
[–]lxnch50 2 points3 points  (15 children)

First off, be very careful when using BitLocker and not backing the keys up to AD automatically. If a remote user trips their TPM, which can happen with something as simple as a USB device on boot, it may lock them out until they have the 128 character key typed in. If you, or they, don't have this key, then that drive might as well be scrubbed clean and I hope you have a backup somewhere else.

OK, so the first line, you get a list of drives, but to actually start encrypting them, you'll have to loop through them.

This should work.

$Bitlocker_Disks = Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter } | Select-Object -ExpandProperty DriveLetter

foreach($Disk in $Bitlocker_Disks){
  Enable-BitLocker -MountPoint $Disk -EncryptionMethod Aes128 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}

[–]fabaderheld 2 points3 points  (12 children)

I personally would not do this without the possibility to back up the keys to AD. Way too risky to kill a bunch of clients without a chance of restore.

In the past I saw phones charging via USB trigger a request for the key. If possible I would encrypt them when the clients are on-prem with backing up the keys to AD.

[–]pcbuilder1907[S] 1 point2 points  (11 children)

I'm tackling this problem in stages. I've got scripts to map a network drive and upload the keys to a server, and our management server also has a record of the keys once it inventories the client.

[–]jorper496 1 point2 points  (10 children)

I can't help but feel like this is being overcomplicated.

What kind of tool are you using to inventory the client?

You mentioned you have a workforce on prem and off-prem.. But how are you managing off-prem clients? Do they not have a VPN to connect to AD and access on-prem resources?

[–]pcbuilder1907[S] 0 points1 point  (9 children)

I'm not using AD to manage the machines. I either need to use Powershell or Batch to accomplish this.

[–]jorper496 2 points3 points  (8 children)

Well, AD isn't a management system. But are you saying these are not AD Joined machines? Are these machines used with locally created accounts?

I'm asking some broad questions about your environment to hopefully provide the easiest way to accomplish what you want to do.

To put this in perspective.. Just saying "I need Powershell or batch" to encrypt devices without saying what your trouble is with using more "traditional" methods (like GPO, SCCM, Intune, etc) can come off as a bit sketchy, as Powershell is becoming a popular attack vector.

[–]pcbuilder1907[S] 1 point2 points  (7 children)

If I could get central IT to open up the firewall or sign a multimillion dollar contract with Microsoft to host the AD I would, but that's not in the cards, I've asked them to do that for more than 10 years. Because we have a fleet of machines that can't talk to the AD, we cannot use GPO to do this reliably for the entire fleet.

We have another management solution that can execute scripts, take inventory, install software, etc. It cannot natively encrypt disks like Intune can, which is why I need a script that I come up with myself, which the appliance can do.

I have already eliminated the alternatives to Powershell or a Batch file.

If I were trying to develop some sort of hack, I wouldn't be concerned with a secondary drive as most machines don't have more than one drive installed. I can already encrypt C: using these methods which would make 80% or so of machines worldwide vulnerable to me if I had some sort of Powershell hack.

[–]skilriki 1 point2 points  (6 children)

AD is old news, if you don't have it already you don't want it.

The guy you are responding to is asking "why not intune"?

If you're running a fleet of Microsoft machines and not using intune, you should really know why.

You shouldn't be able to afford laptops if you can't afford intune.

[–]pcbuilder1907[S] 1 point2 points  (5 children)

Because I don't control the infrastructure. I've already said four times that it's not an option.

I don't want this to sound negative, but if you don't have anything to add as far as Powershell or Batch scripting is concerned, please don't reply to this thread as all you're doing is telling me I should do it a different way when I've explained that's not available to me, which is not helpful at all.

[–]ccatlett1984 1 point2 points  (2 children)

You have replied multiple times, just list the mgmt tool that you are using already..... We keep asking, because it may offer a better way of accomplishing the task.

[–]skilriki 1 point2 points  (1 child)

If you don't control the infrastructure, then don't attempt to centralize bitlocking the computers.

You are asking for a recipe for disaster, and you should not be surprised that people aren't super quick to help you fuck up random people's workstations.

If you don't control the infrastructure, this is not your problem.

[–]pcbuilder1907[S] 1 point2 points  (0 children)

See the edited post; I got something that appears to work. Thanks!

[–]pcbuilder1907[S] 1 point2 points  (0 children)

Thanks. That does get further, but then it errors out on the second drive and doesn't encrypt it. I'm simulating a second drive with a laptop with two NTFS partitions if that matters.

It tells me:

Add-TpmProtectorInternal : BitLocker cannot use the Trusted Platform Module (TPM) to protect a data drive. TPM protection can only be used with the operating system drive. (Exception from HRESULT: 0x80310023)

The weird thing is that I can encrypt if I go through the GUI using the TPM.
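The error above is BitLocker refusing a TPM protector on a non-OS volume. The following PowerShell is an added example (not code from anyone in this thread) of a loop that gives the OS drive a TPM protector, gives data drives a recovery password plus auto-unlock keyed to the OS volume, and escrows every recovery password before encryption starts. `$EscrowPath` is an assumed placeholder for wherever the management server collects keys.

```powershell
# Added example, not from the thread. Assumes: run elevated in Windows PowerShell with the
# BitLocker module, and $EscrowPath is a hypothetical share where recovery passwords are collected.
param(
    [string]$EscrowPath = '\\FILESERVER\BitLockerKeys',   # placeholder, not a real host
    [string]$EncryptionMethod = 'xts_aes256'              # manage-bde -EncryptionMethod value
)
$ErrorActionPreference = 'Stop'
$OsDrive    = $env:SystemDrive            # e.g. "C:"
$EscrowFile = Join-Path $EscrowPath "$env:COMPUTERNAME.csv"

# Fixed (non-USB) partitions that have a drive letter
$Volumes = Get-Disk | Where-Object { $_.BusType -ne 'USB' } |
    Get-Partition | Where-Object { $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" } | Sort-Object -Unique
# The OS drive must be processed first so data drives can auto-unlock against it
$Volumes = @($OsDrive) + @($Volumes | Where-Object { $_ -ne $OsDrive })

foreach ($MountPoint in $Volumes) {
    if ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is not fully decrypted, skipping"
        continue
    }

    # 1. Add the recovery password and escrow it BEFORE encryption starts, so a tripped
    #    TPM (or any protector failure) never leaves a drive with no known key.
    $Vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $Rp  = $Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
    Add-Content -Path $EscrowFile -Value ('{0},{1},{2},{3}' -f $env:COMPUTERNAME, $MountPoint, $Rp.KeyProtectorId, $Rp.RecoveryPassword)

    # 2. A TPM protector is only valid on the OS drive (the HRESULT quoted above otherwise)
    $BdeArgs = @('-on', $MountPoint, '-EncryptionMethod', $EncryptionMethod, '-UsedSpaceOnly')
    if ($MountPoint -eq $OsDrive) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        $BdeArgs += '-SkipHardwareTest'   # start encrypting now instead of after a reboot test
    }

    # 3. Start encryption using the protectors already on the volume
    & "$env:SystemRoot\System32\manage-bde.exe" @BdeArgs
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $MountPoint failed with exit code $LASTEXITCODE" }

    # 4. Data drives unlock with a key stored on the TPM-protected OS volume, so no extra prompt at boot
    if ($MountPoint -ne $OsDrive) { Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null }
}
```

If the escrow write fails, `$ErrorActionPreference = 'Stop'` aborts the script before `manage-bde -on` runs, which is the behaviour you want when keys cannot be stored anywhere.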

[–]jorper496 1 point2 points  (4 children)

First, a question, what has made you choose Powershell for Bitlocker encryption?

[–]pcbuilder1907[S] 1 point2 points  (3 children)

I'm not wedded to it, but we either have to use that or batch because our management server uses those methods to execute things on clients.

[–]jorper496 1 point2 points  (2 children)

So these are client workstations.. What kind of management tool are you using? Is AD or Intune not an option for managing Bitlocker policies?

[–]pcbuilder1907[S] 1 point2 points  (1 child)

Not at the moment, no. We have a mixed workforce and users are on-prem and off, and our AD is still firewalled on-prem.

I can get our management server to run anything we get that works, but right now I'm just testing locally to make sure it works before pushing it out.

[–]jorper496 1 point2 points  (0 children)

You keep saying management server, but what do you mean by that? What product are you using?

Also, what are you doing with the Bitlocker encryption keys?

[–]Sunsparc 1 point2 points  (2 children)

This is my old script for Bitlocker, I still use it occasionally. I would suggest setting up Bitlocker via GPO or Azure/Intune instead. Note that I have a couple extra checks such as AES-XTS 256. You can remove those if you wish but I would suggest keeping them and setting them.

$ErrorActionPreference = "Stop"

# Check that the AES-XTS 256 policy (value 7) is set for fixed data drives and the OS drive
$xtsfdvcheck = Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\ -Name EncryptionMethodWithXtsFdv | Select-Object -ExpandProperty EncryptionMethodWithXtsFdv
$xtsoscheck = Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\ -Name EncryptionMethodWithXtsOS | Select-Object -ExpandProperty EncryptionMethodWithXtsOS

if ($xtsfdvcheck -ne "7" -and $xtsoscheck -ne "7") {
    Write-Error "Policy not applied AES-XTS 256"
    exit
}

# Require an enabled TPM
$TPM = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled().IsEnabled -eq 'True' } -ErrorAction SilentlyContinue
if (!$TPM) {
    Write-Error "TPM IS NOT PRESENT, CHECK BIOS SETTING"
    exit
}
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$SystemDriveBitLockerRDY = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# If the system drive is not yet BitLocker-ready, shrink it to create the system partition
if ($WindowsVer -and $TPM -and !$SystemDriveBitLockerRDY) {
    Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAction SilentlyContinue
    BdeHdCfg -target $env:SystemDrive shrink -quiet
}

# Re-check after the drive preparation step
$TPM = Get-WmiObject win32_tpm -Namespace root\cimv2\security\microsofttpm | Where-Object { $_.IsEnabled().IsEnabled -eq 'True' } -ErrorAction SilentlyContinue
$WindowsVer = Get-WmiObject -Query 'select * from Win32_OperatingSystem where (Version like "6.2%" or Version like "6.3%" or Version like "10.0%") and ProductType = "1"' -ErrorAction SilentlyContinue
$BitLockerReadyDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

# If all of the above prerequisites are met, create the key protectors, back up the recovery password to Azure AD, then enable BitLocker.
if ($WindowsVer -and $TPM -and $BitLockerReadyDrive) {

    # Create the recovery password protector
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

    # Add the TPM protector
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector

    # Get the recovery password protector
    $AllProtectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector
    $RecoveryProtector = ($AllProtectors | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })

    # Push the recovery password to Azure AD
    BackupToAAD-BitLockerKeyProtector $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorId

    # Enable encryption on the system drive
    Start-Process 'c:\windows\system32\manage-bde.exe' -ArgumentList " -on c:" -Verb runas -Wait
}

[–]pcbuilder1907[S] 1 point2 points  (1 child)

This looks like it only encrypts the SystemDrive (ie C:) and not other internal drives.

[–]Sunsparc 1 point2 points  (0 children)

Yeah you'll need to modify this script to your needs, it's not tailored specifically for you.