/build/static/layout/Breadcrumb_cap_w.png

How to Enable Bitlocker

I wanted to enable bitlocker on HP & Dell via KACE, so can you provide Powershell script which will do this.

Thank you


0 Comments   [ + ] Show comments

Answers (7)

Posted by: frank.clark@magaero.com 2 years ago
Senior White Belt
0

Hello,

I know someone may have better.

I use a reg key breadcrumb to know if I ran script already. This is [YYYYMMDD]-[SCRIPT_ID#]-[REVISION #] for me. This lets me pull all of my breadcrums into a Custom Inventory Field (Called that in Device Detail but called Custom Inventory Rule or CIR everywhere on Quest/ITNINJA).

[EDIT] I should add that this runs the first time where it does not detect the breadcrumb key (as that is set in remediation). In remediation it will activate BitLocker. If it succeeds to activate bl it will add the breadcrumb key. On remediate success, this will push the key to AAD. On remediate failure this will just get the status. This will make another pass (and on subsequent runs) this will detect the key and go to Verify Success where it will check status.

For some reason I used the SysNative 64-bit manage-bde...I do not remember why.

I also am pushing the keys to AAD...you could push to AD or not at all. We do not manually set BL normally as we have MDM handle it but for those machines that are having issues or that were migrated in and already encrypted....or that were unencrypted due to removal of another tool, I use this script.

Verify

  1. Verify that “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled” is equal to “20220331-247-001”.trashcan-icon.png
Reorder | Add…

On Success

  1. Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -status”.trashcan-icon.png
Reorder | Add…

Remediation

  1. Log “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled”.trashcan-icon.png
  2. Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C echo %date:~4%-%time%”.trashcan-icon.png
  3. Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -on C:”.trashcan-icon.png
  4. Set “HKLM\SOFTWARE\Kace\KBot Configuration\Uninstall0!key-BitLockerEnabled” to “20220331-247-001”.trashcan-icon.png
Reorder | Add…

On Remediation Success

  1. Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -status”.trashcan-icon.png
  2. Launch “$(KACE_SYS_DIR)\WindowsPowerShell\v1.0\powershell.exe” with params “foreach ($MountPoint in Get-BitLockerVolume | Where-Object { $_.KeyProtector -like '*RecoveryPassword*' }) {($DriveLetter = $MountPoint) ; ($BLMP = Get-BitLockerVolume -MountPoint $DriveLetter) ; ($BLMPKEY = $BLMP.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) ; ($BitLockerKey = $BLMPKEY.KeyProtectorId) ; (BackupToAAD-BitLockerKeyProtector -MountPoint $DriveLetter -KeyProtectorId $BitLockerKey) ; (Write-Output ”Please verify Recovery keys in EndPoint Manager manually!“)}”.trashcan-icon.png
Reorder | Add…

On Remediation Failure

  1. Launch “$(KACE_SYS_DIR)\cmd.exe” with params “/C C:\Windows\Sysnative\manage-bde.exe -status”.

I also am pushing the keys to AAD 



Posted by: CarstenBuscher 2 years ago
Senior Purple Belt
0

I think Kitlocker is a great start for this


https://www.itninja.com/blog/view/kace-sma-bitlocker

Posted by: Hitesh Mistry 2 years ago
White Belt
0

I used following script but it does not enable bitlocker.

Script:

Set-ExecutionPolicy RemoteSigned

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest

sleep -Seconds 15

Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

Logo file

Log for Enable_BitLocker on min2 Show All ]

Started:27/04/2022 15:40:05
Finished:27/04/2022 15:40:06
Elapsed Time:1 second
Status:1

Output Log

Running as SYSTEMLaunched Process: Bitlocker_Enable.ps1

Activity Log

verify - on_verify_successverify - on_verify_failureverify - launch_programLaunching program: 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' wait='false'

Debug Log

Running kbot: runkbot 110 1651069700KBotScript::LogScriptInfo - Startid=110 name=Enable_BitLocker version=1651069700 type=policyexecute disconnected=false logged_off=trueexecute eventsKBotScript::LogScriptInfo - FinishKBotScript::LogScriptInfo - Startid=110 name=Enable_BitLocker version=1651069700 type=policyexecute disconnected=false logged_off=trueexecute eventsKBotScript::LogScriptInfo - FinishKBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\110\CleanupDependencies: file Bitlocker_Enable.ps1 is part of the dependency list, keep the filerunkbot ----- launching [path='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110' program='Bitlocker_Enable.ps1' parms='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\110\Bitlocker_Enable.ps1' wait='false'] -----runkbot ----- completed [exitCode=0] -----
Posted by: Hitesh Mistry 2 years ago
White Belt
0

Also there is no popup window showing the drive is being encrypted.

Posted by: frank.clark@magaero.com 2 years ago
Senior White Belt
0

CarstenBuscher is right, the Kitlocker is a great tool.

https://www.itninja.com/blog/view/kace-sma-bitlocker

We have an AAD environment and push the keys there...but I also store them in KACE...especially since KACE can grab secondary drives while AAD can only grab the system unless I push it there.



Comments:
  • Do you mind sharing how you do both push the keys to AAD and KACE?

    Thank you - BarnOwl 1 year ago
Posted by: Hitesh Mistry 2 years ago
White Belt
0

Can you let me know where I can download Kitlocker tool from.

Posted by: frank.clark@magaero.com 2 years ago
Senior White Belt
0

Hello,

CarstenBuscher linked to it and I repeated it: https://www.itninja.com/blog/view/kace-sma-bitlocker

It is really more of a posting about setup along with links to downloads.

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