07/28/2020 added a new custom inventory rule (03a_CI_BITLOCKER_PASSWORD.kpkg) to the download package. This reports only the recovery password which will bring you more joy of creating a report or searching for the value.
05/20/2020 moved the compatibility matrix to the bottom & tested Win 10 2004.
04/25/2019 added a compatibility matrix.
03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me creating this.
Feel free to check your support status of Windows 10 with this report: https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report
Hi all,
It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article i will mention different import-packages. You can download all of them here: DOWNLOAD
If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look to this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources
First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have an TPM Module in your devices which needs to be activated and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:
My scenario is that Win10 devices should use Bitlocker with Aes256 bit to secure the hard disk. The disk should be automatically unlocked by TPM during boot (no password needed). If something went wrong or the hardware has changed there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.
The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:
To start we
should first import a smart label which groups all devices where a TPM module
is ready for the use with Bitlocker and no encryption technology is used.
TPM Based Bitlocker Ready
Of course, you could add a filter like “OS Name” contains “Windows 10” (or any
other filter which matches your environment) to make sure that only your
clients will get Bitlocker enabled.
KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above as a target for the script..
[TW] Bitlocker enable TPM & Password
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest sleep -Seconds 15 Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.
You can also check the actual state in your KACE SMA device inventory:
If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during the bootup by the TPM module. Now we need a custom inventory to store all the key protector information’s in our SMA device inventory. This can be done with a simple custom inventory rule.
Inventory: Bitlocker Recovery
A simpler which is perfect for reporting:
If you want to be sure that clients will always have a recovery password as a key protector you can additionally create a smart label. This will check the right key protectors after every inventory of the device. This could be used for running a script which will then add a recovery password as a key protector. This could be useful if admins change configurations local on the endpoints
Bitlocker missing Protector
All clients which fall into this label can then run the following KACE script on a daily schedule.
[TW] Bitlocker add protector
Add-BitLockerKeyProtector ...
This is the basic setup you can use to manage your hard disk encryption for your endpoints. You can think about creating notification which will alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you, creating your own KITLOCKER strategy. If there is anything unclear feel free to use the comment section.
Kind Regards
Timo
OS Common Name | Build Version | Compatible |
1507 (RTM) Pro & Ent | 10240 | No |
1511 Pro & Ent | 10586 | No |
1607 Pro & Ent | 14393 | No |
1703 Pro & Ent | 15063 | No |
1709 Pro & Ent | 16299 | Yes |
1803 Pro & Ent | 17134 | Yes |
1809 Pro & Ent | 17763 | Yes |
1903 Pro & Ent | 18362 | Yes |
1909 Pro & Ent | 18363 | Yes |
2004 Pro & Ent | 19041 | Yes |
EDIT: NVM, I was using DDPE Protection Status, as it populates first when you type in the label search box, so disregard my comment.
EDIT2: Had to specify full path for the powershell add protector command w/ "sysnative" to get it to work for me.
Good job! - RD94 5 years ago
thanks you very much for your feedback!
Kind Regards
Timo - Timokirch 5 years ago
function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\526\bitlocker_enable.ps1:1 char:1
+ Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes25 ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Enable-BitLocker:String) [], CommandNotFoundExcept
ion
+ FullyQualifiedErrorId : CommandNotFoundException
Add-BitLockerKeyProtector : The term 'Add-BitLockerKeyProtector' is not recognized as the name of
a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\526\bitlocker_enable.ps1:3 char:1
+ Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPassw ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Add-BitLockerKeyProtector:String) [], CommandNotFo
undException
+ FullyQualifiedErrorId : CommandNotFoundException
Launched Process: powershell.exe - jpack1221 5 years ago
thanks for your reply and your intrest in the Kitlocker scripts. Which OS is running on your 8 production laptops and which powershell version are they using?
