Solved

Suspend Bitlocker Encryption or Decrypt Drives

  • July 10, 2024
  • 1 reply
  • 92 views


I was able to successfully use the “Enforce Bitlocker Encryption” worklet on a few test machines.

However, I am curious if anyone knows a way to use Automox to suspend encryption in order to run updates or how to simply decrypt drives with a worklet.

The idea of encrypting drives with a worklet is helpful, but manually suspending the encryption and decrypting the devices takes a lot of work.

Best answer by MarkH-Automox

1 reply

  • Automox Employee
  • 130 replies
  • Answer
  • July 10, 2024

Hi Bwright,

I took the Evaluation code from the Bitlocker Compliance check worklet Catalog template and flipped the compliance exit codes. There are a few lines that can be stripped out to make this shorter:

<#
    Usage:
    There is only one variable to be modified in this worklet.

    $maxSystemtype: Set this variable to limit the maximum PCSystemType to evaluate. Currently the script is set
    to a value of 3, which will exclude devices with a PCSystemType higher than a workstation (i.e. servers). If you prefer
    to run this evaluation against all devices, then a value of '8' should be specified. Refer to the list below for
    reference and change $maxSystemtype as needed.

    PCSystemType
    0 = Unknown
    1 = Desktop
    2 = Mobile
    3 = Workstation
    4 = Enterprise Server
    5 = SOHO Server
    6 = Appliance PC
    7 = Performance Server
    8 = Maximum

.EXAMPLE
    $maxSystemtype = '3'
.LINK
    https://docs.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.pcsystemtype?view=powershellsdk-1.1.0
.NOTES
    Author: Tony Wiese
    Date: March 19, 2021
#>

####### EDIT WITHIN THIS BLOCK #######
$maxSystemtype = '3'
######################################

# PCSystemType is an integer; because the left-hand operand of -gt is an integer,
# PowerShell converts the string in $maxSystemtype to an integer for the comparison.
$getSystype = (Get-CimInstance -ClassName Win32_ComputerSystem).PCSystemType

# Exit if the system type is higher than $maxSystemtype.
# Exit 0 means "compliant", so excluded devices never trigger the remediation.
if ($getSystype -gt $maxSystemtype)
{
    Write-Output "Device Excluded"
    Exit 0
}

# Get BitLocker status for all drives. @() guarantees an array even when a
# single volume is returned, so .Count is always meaningful.
try
{
    $encryption = @(Get-BitLockerVolume -ErrorAction Stop)
}
catch
{
    # A failed query is reported as non-compliant (Exit 1) so the device is
    # visible in the console rather than silently skipped.
    Write-Output "Get-BitLockerVolume failed: $($_.Exception.Message)"
    Exit 1
}

# Count drives and initialize lists for later output
$numDrives = $encryption.Count
$encCount = 0
$encrypted = @()
$unencrypted = @()

# No volumes at all: nothing to decrypt, so treat as compliant instead of
# letting 0 -eq 0 below report the device as encrypted.
if ($numDrives -eq 0)
{
    Write-Output "No BitLocker volumes found"
    Exit 0
}

# Loop through each drive and see if it is protected or not.
# A drive whose encryption is still in progress counts as encrypted.
foreach ($drive in $encryption)
{
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    if (($encStatus -match 'On') -or ($encInProgress -match "EncryptionInProgress"))
    {
        $encrypted += $drive.MountPoint
        $encCount++
    }
    else
    {
        $unencrypted += $drive.MountPoint
    }
}

Write-Output "Encrypted drives:   $($encrypted -join ', ')"
Write-Output "Unencrypted drives: $($unencrypted -join ', ')"

# Exit codes are flipped relative to the Catalog compliance check: a device on
# which every drive is encrypted exits 1 (non-compliant) so the remediation
# code runs and decrypts it; any other device exits 0 and is left alone.
if ($encCount -eq $numDrives)
{
    Write-Output "Device has BitLocker enabled"
    Exit 1
}
Write-Output "Device does NOT have BitLocker enabled"
Exit 0

If a device is found to contain an encrypted drive, run the Remediation code and decrypt it (thanks OTTO):
# ======================
# Otto AI Generated Code
# ======================
# Get all BitLocker-enabled drives (protection currently On)
$bitlockerDrives = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

# Disable BitLocker on each drive. Disable-BitLocker starts a full decryption
# of the volume and returns immediately; decryption continues in the background,
# so the volume status is reported alongside the message.
foreach ($drive in $bitlockerDrives) {
    Disable-BitLocker -MountPoint $drive.MountPoint -Confirm:$false | Out-Null
    $status = (Get-BitLockerVolume -MountPoint $drive.MountPoint).VolumeStatus
    Write-Output "BitLocker disabled on drive $($drive.MountPoint) (volume status: $status)"
}

Automox will take care of handling bitlocker during updates. You won’t have to disable/re-enable bitlocker around patch policies.
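The question also asked about suspending encryption for updates rather than decrypting outright. The script below is an added example and is not part of this thread, an Automox Catalog worklet, or the Otto-generated code above. It suspends protection on every protected volume for a bounded number of reboots with Suspend-BitLocker -RebootCount, and has a matching resume step that verifies protection is back on. Suspension keeps the data encrypted on disk and only clears the key protectors temporarily, whereas Disable-BitLocker decrypts the whole volume. It assumes it runs as SYSTEM with the BitLocker module available; the $Action and $RebootCount parameters and both function names are constructed for this example.

```powershell
# Added example (not from the original thread). Drop this into two worklets:
# one run with -Action Suspend before the update step, one with -Action Resume after it.
param(
    [ValidateSet('Suspend', 'Resume')]
    [string]$Action = 'Suspend',

    # Number of reboots the suspension survives before Windows resumes protection
    # on its own. Kept small so a forgotten resume step cannot leave the OS volume
    # unprotected indefinitely; -RebootCount 0 (indefinite) is refused below.
    [ValidateRange(1, 15)]
    [int]$RebootCount = 1
)

function Suspend-ProtectedVolumes {
    # Suspends protection on volumes that are currently protected and returns
    # the post-suspension state of each so the worklet output shows that the
    # data is still encrypted (VolumeStatus) while protection is off.
    param([int]$RebootCount)

    $result  = @()
    $volumes = Get-BitLockerVolume -ErrorAction Stop | Where-Object { $_.ProtectionStatus -eq 'On' }
    foreach ($vol in $volumes) {
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount $RebootCount -ErrorAction Stop | Out-Null
        $after = Get-BitLockerVolume -MountPoint $vol.MountPoint
        $result += [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $after.ProtectionStatus   # expected: Off while suspended
            VolumeStatus     = $after.VolumeStatus       # expected: still FullyEncrypted
        }
    }
    return $result
}

function Resume-ProtectedVolumes {
    # Re-enables protection on volumes that are encrypted but suspended, and
    # returns the mount points that are still unprotected afterwards so the
    # worklet can exit non-zero and surface them in the console.
    $unprotected = @()
    $volumes = Get-BitLockerVolume -ErrorAction Stop |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' }
    foreach ($vol in $volumes) {
        Resume-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
        if ((Get-BitLockerVolume -MountPoint $vol.MountPoint).ProtectionStatus -ne 'On') {
            $unprotected += $vol.MountPoint
        }
    }
    return $unprotected
}

switch ($Action) {
    'Suspend' {
        $suspended = Suspend-ProtectedVolumes -RebootCount $RebootCount
        if ($suspended.Count -eq 0) {
            Write-Output "No protected volumes to suspend"
            Exit 0
        }
        $suspended | Format-Table -AutoSize | Out-String | Write-Output
        Exit 0
    }
    'Resume' {
        $left = Resume-ProtectedVolumes
        if ($left.Count -gt 0) {
            Write-Output "Protection still off on: $($left -join ', ')"
            Exit 1
        }
        Write-Output "BitLocker protection resumed on all encrypted volumes"
        Exit 0
    }
}
```

Because the suspension is tied to a reboot count, the resume worklet is a safety net rather than the only path back to a protected state: if it never runs, Windows re-arms the protectors after the configured number of reboots. The Resume step deliberately selects only volumes that are FullyEncrypted with protection off, so it does not touch volumes that were never encrypted or that are mid-decryption.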

