How to Enable Bitlocker
I wanted to enable BitLocker on HP & Dell via KACE, so can you provide a PowerShell script which will do this?
Thank you
Answers (7)
Hello,
I know someone may have something better.
I use a reg key breadcrumb to know if I ran the script already. This is [YYYYMMDD]-[SCRIPT_ID#]-[REVISION #] for me. This lets me pull all of my breadcrumbs into a Custom Inventory Field (called that in Device Detail but called Custom Inventory Rule or CIR everywhere on Quest/ITNINJA).
[EDIT] I should add that this runs the first time where it does not detect the breadcrumb key (as that is set in remediation). In remediation it will activate BitLocker. If it succeeds in activating BL it will add the breadcrumb key. On remediation success, this will push the key to AAD. On remediation failure this will just get the status. On the next pass (and on subsequent runs) this will detect the key and go to Verify Success, where it will check status.
For some reason I used the SysNative 64-bit manage-bde... I do not remember why.
I am also pushing the keys to AAD... you could push to AD or not at all. We do not manually set BL normally as we have MDM handle it, but for those machines that are having issues, or that were migrated in and already encrypted, or that were unencrypted due to removal of another tool, I use this script.
Verify
- Verify that “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled” is equal to “20220331-247-001”.
On Success
Remediation
- Log “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled”.
- Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C echo %date:~4%-%time%”.
- Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -on C:”.
- Set “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled” to “20220331-247-001”.
On Remediation Success
- Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -status”.
- Launch “$(KACE_SYS_DIR)\WindowsPowerShell\v1.0\powershell.exe” with params “foreach ($Volume in Get-BitLockerVolume | Where-Object { $_.KeyProtector -like '*RecoveryPassword*' }) { $DriveLetter = $Volume.MountPoint ; $BLMP = Get-BitLockerVolume -MountPoint $DriveLetter ; $BLMPKEY = $BLMP.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } ; $BitLockerKey = $BLMPKEY.KeyProtectorId ; BackupToAAD-BitLockerKeyProtector -MountPoint $DriveLetter -KeyProtectorId $BitLockerKey ; Write-Output 'Please verify Recovery keys in EndPoint Manager manually!' }”.
On Remediation Failure
- Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -status”.
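The same breadcrumb-gated flow as a single PowerShell script, added here as an example; it is not the poster's KACE script. It keeps the poster's breadcrumb location and stamp (reading the `!` in the KACE path as the separator between registry key and value name) and runs as SYSTEM. It differs from the manage-bde step above in two ways: it checks that the TPM is ready before trying to enable, and it adds the recovery password explicitly before the TPM protector rather than relying on `manage-bde -on` defaults, so there is always a protector to escrow. The transcript log path is an assumption.

```powershell
# Added example, not the poster's KACE script. Assumed: the breadcrumb key/value below (from the
# post, with '!' read as the key/value-name separator) and the transcript path.
$BreadcrumbKey   = 'HKLM:\SOFTWARE\Kace\KBot Configuration\Uninstall0'
$BreadcrumbName  = 'key-BitLockerEnabled'
$BreadcrumbValue = '20220331-247-001'      # [YYYYMMDD]-[SCRIPT_ID#]-[REVISION #]
$OsDrive         = $env:SystemDrive        # 'C:' on a standard install
$LogPath         = "$env:ProgramData\Quest\KACE\BitLockerEnable.log"   # assumed location

function Get-Breadcrumb {
    # Returns the stamp if this script already ran on this machine, otherwise $null
    try { (Get-ItemProperty -Path $BreadcrumbKey -Name $BreadcrumbName -ErrorAction Stop).$BreadcrumbName }
    catch { $null }
}

function Set-Breadcrumb {
    if (-not (Test-Path $BreadcrumbKey)) { New-Item -Path $BreadcrumbKey -Force | Out-Null }
    New-ItemProperty -Path $BreadcrumbKey -Name $BreadcrumbName -Value $BreadcrumbValue `
        -PropertyType String -Force | Out-Null
}

function Test-Preflight {
    # Enable-BitLocker -TpmProtector fails when the TPM is absent or not ready, so check first
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
    }
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$OsDrive is already $($vol.VolumeStatus); refusing to re-enable"
    }
}

function Backup-RecoveryKeysToAAD {
    # Escrow every RecoveryPassword protector on every volume, as the poster does;
    # swap in Backup-BitLockerKeyProtector to escrow to on-prem AD instead.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Output "Escrowed $($vol.MountPoint) protector $($kp.KeyProtectorId) to AAD"
        }
    }
}

$exitCode = 0
Start-Transcript -Path $LogPath -Append | Out-Null
try {
    if ((Get-Breadcrumb) -eq $BreadcrumbValue) {
        # Verify Success: breadcrumb present, so only report status (the poster's manage-bde -status)
        Get-BitLockerVolume -MountPoint $OsDrive |
            Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
    } else {
        # Remediation: breadcrumb missing, so enable BitLocker and stamp only on success
        Test-Preflight
        Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector `
            -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $OsDrive
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            throw "Enable-BitLocker returned but $OsDrive is still FullyDecrypted"
        }
        Set-Breadcrumb
        Backup-RecoveryKeysToAAD
    }
} catch {
    # Remediation Failure: no breadcrumb is written, so the next KACE pass retries
    Write-Output "FAILED: $($_.Exception.Message)"
    Get-BitLockerVolume -MountPoint $OsDrive | Format-List MountPoint, VolumeStatus, ProtectionStatus
    $exitCode = 1
} finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Because the breadcrumb is written only after `Get-BitLockerVolume` confirms the volume is no longer `FullyDecrypted`, a machine where the enable step failed keeps retrying on later passes instead of being marked done, which is the property the Verify/Remediation split above is there to give you.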
I used the following script but it does not enable BitLocker.
Script:
# -Force suppresses the confirmation prompt that stalls a non-interactive SYSTEM session; -Scope Process leaves the machine policy alone
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
# -ErrorAction Stop so a failed Enable-BitLocker is not silently skipped
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest -ErrorAction Stop
Start-Sleep -Seconds 15
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector -ErrorAction Stop
# Report the result so the log shows whether encryption actually started
Get-BitLockerVolume -MountPoint "C:" | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
Log file
Log for Enable_BitLocker on min2
Started: 27/04/2022 15:40:05
Finished: 27/04/2022 15:40:06
Elapsed Time: 1 second
Status: 1
Output Log
Running as SYSTEM
Launched Process: Bitlocker_Enable.ps1
Activity Log
verify - on_verify_success
verify - on_verify_failure
verify - launch_program
Launching program: 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' wait='false'
Debug Log
Running kbot: runkbot 110 1651069700
KBotScript::LogScriptInfo - Start
id=110 name=Enable_BitLocker version=1651069700 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=110 name=Enable_BitLocker version=1651069700 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\110\
CleanupDependencies: file Bitlocker_Enable.ps1 is part of the dependency list, keep the file
runkbot ----- launching [path='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110' program='Bitlocker_Enable.ps1' parms='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' wait='false'] -----
runkbot ----- completed [exitCode=0] -----

CarstenBuscher is right, the Kitlocker is a great tool.
https://www.itninja.com/blog/view/kace-sma-bitlocker
We have an AAD environment and push the keys there... but I also store them in KACE... especially since KACE can grab secondary drives while AAD can only grab the system drive unless I push it there.
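For the data-drive case this answer raises (AAD only gets the system drive's key unless you push the others yourself), here is an added example, not the poster's code, that gives every fixed data volume a recovery password, auto-unlocks it with the OS drive, and escrows each recovery password to AAD. It assumes the OS drive is already protected, which auto-unlock requires, and that it runs as SYSTEM or an administrator; removable media is skipped on purpose.

```powershell
# Added example, not the poster's code. Assumes the OS drive is already protected (auto-unlock
# needs that) and that the caller runs as SYSTEM or an administrator.
function Protect-FixedDataVolumes {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        throw "OS drive $($os.MountPoint) is not protected; auto-unlock cannot be enabled"
    }
    $escrowed = @()
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' -and $_.MountPoint }) {
        $mp = $vol.MountPoint
        # Skip removable media: a USB stick should not be auto-unlocked with the OS drive
        if ((Get-Volume -DriveLetter $mp.TrimEnd(':')).DriveType -ne 'Fixed') { continue }

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # A recovery password is the only protector we add; auto-unlock adds its own below
            Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector `
                -UsedSpaceOnly -ErrorAction Stop | Out-Null
        } elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            # Already encrypted (e.g. migrated in) but with no recovery password to escrow
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        }
        $vol = Get-BitLockerVolume -MountPoint $mp
        if (-not $vol.AutoUnlockEnabled) {
            Enable-BitLockerAutoUnlock -MountPoint $mp -ErrorAction Stop | Out-Null
        }
        foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $escrowed += [pscustomobject]@{
                MountPoint     = $mp
                KeyProtectorId = $kp.KeyProtectorId
                VolumeStatus   = $vol.VolumeStatus
            }
        }
    }
    $escrowed   # one row per escrowed protector; pipe to Format-Table or write out for a KACE CIR
}

Protect-FixedDataVolumes | Format-Table -AutoSize
```

Only the protector IDs are emitted, never the 48-digit recovery password itself, so the output is safe to land in a KACE log or inventory field; the password stays in AAD where the escrow put it.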
Comments:
Hello,
CarstenBuscher linked to it and I repeated it: https://www.itninja.com/blog/view/kace-sma-bitlocker
It is really more of a posting about setup along with links to downloads.