07/21/2023 I copied this blogpost from my good friend Timo, he left Quest so I will update this report in the future :) Original post here.
07/28/2020 added a new custom inventory rule (03a_CI_BITLOCKER_PASSWORD.kpkg) to the download package. This reports only the recovery password which will bring you more joy of creating a report or searching for the value.
05/20/2020 moved the compatibility matrix to the bottom & tested Win 10 2004.
04/25/2019 added a compatibility matrix.
03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me creating this.
Feel free to check your support status of Windows 10 with this report: Article: KACE SMA - Windows End of Support Report (itninja.com)
Hi all,
It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article i will mention different import-packages. You can download all of them here: DOWNLOAD
If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look to this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources
First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have an TPM Module in your devices which needs to be activated and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:
My scenario is that Win10 devices should use Bitlocker with Aes256 bit to secure the hard disk. The disk should be automatically unlocked by TPM during boot (no password needed). If something went wrong or the hardware has changed there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.
The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:
To start we should first import a smart label which groups all devices where a TPM module is ready for the use with Bitlocker and no encryption technology is used.
TPM Based Bitlocker Ready
Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.
KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above as a target for the script..
[TW] Bitlocker enable TPM & Password
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest sleep -Seconds 15 Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtectorThis will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.
You can also check the actual state in your KACE SMA device inventory:
If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during the bootup by the TPM module. Now we need a custom inventory to store all the key protector information’s in our SMA device inventory. This can be done with a simple custom inventory rule.
Inventory: Bitlocker Recovery
A simpler which is perfect for reporting:
Good to know is that devices which need the recovery key will display a screen where users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is they can give you the ID and you can search for it in your KACE SMA device inventory or build a report for that.
If you want to be sure that clients will always have a recovery password as a key protector you can additionally create a smart label. This will check the right key protectors after every inventory of the device. This could be used for running a script which will then add a recovery password as a key protector. This could be useful if admins change configurations local on the endpoints
Bitlocker missing Protector
All clients which fall into this label can then run the following KACE script on a daily schedule.
[TW] Bitlocker add protector
This is the basic setup you can use to manage your hard disk encryption for your endpoints. You can think about creating notification which will alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you, creating your own KITLOCKER strategy. If there is anything unclear feel free to use the comment section.
Kind Regards
Timo
OS Common Name | Build Version | Compatible |
1507 (RTM) Pro & Ent | 10240 | No |
1511 Pro & Ent | 10586 | No |
1607 Pro & Ent | 14393 | No |
1703 Pro & Ent | 15063 | No |
1709 Pro & Ent | 16299 | Yes |
1803 Pro & Ent | 17134 | Yes |
1809 Pro & Ent | 17763 | Yes |
1903 Pro & Ent | 18362 | Yes |
1909 Pro & Ent | 18363 | Yes |
2004 Pro & Ent | 19041 | Yes |
Usually on newer systems, TPM is always enabled. You can also see it in your SMA inventory under the hardware area if TPM is enabled or not. If you have Dell, HP or Lenovo hardware they also offer tools to mass deploy BIOS settings to devices. For example: Dell offers the Dell Command Configure Tool where you can set certain Bios settings and get an EXE at the end. This EXE can be run via KScript to deploy the needed BIOS settings to all devices. A possible command line would be as following:
Create a KScript and choose only Windows OS.
Add the BIOS EXE that you created with Command Configure to the dependencies.
Add a task and under success add a step "Launch a program"
As directory use $(KACE_DEPENDENCY_DIR)
as file the filename of your EXE for example: Precision.exe
as parameter use /S
This is a basic example and would require some verification at the beginning to make sure that it does not run all the time.
More information can be found here https://www.dell.com/support/manuals/en-au/dell-command-configure-v3.2/dcc_ug_3.2/creating-a-bios-package-using-the-gui?guid=guid-23966051-e36c-4739-8857-93cf0da64b74&lang=en-us
Hope that helps.
Cheers Sven - sven.hain 6 months ago