEY HERE"
$apiUrl = "https://console.automox.com/api/servers/"
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Bearer $apiKey")
#$headers.Add("Cookie", "ax_session=eyJpdiI6IlpqM3NxdU03Mk81dHg0RjBkOGZRQmc9PSIsInZhbHVlIjoiL0Z2QVljTVF3SkV2L0Jod0lKMUFHQ0dMalMxQVNNdkswNWRRb2hkN1NiTHBFcWk4S2pXempXU2hpQzhybHE4b3loREhXRUxKSHZPMDBmMHVHNERzVlU2enphQm1sTTA3U2FCSmNlU0lJSjdEKzdDRHRqZXBlNXFSUThWb01zNk5UdXZheXpUNlExeDJKRXdONlZBbFZsV0tYc1hVMkl1Sm1QMFBvcGxKSEZYMkJNS3FkOXpPSStVV1JwNGVEN3ZlYkl5dHhvZnNHNURzR1FjMEUvZCthVyt4S09ZQmt1R2xaQUFzOGJpTmozTVcrdWtMNVdNQUR1cUNwUi9lU0lDamJVVkoydm84UEdsR2NldEVENVQ2TTdweWVkeGJtdjJaeHp6MlVpSUZXUE92MXZqbU0vSjRFcG9CWDVjZkYzeGEycnN5RGZKbDJReFIvbzdKdXRoZ0VVRnEweXhGSHd1dWozWlhTSUhNMVNVMEVGV0Faakw3ZVVWUFI5NDRSSDJKR3BhdkZ5Yk9EeklkNGtPOEhLb1B0T3pJci9JMFpDMUk5dExXZmJINHZmSDk1c3c5QlcyTWwxZEs0V1orVlNmWjFYdVRUZTg1WVNFMVhsdG9STThYMmduWEc4T1A5VGpoU2d6WVRlWXY1N3ByVkFlRVlOcExqT1hxdnpIRHN1RzMiLCJtYWMiOiIzNzc3MzM2MWM0MmQxMTA4NjliZTk2MzEwOTg1NWQ5NWNmZTZhODBlZTQyZGQwMTM3YTI3YTJhMTgwYTg5NzcwIn0%3D")

$response = Invoke-RestMethod $apiUrl -Method 'GET' -Headers $headers -Body $body
$response | ConvertTo-Json


$currentMachineName = $env:COMPUTERNAME;

foreach($server in $response){
	$name = $server.name;	
	if($currentMachineName -eq $name){
		$id = $server.id
		$organization_id = $server.organization_id
		$server_group_id = $server.server_group_id
		#Bitlocker Start
		$keyPath = 'C:\temp'		
		$toEncrypt = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -match 'Decrypted' }	
		
		# Loop through each Unencrypted Drives
		# Enable Bitlocker and Export their Recovery Keys
		foreach ( $drive in $toEncrypt ) 
		{
		    $driveLetter = $drive.MountPoint.Replace(':','')
		    try {
		        #Enable Bitlocker
		        Enable-BitLocker -MountPoint $driveLetter -EncryptionMethod Aes128 -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
		        
				#Export Key and Key ID to a File
				$recID = (Get-BitLockerVolume -MountPoint $driveLetter).KeyProtector.KeyProtectorID
				$recKey = (Get-BitLockerVolume -MountPoint $driveLetter).KeyProtector.RecoveryPassword
				$keyAndID = "Recovery Key: $recKey | and Recovery ID: $recID"
				#Set-Content -Path "$keyPath\BitlockerRecoveryKey_$driveLetter.txt" -Force -Value "Recovery Key ID: $recID"
				#Add-Content -Path "$keyPath\BitlockerRecoveryKey_$driveLetter.txt" -Value "Recovery Key: $recKey"
				
				#Modify device through API
				## Now calling modify device API and set recID,recKey in tags
				$headers.Add("Content-Type", "application/json")
				$apiUrl = "https://console.automox.com/api/servers/$($id)?o=$($organization_id)"
				$body = "{
				    `"server_group_id`": $server_group_id,
				    `"tags`": [
				        `"RecoveryID: $recID`",
						`"RecoveryKey: $recKey`"
				    ]
				}"
				
				$body 
				$response = Invoke-RestMethod $apiUrl -Method 'PUT' -Headers $headers -Body $body
				$response | ConvertTo-Json
				#endregion here is modify device API code ends
				$KeyProperties = @()
				$KeyObj = @()
				$Computer = $env:Computername
				$Keys = Get-BitlockerVolume -MountPoint C:
				$selected = $Keys | Select-Object -ExpandProperty KeyProtector
				$Selected[1] | select-Object KeyprotectorID, RecoveryPassword
				Foreach ($S in $Selected) {
					$KeyProperties = [pscustomobject]@{
							Computer = $Computer
							KeyProtectorID = $S.KeyProtectorID
							RecoveryPassword = $S.RecoveryPassword
					}
					$KeyObj += $KeyProperties
					}
				$KeyObj[1] | Export-CSV "C:\$($Computer)_Keys.csv" -NoTypeInformation
				Write-host $keyAndID
		    } catch {
		        Write-Output "Unable to Encrypt $($drive.MountPoint)"
		    }
		}
		#end of bitlocker code
	
