/build/static/layout/Breadcrumb_cap_w.png

KACE SMA | Bitlocker

07/28/2020 added a new custom inventory rule (03a_CI_BITLOCKER_PASSWORD.kpkg) to the download package. This reports only the recovery password which will bring you more joy of creating a report or searching for the value.

05/20/2020 moved the compatibility matrix to the bottom & tested Win 10 2004.

04/25/2019 added a compatibility matrix.

03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me creating this.


Feel free to check your support status of Windows 10 with this report: https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report 

Hi all,

 

It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article i will mention different import-packages. You can download all of them here:  DOWNLOAD

If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look to this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources

 

First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have an TPM Module in your devices which needs to be activated and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:

bitlocker_00.png

 

My scenario is that Win10 devices should use Bitlocker with Aes256 bit to secure the hard disk. The disk should be automatically unlocked by TPM during boot (no password needed). If something went wrong or the hardware has changed there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.

 

The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:

bitlocker_01.png

 

To start we should first import a smart label which groups all devices where a TPM module is ready for the use with Bitlocker and no encryption technology is used.

 

TPM Based Bitlocker Ready

bitlocker_02.png


Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.

 

KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above as a target for the script..

 

[TW] Bitlocker enable TPM  & Password

Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
sleep -Seconds 15
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.

bitlocker_03.png

 

You can also check the actual state in your KACE SMA device inventory:


 

If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during the bootup by the TPM module. Now we need a custom inventory to store all the key protector information’s in our SMA device inventory. This can be done with a simple custom inventory rule.

 

Inventory: Bitlocker Recovery


A simpler which is perfect for reporting:


Good to know is that devices which need the recovery key will display a screen where users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is they can give you the ID and you can search for it in your KACE SMA device inventory or build a report for that.

 bitlocker_08.png

 

If you want to be sure that clients will always have a recovery password as a key protector you can additionally create a smart label. This will check the right key protectors after every inventory of the device. This could be used for running a script which will then add a recovery password as a key protector. This could be useful if admins change configurations local on the endpoints


Bitlocker missing Protector


All clients which fall into this label can then run the following KACE script on a daily schedule.


[TW] Bitlocker add protector

Add-BitLockerKeyProtector ...


This is the basic setup you can use to manage your hard disk encryption for your endpoints. You can think about creating notification which will alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you, creating your own KITLOCKER strategy. If there is anything unclear feel free to use the comment section.

 

Kind Regards

Timo


OS Common Name
Build Version
Compatible
1507 (RTM) Pro & Ent
10240
No
1511 Pro & Ent
10586
No
1607 Pro & Ent
14393
No
1703 Pro & Ent
15063
No
1709 Pro & Ent
16299
Yes
1803 Pro  & Ent
17134
Yes
1809 Pro & Ent
17763
Yes
1903 Pro & Ent
18362
Yes
1909 Pro & Ent
18363Yes
2004 Pro & Ent19041
Yes

Posted 5 years ago 20270 views

Comments

  • A little confused about the "Encryption=None" and the "Protection=Off" in the 1st Smart Label. Can you give an explanation? It seems like "Encryption=None" would be the only one you'd want to check. Setting it up in my environment, with both of those checks I get no results, but if I remove the "Protection=Off" I see only those machines which do not have Bitlocker enabled and running. Those would seem like the ones that I want to enable Bitlocker on...

    EDIT: NVM, I was using DDPE Protection Status, as it populates first when you type in the label search box, so disregard my comment.

    EDIT2: Had to specify full path for the powershell add protector command w/ "sysnative" to get it to work for me.

    Good job! - RD94 5 years ago
    • Hi RD94,
      thanks you very much for your feedback!
      Kind Regards
      Timo - Timokirch 5 years ago
  • I tested this a week ago and it worked on several test units. I expanded the test pool to include a group of 8 production laptops and get the following error below. I am somewhat new at this. Any ideas or direction? Thanks. Enable-BitLocker : The term 'Enable-BitLocker' is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or if a path was
    included, verify that the path is correct and try again.
    At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\526\bitlocker_enable.ps1:1 char:1
    + Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes25 ...
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Enable-BitLocker:String) [], CommandNotFoundExcept
    ion
    + FullyQualifiedErrorId : CommandNotFoundException
    Add-BitLockerKeyProtector : The term 'Add-BitLockerKeyProtector' is not recognized as the name of
    a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
    path was included, verify that the path is correct and try again.
    At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\526\bitlocker_enable.ps1:3 char:1
    + Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPassw ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Add-BitLockerKeyProtector:String) [], CommandNotFo
    undException
    + FullyQualifiedErrorId : CommandNotFoundException
    Launched Process: powershell.exe - jpack1221 5 years ago
    • Hi jpack1221,
      thanks for your reply and your intrest in the Kitlocker scripts. Which OS is running on your 8 production laptops and which powershell version are they using?
      Thanks and kind regards
      Timo - Timokirch 5 years ago
      • Microsoft Windows 10 Pro x64 and powershell is version 5 - jpack1221 5 years ago
    • i can confirm that powershell version 5 should run the command "enable-bitlocker" and "Add-BitLockerKeyProtector".

      Is the buildversion of windows10 different then from your test units? Or are any execution policies in place? A general blocker could be the AV agent. The KACE agent directories (programdata and program files) should be generally excluded. - Timokirch 5 years ago
  • yes, the test units are build 17763 and the production units are 14393. No execution polies and I contacted our AV team to exclude the KACE agent directories already - jpack1221 5 years ago
    • Hi jpack1221,
      i have tested the script with 1809 (17763) and already with 1903. I will run a test with 1607 (14393) tomorrow. Are you using LTSB? If not you should migrate to a newer build since 1607 pro is out of support since April 10, 2018. LTSB is still fine :)
      Kind regards
      Timo - Timokirch 5 years ago
  • We are not on LTSB. Looking at that now. I'm going to upgrade one of the production units to 1809 and test it. I will let you know. Thanks again! - jpack1221 5 years ago
  • We are not on LTSB. Looking at that now. I'm going to upgrade one of the production units to 1809 and test it. I will let you know. Thanks again! - jpack1221 5 years ago
    • Hi jpack1221,

      i reinstalled my lab multiple times this morning. I can tell you that the script is not working until 1709 (16299). Beginning with 1709 Pro & Ent the script is doing what it should. Also 1903 is compatible with the script. There is a simple report which shows you which builds you are using in your environment and how long they have support. I will update the report on a regular base.

      https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report

      Kind Regards
      Timo - Timokirch 5 years ago
  • Is there any way to get the import package outside of the download link? Whenever I click the link it wants me to enter a customer support email but since my company manages KACE I am unable to get the information required to create a KACE customer support account/email :( - jonniipalos 5 years ago
    • Nevermind I finally managed to get it! - jonniipalos 5 years ago
  • *EDIT* I have solved this question

    First off, Thank you for this write up! This is a great way to use KACE.
    Im currently looking at encryption options for the company I work for. I have recently learned that MS auto enables Encryption when certain configurations are met.
    (see this article: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)

    I would like to create a smart label to see if any devices have been encrypted with bitlocker that have met these conditions. Im using the following smart label lines.
    Encryption Technology Contains Bitlocker
    and
    Encryption Enable = True
    *Ive also tried Drive protected is True

    From what ive found on a device that had been auto enabled is that Bitlocker will still show off in control panel, but when you run a PS command of Get-BitlockerVolume, it will show 100% encrypted.

    How would you set up the smart label to find these devices?

    Thank you. - JonPillon 5 years ago
  • Thanks for posting this Timokirch. I successfully enabled the smart lable to gather an inventory group to send this script to. I'm running the script as local system. As a test, rather than the smart label group, I sent it to a test box member of that group. I watched the BL Control Panel twitch 3 or 4 times during script execution, script executed successfully but BL did not initiate. Will it not work if we're storing recovery passwords in AD? From the Output log: Group Policy settings require that a recovery password be specified before encrypting the
    drive.
    Thanks! - anonymous_116816 5 years ago
    • Hi Bobtrapps,
      sorry for the delayed answer but it seems that you need to modify the scripts in your configuration. I have build this scenario for users who do not have put any policies regarding BL in place. The advantage of storing the key in SMA is that you can even enable BL for devices which are not currently connected to you ad and you have reporting and search options :)

      Kind Regards - Timokirch 5 years ago
  • Thank you, Timokirch. Can you give me more detail for custom inventory to get the Bitlocker Recovery key? I couldn't get it to return any information. - pamzhao 5 years ago
    • Hi Pamzhao, what does your device retun if you run the CI field manually in a cmd? Can you see the recovery key there`? - Timokirch 5 years ago
  • Tested Win10 2004 > working like a charm - Timokirch 4 years ago
    • Might want to fix the date on when you made the last update. It says 2012. I don't think Win 10 - 2004 was out yet back then.
      BTW, this is great content. I am working on doing this, but I am going to have AD also store the info. Adds some complexity, but gives me some redundancy as well. - brummel 4 years ago
      • Hi Brummel, change is in and thanks for your feedback. Happy to hear that this blog post help you to implement a personalised Bitlocker strategy.
        Kind Regards
        Timo - Timokirch 4 years ago
  • Hi Timokirch,
    Is there a script I can use to capture machines that already bitlocker encrypted? - sam240 4 years ago
    • If you download the "kitlocker.zip" file from the link in the original message and import the contents to your SMA (or at least just "03_CI_BITLOCKER_RECOVERY.kpkg"), you will get a Custom Inventory Rule that shows the recovery key of machines that are encrypted. It is very helpful!
      If you are just looking to list out all computers in your Inventory that are encrypted, you can do an Advanced Search under Inventory > Devices using filters such as:
      Encryption Technology = Bitlocker
      Encryption Enabled is True
      System Volume is True
      Encryption Percentage = 100 - nick.wood 4 years ago
      • Hi there I tried to upload the package in Kace SMA CI but I was not able get the inventory info . Do I need to specify and shellcommandreturn text (syntax) . Or do I need to upload these .Kpkg to Kace SMA SAMBA CLIENTDROP SHARE ?

        Need help please trying to get the recovery key for encrypted devices on Kace. I create CI AND linked the .kpkg in SMA BUT BUT WAS NOT SUCCESSFUL and got no result.
        Thanks in advance! - amzee1 3 years ago
  • Looks like the download link is broken, any chance that can be re-uploaded? - Drave 4 years ago
    • Nevermind, it was asking me to verify my account with a valid email address with quest support account.. - Drave 4 years ago
  • Thank you for this fantastic write up! Quick question. Will this information stay in an asset for a device? We rotate computers quite often and devices will fall out of inventory. If the keys only stay in as long as the device is inventoried that could be an issue for us.

    Thank you! - Kevin296 3 years ago
    • this info will only stay if the system is in inventory (even if it is not inventoried since a long time) because this is how the custom inventory rules work. If you inventory the system again the info will come back with the new inventory item.
      Same for the smart label. - Nico_K 3 years ago
  • Need help guys, i am unable to download the Kitlocker packages. Whenever i hit download it is asking me to "Please enter a valid customer email for https://support.quest.com/". not sure why I need to do this. - kayroccs 3 years ago
    • Files shared in the customer only area of ITNinja communities require an active support account. You can enter this in your support email address (the email address used to login at support.quest.com) user profile on ITNinja and then access the file. - amyd 3 years ago
      • I'm a little confused but what do you mean in your last statement? What am i entering in my user profile? - kayroccs 3 years ago
  • Disregard, i found the setting and entered my Kace email address. thanks - kayroccs 3 years ago
  • thank you for the kitlocer. i am running into a problem after adding the test laptops to the script (dell latitude 5400, windows 10 20h2) we get an error
    bitlcoker could not be enabled. the bitlocker encryption key cannot be obtained. verify that the trusted platform module ios enabled and ownership has been taken (tpm is enabled) any idea? thank you in advance - binuani 3 years ago
  • Need help - how to upload these files to Kace SMA . Because I tried to link # 03 .kpkg but didn’t get any results. - amzee1 3 years ago
  • Hello Timokirch and thank you for this. I can't understand how to retrieve the recovery key. What should I put in the custom inventory rule? - kappa85 3 years ago
  • script works great however I noticed that when running again on a target that already has bitlocker enabled, it adds another recovery key for each consecutive run. I have 5 different keys showing on 1 machine for example. Is there a way to delete these additional keys and/or prevent this? would like to have the script on a schedule but on the fence if it will just keep adding recovery keys to machines that already have bitlocker on. - rscarbajal 3 years ago
  • rscarbajal, we had the same issue with multiple bitlocker keys being applied. This became an issue with Microsoft patches not installing and rolling back because of the multiple keys. It turns out the criteria logic in the device smart label needed to be grouped to correctly filter out devices that were already encrypted. Once that was fixed I created a smart label that detected devices with multiple keys and removed encryption. Once removed, the devices were rediscovered and encrypted with only one key. No problems since. - jpack1221 3 years ago
    • appreciate the response. I definitely should have read the OP's instructions fully before applying. Do you recall which values you used for the smart label you created to filter devices with multiple keys? - rscarbajal 3 years ago
      • nevermind I figured it out. For anyone else that encounters this in the future, what I did is I created a smart label with 2 lines that include "Inventory: Bitlocker Recovery - contains - KeyprotectorId" so that way the smart label filters out all endpoints that have 2 bitlocker keys or more. Then I created a powershell script with "Disable-BitLocker -MountPoint $env:SystemDrive" and pointed it to the multiple bitlocker key device label I just created. - rscarbajal 3 years ago
  • This works like a charm for the C drive but does anyone have a script to enable BitLocker on ALL Fixed drives? We have an environment of many PCs and some have multiple drives, others don't. Is there a way this can be expanded to run on all Fixed drives on a PC and include their keys in the SMA? - TruckNorris 2 years ago
    • Hi TruckNorris,
      if you have an hybrid AD environment i would suggest to have a look at KACE Cloud MDM. There you can configure bitlocker policies for all fixed drives and even portable drives. Otherwise you may edit the power-shell and CIR to cover all needed drive letters.
      BTW: Microsoft does not recommend DATA partitions for Windows 10 / 11 (see the section "Data Partition")

      https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions?view=windows-11 - Timokirch 2 years ago
      • Thank you, I presume I'd need to change it to something like this for the D drive in order to enable bitlocker and have KACE pick up the key?

        Enable-BitLocker -MountPoint "D:" -EncryptionMethod Aes256 -SkipHardwareTest
        sleep -Seconds 15
        Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector - TruckNorris 2 years ago
      • Hey TruckNorris,

        yes that should do the trick. Don't forget to change the CIT to read out the key of the D drive. - Timokirch 2 years ago
  • Hi timo - am I the only one which can't see the pictures? In my browser (edge) it seems like the pictures aren't found anymore. - abahelpdesk 2 years ago
    • fixed it, thanks for the info :) - Timokirch 2 years ago
  • I can't download the KITLOCKER because it says that I need to enter a valid Quest email address. I don't have one because I don't support the SMA directly, but I have access to manage some orgs. I am not a full administrator, so I don't have access to upload anything to the SMA. I can only do these things manually by entering the code. Can someone post the code for the CIR to get the bitlocker password only? I made up a CIR already but shows all the info from:

    ShellCommandTextReturn(cmd.exe /c %windir%\sysnative\manage-bde.exe -protectors -get c:)

    However, I want to simplify it so it only shows the password. - mveras1972 2 years ago
    • Hi mveras1972,
      feel free to send me an email to timo.weberskirch(at)quest.com. I will send you the files needed.

      KR
      Timo - Timokirch 2 years ago
  • Hi Timo,
    This is going to be a big help to our company.
    I have one question.
    Is there a way to get the Bitlocker Identifier? Or because we have the PC name we can assumem the recovery Key matches the unit?
    Mark J. - mjohnson007 2 years ago
  • can't download file. i put in my quest support email and won't verify - jjayko 2 years ago
  • Pictures don't work again. If information is still relevant, then it would be cool if you could fix the pictures again. - nonspecificuser37or39 1 year ago
    • Hi,
      sorry for the late reply. Timo is no longer with Quest but I copied the post and added the pictures again.
      https://www.itninja.com/blog/view/kace-sma-bitlocker-1 - sven.hain 1 year ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