Thanks and kind regards
Timo - Timokirch 5 years ago
Is the buildversion of windows10 different then from your test units? Or are any execution policies in place? A general blocker could be the AV agent. The KACE agent directories (programdata and program files) should be generally excluded. - Timokirch 5 years ago
i have tested the script with 1809 (17763) and already with 1903. I will run a test with 1607 (14393) tomorrow. Are you using LTSB? If not you should migrate to a newer build since 1607 pro is out of support since April 10, 2018. LTSB is still fine :)
Kind regards
Timo - Timokirch 5 years ago
i reinstalled my lab multiple times this morning. I can tell you that the script is not working until 1709 (16299). Beginning with 1709 Pro & Ent the script is doing what it should. Also 1903 is compatible with the script. There is a simple report which shows you which builds you are using in your environment and how long they have support. I will update the report on a regular base.
https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report
Kind Regards
Timo - Timokirch 5 years ago
First off, Thank you for this write up! This is a great way to use KACE.
Im currently looking at encryption options for the company I work for. I have recently learned that MS auto enables Encryption when certain configurations are met.
(see this article: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker)
I would like to create a smart label to see if any devices have been encrypted with bitlocker that have met these conditions. Im using the following smart label lines.
Encryption Technology Contains Bitlocker
and
Encryption Enable = True
*Ive also tried Drive protected is True
From what ive found on a device that had been auto enabled is that Bitlocker will still show off in control panel, but when you run a PS command of Get-BitlockerVolume, it will show 100% encrypted.
How would you set up the smart label to find these devices?
Thank you. - JonPillon 5 years ago
drive.
Thanks! - anonymous_116816 5 years ago
sorry for the delayed answer but it seems that you need to modify the scripts in your configuration. I have build this scenario for users who do not have put any policies regarding BL in place. The advantage of storing the key in SMA is that you can even enable BL for devices which are not currently connected to you ad and you have reporting and search options :)
Kind Regards - Timokirch 5 years ago
BTW, this is great content. I am working on doing this, but I am going to have AD also store the info. Adds some complexity, but gives me some redundancy as well. - brummel 4 years ago
Kind Regards
Timo - Timokirch 4 years ago
Is there a script I can use to capture machines that already bitlocker encrypted? - sam240 4 years ago
If you are just looking to list out all computers in your Inventory that are encrypted, you can do an Advanced Search under Inventory > Devices using filters such as:
Encryption Technology = Bitlocker
Encryption Enabled is True
System Volume is True
Encryption Percentage = 100 - nick.wood 4 years ago
Need help please trying to get the recovery key for encrypted devices on Kace. I create CI AND linked the .kpkg in SMA BUT BUT WAS NOT SUCCESSFUL and got no result.
Thanks in advance! - amzee1 3 years ago
Thank you! - Kevin296 4 years ago
Same for the smart label. - Nico_K 4 years ago
bitlcoker could not be enabled. the bitlocker encryption key cannot be obtained. verify that the trusted platform module ios enabled and ownership has been taken (tpm is enabled) any idea? thank you in advance - binuani 3 years ago
if you have an hybrid AD environment i would suggest to have a look at KACE Cloud MDM. There you can configure bitlocker policies for all fixed drives and even portable drives. Otherwise you may edit the power-shell and CIR to cover all needed drive letters.
BTW: Microsoft does not recommend DATA partitions for Windows 10 / 11 (see the section "Data Partition")
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions?view=windows-11 - Timokirch 2 years ago
Enable-BitLocker -MountPoint "D:" -EncryptionMethod Aes256 -SkipHardwareTest
sleep -Seconds 15
Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector - TruckNorris 2 years ago
yes that should do the trick. Don't forget to change the CIT to read out the key of the D drive. - Timokirch 2 years ago
ShellCommandTextReturn(cmd.exe /c %windir%\sysnative\manage-bde.exe -protectors -get c:)
However, I want to simplify it so it only shows the password. - mveras1972 2 years ago
feel free to send me an email to timo.weberskirch(at)quest.com. I will send you the files needed.
KR
Timo - Timokirch 2 years ago
This is going to be a big help to our company.
I have one question.
Is there a way to get the Bitlocker Identifier? Or because we have the PC name we can assumem the recovery Key matches the unit?
Mark J. - mjohnson007 2 years ago
sorry for the late reply. Timo is no longer with Quest but I copied the post and added the pictures again.
https://www.itninja.com/blog/view/kace-sma-bitlocker-1 - sven.hain 1 year ago