	}
}

Show first post

Page 2 / 2

JHagstrom
Author
Pro
27 replies
3 years ago
May 17, 2021

That would be the Remediation code. For Evaluation you could do can do something has simple as:
exit 1
or if you want to verify the machine is encrypted you could try something like this for the Evaluation:

$BLinfo = Get-Bitlockervolume

if($blinfo.ProtectionStatus -eq 'On' -and $blinfo.EncryptionPercentage -eq '100'){
    Write-Output "'$env:computername - '$($blinfo.MountPoint)' is encrypted."
    exit 1
} else {
	Write-Output "'$env:computername - '$($blinfo.MountPoint)' is not encrypted."
    exit 0
}

You should also test this on a test group before running it on any production machines.

jcropanese
Novice
16 replies
3 years ago
June 9, 2021

Sorry…just getting back to testing this as I have been testing other scripts. I put this remediation code in and just put {exit 1} for the evaluation, input our API and tested on a device that has bit locker configured. The activity log shows the device name but the details section is BLANK and there are no tags added in the device info. Is there something i am missing?

Harlan
Novice
8 replies
3 years ago
July 12, 2021

Just wanted to say I’m in the same boat.

Mrichards
Power User
58 replies
3 years ago
July 13, 2021

Initial testing shows that maybe Automox changed the way they accept arguments in their API for this call. Looks like it broke in our environment as well. Using the API docs listed here; we are getting a “400 Bad request”

LaurieL-Automox
Automox Employee
8 replies
3 years ago
July 16, 2021

I did some testing earlier and it looks like there’s some issues with the $body parameter in the worklet. The string prefix and terminator characters are missing, and there are some backticks in there that probably shouldn’t be. The $body parameter should look something like this:

$body = @"
{
    "server_group_id": $server_group_id,
    "tags": [
			    "RecoveryID: $recID",
			    "RecoveryKey: $recKey"
	 ]
}
@"

Mrichards
Power User
58 replies
3 years ago
July 16, 2021

I have been doing a ton of work on this as well, and agree the issue lies within the body parameter. However, I think the issue we are seeing is that “groupID” is a required parameter, instead of optional as the docs list (my hunch is that it used to be optional, but must have been changed on the backend of the API).

LaurieL-Automox
Automox Employee
8 replies
3 years ago
July 16, 2021

Yes, the server_group_id is a required parameter. I’m not sure exactly when this might have changed, however it is called out in the yaml file as required. I’ll go ahead and update the docs page.

Mrichards
Power User
58 replies
3 years ago
July 16, 2021

Is there any way we can request GroupID to be investigated to go back to optional? Refactoring our scripts to include this would be another layer of complexity that isn’t desired, or required.

LaurieL-Automox
Automox Employee
8 replies
3 years ago
July 16, 2021

I’m looking into that. Will get back to you as soon as I have more information.

LaurieL-Automox
Automox Employee
8 replies
3 years ago
July 16, 2021

@Mrichards I ran it by our engineers, and it looks like the server_group_id has been a required body parameter for a long time. I’m not sure whether it would be possible in the future to make it optional, but they’re looking into it. It was only marked as optional on the docs page due to an oversight.

Currently, passing the PUT /servers/{id} API call without that parameter will result in a 400 error, as you’ve described.

nondescript
Novice
7 replies
2 years ago
February 24, 2023

Is this still working/resolved, or broken due to the server_group_ID at this point?

Juan Greene
Rookie
2 replies
9 months ago
June 14, 2024

Bumping this old thread to recommend a modification.

Instead of $env:COMPUTERNAME, use [System.Net.Dns]::GetHostName().

$env returns the BIOS name, whereas Automox stores the full hostname. If your full hostname is over 15 characters in length, the matching could fail.

bwright
Rookie
1 reply
8 months ago
July 25, 2024

This worklet is awesome, I am testing it on some of our devices and was wondering if you could help me with one thing? The worklet works as expected and stores the ID and Key as tags, but it also wipes away any tags already set for the machine. Is there a way to alter this so it doesn’t wipe away the other tags that already exist? Thanks!

Page 2 / 2

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

how to apply new changes into clean operation for records already in the db?icon

MDM model Pros/Cons of splitting Entity based on Type

IDs in MDM

Setup/Tuning Kafka streaming in MDM

Usage of Rematch and Reprocess jobs

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings