
Enable Bitlocker

Enable bitlocker and save the key

Description

Two agent procedures that check whether BitLocker can be enabled, check the hard drive configuration and perform the necessary steps to turn it on, then capture the status and recovery password to custom fields.

Developer
  • Name: Paul Fuggles
  • Company: Tearfund
  • Website: http://www.tearfund.org
  • Summary
  • Enable Bitlocker
  • 241 Downloads
  • Released on May 15th, 2018
  • Reviews
    by Patrick McLaughlin on January 23rd, 2019

    There's a missing line in the get bitlocker status and recovery password script. In the top else block under the bottom most writeProcedureLogEntry you should add updateSystemInfo("Bitlocker Status", "#global:cmdresults#", ... Also, at the bottom of the script I added an If, else so that it would not fill the custom field with "ERROR" if the computer didn't have bitlocker enabled. If checkVar("#global:cmdresults#") Does not contain "ERROR" updateSystemInfo("bitlocker recovery key", "#global:cmdresults#" ... else updateSystemInfo("bitlocker recovery key", " "....

    by Jesse Donk on August 23rd, 2018

    Great script, it's gonna save our servicedesk a lot of time! Tnx! A small addition I made, because sometimes the key saver saves the TPM state instead of the recovery key. I changed:

    Manage-bde -protectors -get c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    to:

    Manage-bde -protectors -get -type recoverypassword c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    This way, only the recovery key is shown, and it's ensured that that is what you save to Kaseya.

    Discussion
    Russ Stewart 10 months ago

    I will test shortly but I've been wanting this. Thanks to Kaseya for helping everyone with the leg work.

    Jonathan Weaver 10 months ago

    Russ - I am in the middle of deployment to approximately 50 machines - things are going smoothly with this script.

    matthew jordan 6 months ago

    Hi Russ, I seem to get an output of 0 on some machines (even though the script does enable Bitlocker). Have you ever seen that?

    Phil Case 6 months ago

    I've seen this. I think it's because the format of the output can change so the steps which scan the output for the key string pick up the wrong line.

    I haven't had time to look into modifying the script and we don't use it on large numbers of clients so I've taken to connecting to the client through Liveconnect, and running the command line to pick up the key.

    c:\> manage-bde -protectors -get c:

    BitLocker Drive Encryption: Configuration Tool version 10.0.17134
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    All Key Protectors

        Numerical Password:
          ID: {46545517-3597-4FBA-BF5C-xxxxxxxxxxxxxxxx}
          Password:
            440869-524645-375749-109890-574409-712613-513139-xxxxxx

        TPM:
          ID: {9217F44E-5592-4B43-86A3-FCAxxxxxxxxxxx}
          PCR Validation Profile:
            7, 11
            (Uses Secure Boot for integrity validation)

    Hope that helps or gives you a pointer

    matthew jordan 6 months ago

    Awesome many thanks.

    John Rutkowski 6 months ago

    I'm getting a "The" in the Bitlocker Recovery Key field. This turns out to be a machine that TPM is not enabled on, hence it can't run Bitlocker. So some other logic needs to be added.

    The two files it created are:

    BITLOCKERSTATUS.TXT
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: The volume C: could not be opened by BitLocker.
    This may be because the volume does not exist, or because it is not a valid
    BitLocker volume.

    BitlockerProtectors.TXT
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: An error occurred (code 0x80070057):
    The parameter is incorrect.

    Rod Wittig 5 months ago

    Has anyone figured out how to resolve the issue with the manage-bde -protectors -get c: output being different from machine to machine with this script?  I have machines reporting the Numerical Password first and then the TPM.  The result of this script is that on those machines I usually end up with either (Uses or a single number.


    Daniel Voller 5 months ago

    I haven't, but I added an extra line to the script that grabs the text file it writes the output to and uploads it to the VSA. Can then refer to it via the procedure's get file section.

    Jesse Donk 5 months ago

    I changed:

    Manage-bde -protectors -get c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    to:

    Manage-bde -protectors -get -type recoverypassword c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    This way, only the recovery key is shown, and it's ensured that that is what you save to Kaseya.
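
The comments above describe the key-scanning steps picking up the wrong line ("The", "(Uses", a single number) when the protector order changes or manage-bde returns an error. As an added example (not part of the original procedure or any poster's code), this PowerShell function matches the recovery password by its shape instead of its line position; the function name and sample outputs are constructed for illustration.

```powershell
# Added example: sample outputs are constructed and the password is fake.
function Get-BitLockerRecoveryPassword {   # hypothetical helper name
    param([string]$Text)

    # In the outputs quoted on this page, failures appear on a line beginning "ERROR:".
    if ($Text -match '(?m)^\s*ERROR:') {
        return [pscustomobject]@{ Status = 'Error'; Passwords = @() }
    }
    # A numerical password is eight hyphen-separated groups of six digits.
    $found = [regex]::Matches($Text, '(?<!\d)(?:\d{6}-){7}\d{6}(?!\d)') |
        ForEach-Object { $_.Value }
    if (-not $found) {
        return [pscustomobject]@{ Status = 'NoRecoveryPassword'; Passwords = @() }
    }
    [pscustomobject]@{ Status = 'OK'; Passwords = @($found) }
}

$tpmFirst = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000001}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888
'@
$tpmOnly = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000001}
'@
$failed = @'
ERROR: An error occurred (code 0x80070057):
The parameter is incorrect.
'@

foreach ($sample in $tpmFirst, $tpmOnly, $failed) {
    $r = Get-BitLockerRecoveryPassword $sample
    '{0}: {1}' -f $r.Status, ($r.Passwords -join ', ')
}
```

In the agent procedure, the saved output file can be read with `Get-Content -Raw` and passed to the function, writing the custom field only when the status is OK.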

    Rob van der Meijden 2 months ago

    On 1 PC it works fine but on another PC the procedure is not working and retries every 35 minutes. In the bitlocker status field I get the error "Hard drive is not configured".

    In the agent procedure log I found the error: "response from BDEHDCFG (enable): BitLocker Drive Preparation Tool version 10.0.17763 Copyright (C) 2013 Microsoft Corporation. All rights reserved. BitLocker Drive Preparation Tool version 10.0.17763 Copyright (C) 2013 Microsoft Corporation. All rights reserved. The minimum size for the new partition is 1085 megabytes. Please specify a size of at least 1085. Example: -size 1085". The PC has only got 1 partition.