Worklet: BitLocker Compliance Checker

This worklet, as written, checks all drives on non-server Windows devices for BitLocker compliance. Comment out or alter the first IF statement in the evaluation to cover other types of systems.

Compliance means the drive is fully encrypted AND its protection status is On. A drive whose encryption is still in progress is also counted as compliant by the scripts below, so devices mid-rollout aren't flagged.

If you schedule it, it will report to the activity log ONLY the devices that aren't fully compliant on every drive in the system, because the remediation only runs when the evaluation exits 1.

If you manually run it (or change the evaluation to just: Exit 1), it will report compliance and non-compliance on ALL devices to the activity log unless you put the $HardwareType check from the evaluation into the remediation to pare down the types of devices checked.

Evaluation:

# PowerShell 4.0 and Above
# Windows 8 and later

$HardwareType = (Get-WmiObject -Class Win32_ComputerSystem).PCSystemType

# Exit (treated as compliant) if the computer is a known server type
# Comment out this line if you want all hardware checked, or change the if statement to the hardware you want
# Note: -gt 3 also skips type 6 (Appliance PC) and type 8; list the types explicitly if that matters to you
# $HardwareType = 0-Unknown, 1-Desktop, 2-Mobile, 3-Workstation, 4-Enterprise Server, 5-SOHO Server, 6-Appliance PC, 7-Performance Server, 8-Maximum
if ($HardwareType -gt 3) { Exit 0 }

#Get BitLocker status for All Drives
# Exit 1 (non-compliant) if BitLocker status can't be read, e.g. the BitLocker module is missing
try { $encryption = Get-BitLockerVolume -ErrorAction Stop }
catch { Exit 1 }

# Count Drives and initialize lists for later output
$numDrives = $encryption.Count
$encCount = 0
$encrypted = @()
$unencrypted = @()

# Loop through each drive and see if it is Protected or Not
# Add to the appropriate list, Encrypted or Unencrypted
foreach ($drive in $encryption) {
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    # ProtectionStatus is an enum (Off/On/Unknown), so compare it exactly rather than with -match.
    # A volume still encrypting reports Protection Off until it finishes, so count it as well.
    if ( ($encStatus -eq 'On') -or ($encInProgress -eq 'EncryptionInProgress') ) {
        $encrypted += $drive.MountPoint
        $encCount++
    } else {
        $unencrypted += $drive.MountPoint
    }
}

# Determine Compliant based on if the number of Encrypted
# Drives matches the number of Total Drives
if ($encCount -eq $numDrives) {
    # Compliant
    exit 0
} else {
    # Non-Compliant
    exit 1
}

Remediation:

# Count Drives and initialize lists for later output
$encCount = 0
$encrypted = @()
$unencrypted = @()

#Get BitLocker status for All Drives
try { $encryption = Get-BitLockerVolume -ErrorAction Stop }
catch {
    # Without the BitLocker cmdlets there is nothing to report on, so stop here
    # instead of falling through and printing two empty lists
    Write-Output "Unable to determine BitLocker status"
    exit 1
}

# Loop through each drive and see if it is Protected or Not
# Add to the appropriate list, Encrypted or Unencrypted
foreach ($drive in $encryption) {
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    # Same test as the evaluation: protection On, or initial encryption still running
    if ( ($encStatus -eq 'On') -or ($encInProgress -eq 'EncryptionInProgress') ) {
        $encrypted += $drive.MountPoint
        $encCount++
    } else {
        $unencrypted += $drive.MountPoint
    }
}

# Output drive statuses so they can be seen in the Activity Log
Write-Output "Encrypted and Protected Drives: $($encrypted -join ', ')"
Write-Output "-- Unencrypted or Unprotected Status Drives: $($unencrypted -join ', ')"
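A stricter, per-volume variant of the check above, added here as an example and not part of the original worklet. Where the worklet only asks "protection On or still encrypting?", this version also records the encryption method and the key protectors on each volume, reports a volume that is still encrypting as Pending rather than silently passing it, and prints one line per volume to the activity log so you can see why a device failed. The baseline it enforces (XTS-AES only, a TPM-backed protector on the OS volume, a recovery password protector on every volume) is an assumed example policy, and the function names are mine; adjust both to your environment. It checks that a recovery password protector exists, not that it has been escrowed anywhere.

```powershell
# Added example (not the original worklet): stricter per-volume BitLocker check
# for use as an Evaluation script. The policy switches below are an assumed
# example baseline, not a Microsoft or Automox recommendation.

function Test-BitLockerVolumeCompliance {
    [CmdletBinding()]
    param(
        # A volume object as returned by Get-BitLockerVolume
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Volume,
        # Example baseline (assumption): accepted cipher suites
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),
        # Example baseline (assumption): OS volume must have a Tpm* protector
        [switch]$RequireTpm,
        # Example baseline (assumption): every volume must have a RecoveryPassword protector
        [switch]$RequireRecoveryPassword
    )
    process {
        $reasons = New-Object System.Collections.Generic.List[string]
        # KeyProtectorType is an enum; stringify once so the comparisons below are plain string tests
        $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # ProtectionStatus is Off/On/Unknown; compare exactly rather than with -match
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $reasons.Add("ProtectionStatus=$($Volume.ProtectionStatus)")
        }
        # Only FullyEncrypted passes; EncryptionInProgress is surfaced via the Pending
        # flag so the caller decides whether a mid-rollout device counts as compliant
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $reasons.Add("VolumeStatus=$($Volume.VolumeStatus)")
        }
        elseif ($AllowedMethods -notcontains "$($Volume.EncryptionMethod)") {
            $reasons.Add("EncryptionMethod=$($Volume.EncryptionMethod)")
        }
        # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all satisfy the TPM requirement
        if ($RequireTpm -and "$($Volume.VolumeType)" -eq 'OperatingSystem' -and
            -not ($protectors | Where-Object { $_ -like 'Tpm*' })) {
            $reasons.Add('NoTpmProtector')
        }
        if ($RequireRecoveryPassword -and $protectors -notcontains 'RecoveryPassword') {
            $reasons.Add('NoRecoveryPasswordProtector')
        }

        [PSCustomObject]@{
            MountPoint = $Volume.MountPoint
            Type       = $Volume.VolumeType
            Status     = $Volume.VolumeStatus
            Protection = $Volume.ProtectionStatus
            Method     = $Volume.EncryptionMethod
            Protectors = ($protectors -join ',')
            Pending    = ("$($Volume.VolumeStatus)" -eq 'EncryptionInProgress')
            Compliant  = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),
        [switch]$RequireTpm,
        [switch]$RequireRecoveryPassword
    )
    # A device without the BitLocker cmdlets (e.g. a Home edition) cannot be assessed;
    # raise that instead of reporting zero volumes as "compliant"
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw 'Get-BitLockerVolume is not available on this device'
    }
    Get-BitLockerVolume -ErrorAction Stop |
        Test-BitLockerVolumeCompliance @PSBoundParameters
}

# Evaluation tail: print the per-volume table to the activity log and exit 1 if any
# volume fails. Volumes still encrypting are treated as pending rather than failing,
# matching the worklet above; remove "-and -not $_.Pending" to fail them as well.
try {
    $report = @(Get-BitLockerComplianceReport -RequireTpm -RequireRecoveryPassword)
}
catch {
    Write-Output "Unable to determine BitLocker status: $($_.Exception.Message)"
    exit 1
}
$report | Format-Table -AutoSize | Out-String -Width 200 | Write-Output
$failing = @($report | Where-Object { -not $_.Compliant -and -not $_.Pending })
if ($failing.Count -gt 0) { exit 1 } else { exit 0 }
```

Because the check returns objects rather than two flat lists, the same report can be reused in the Remediation script (drop the exit logic and keep the Format-Table line), and a device that fails shows the exact reason per volume, for example Protection Off on an otherwise fully encrypted data drive, which the simple encrypted/unencrypted split hides.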