BitLocker Deployment via GPO and PowerShell Script

  • Question

  • I am new to this, but have been tasked to deploy BitLocker remotely/automated via GPO and PowerShell.

    I have a mixed environment of both UEFI and legacy laptops, thus my test environment is set up the same way. With that, I have a policy for using TPM, and another for not utilizing TPM but just using passwords. I have set up two GPOs, as well as two different PowerShell commands to enable BitLocker.

    I had both PowerShell scripts working. However, I soon realized that I didn't have anything in the script that creates a recovery key/password and exports it to AD. (I have this set up to be allowed within my GPO.)

    When I attempt to add the syntax to do this, I receive errors, so I am trying to figure out what I'm doing wrong.

    Please see the PowerShell syntax below and the output from it. Any info on what I'm doing wrong would be appreciated. If you need any info on the GPOs, I can provide that as well.

    For the TPM workstations:

    This script works...

    $SecureString = ConvertTo-SecureString "12345678" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $SecureString -TPMandPinProtector

    This script fails...

    $SecureString = ConvertTo-SecureString "12345678" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -RecoveryKeyPath "\\testdc\Bitlocker Keys" -RecoveryKeyProtector -Pin $SecureString -TPMandPinProtector

    Failed Script Output...

    Enable-BitLocker : Parameter set cannot be resolved using the specified named parameters.
    At C:\Users\administrator.PDCTEST\Desktop\EnableBitlocker-TPM-PIN2.ps1:2 char:1
    + Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -RecoveryK ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Enable-BitLocker], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,Enable-BitLocker

    Disclaimer that I'm new to BitLocker and still trying to better understand some of the settings, such as the difference between -RecoveryKey vs. RecoveryPassword.

    Again, any help would be much appreciated.

    Thanks.

    Thursday, November 21, 2019 4:29 PM

All replies

  • See this guidance for bitlocker deployment without MBAM. It includes a script that encrypts: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html
    • Edited by Bagitman Thursday, November 21, 2019 5:37 PM
    Thursday, November 21, 2019 5:36 PM
  • So, I found this article and was able to use the script within it (answered by jphughan, much props :))

    https://social.technet.microsoft.com/Forums/en-US/656b5803-2f76-4957-afd1-63c7759e86fb/backupbitlockerkeyprotector-doesnt-return-any-error-even-if-it-fails?forum=mdopmbam

    That works perfectly for my TPM deployments. I now need to figure out how to tweak this to accommodate my Non-TPM deployments, where I would configure the commands to create a -password and save it to AD as well.

    I'm going to keep looking, but any insight would be fantastic.

    Thanks.

    • Marked as answer by timahh2 Friday, November 22, 2019 3:59 PM
    Thursday, November 21, 2019 7:07 PM
  • Honestly, don't use systems without a TPM.

    If you fear that the users might want to extend their privileges from restricted user to admin, be informed that they can do it in minutes if you let them have a password instead of TPM+PIN.

    So unless you fully trust your users, better abandon that idea.

    Thursday, November 21, 2019 8:04 PM
  • Unfortunately we are not in a position to rebuild or convert our legacy boot machines.  Additionally, I have tested this and regular users do not have elevated permissions to be able to change the encryption password, plus, on top of that, I have it restricted within my GPO. 

    Unless I'm missing something, I have tested this in my test environment and the system does not allow it.

    Thursday, November 21, 2019 8:25 PM
  • Just to provide the current status, I have the TPM script working perfectly.

    I have a script that "works" for the Non-TPM\Legacy machines.  However, I need to amend it to save a Recovery Key to AD, but I cannot get the syntax correct.

    Here's what works, (without saving a Recovery Key to AD):

    $pass = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Password $pass -PasswordProtector

    This command will encrypt the drive on reboot, but is not creating a Recovery Key in AD.

    I then force this issue within the GPO "Choose how BitLocker protected operating drives can be recovered", where I check the box, "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".

    I know that GPO is working when I run the script above because it then gives me the error output of, "Group Policy settings require that a recovery password be specified before encrypting the drive".

    So, I need to get syntax into the script for creating a recovery key and saving it to AD. (The latter of which I have also defined within the GPO object "Choose default folder for recovery password".)

    What am I missing?

    Thursday, November 21, 2019 8:56 PM
  • Yes, you are missing the point. Give me the BL password and I'll turn my account into an admin in 5 minutes, I promise. So in case security matters, get rid of non-TPM machines.

    Edit/Addition: It's irrelevant what your GPOs enforce, and of course it doesn't matter if the user may change the BitLocker password or not. He may decrypt using that password. He may not decrypt using the PIN.

    Thursday, November 21, 2019 9:02 PM
  • Getting rid of the Non-TPM workstations is not currently on the table, so I have to make the best of it for now.

    Just to enlighten me, if, hypothetically, you're not an admin on a workstation, how would you turn your account into an admin in 5 minutes?

    Just because I'm new to BitLocker does not mean I'm new to I.T. administration, and I'm unaware of how this can be accomplished, so I'd love to learn something new on how this can be done.

    Thanks.

    Thursday, November 21, 2019 9:27 PM
  • One thing worth noting here.

    With the drive fully encrypted on a non-TPM workstation, I just went through a second test of this where I logged in with a standard user account. All 4 of the options within BitLocker Drive Encryption, "Suspend Protection", "Change Password", "Remove Password", and "Turn off BitLocker", ask me to provide administrative credentials when I select any of them.

    With that, since it's been established that I'm missing the point, in addition to that, what am I missing here to allow me to obtain admin level permissions for a standard user?

    Thursday, November 21, 2019 9:48 PM
  • How you do it: you boot Windows Setup, press Shift+F10 at the language selection prompt, and you'll have a command line at hand. Privileges/users don't matter here; Windows is not even running.

    Now you mount the drive using manage-bde -unlock c: -pw

    (supply the password here). That's it, the drive is at your disposal. You may edit the registry to enable the local administrator account with a blank password, if you like. Just reboot Windows and log on as local admin. Or decrypt the drive there right away using manage-bde -off c:

    Thursday, November 21, 2019 10:00 PM
  • I'm still looking for some help with adding syntax to the script below that will save the Recovery Password to my AD server.

    $pass = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -SkipHardwareTest -EncryptionMethod Aes256 -Password $pass -PasswordProtector

    This script works and will encrypt the drive, but I need a Recovery Password and Password ID to be saved to AD.

    I've tried several different items, but just can't seem to get it.

    Any assistance would be most helpful.  Thanks.

    Friday, November 22, 2019 2:56 PM
  • $pass = ConvertTo-SecureString "PDCArea1928" -AsPlainText -Force

    Add-BitLockerKeyProtector -MountPoint "C:" -Password $pass -PasswordProtector

    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -RecoveryPasswordProtector -SkipHardwareTest -UsedSpaceOnly

    That will work (does here). Set this as well and see that this GPO is applied before running the command:

    • Edited by Ronald Schilf Friday, November 22, 2019 3:06 PM
    • Marked as answer by timahh2 Friday, November 22, 2019 3:59 PM
    Friday, November 22, 2019 3:04 PM
  • Now that I have each of these separate scripts working, and enabling BitLocker for their respective Boot type; (Legacy vs. UEFI), I would like to try and take it a step further and combine them, so that we can add these to a login script and have the single script try to perform a check and enable BitLocker for either\both Boot type(s).

    Script 1 (For Legacy Boot (Password Based BitLocker))

    $pass = ConvertTo-SecureString "mypassword123" -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint "C:" -Password $pass -PasswordProtector
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Password $pass -PasswordProtector

    Script 2 (For UEFI Boot (TPM PIN Based BitLocker))

    if ((Get-BitLockerVolume -MountPoint "C:").VolumeStatus -eq "FullyDecrypted") {
        try {
            #Check for existing Recovery Password from previous failed iterations
            $RecoveryPassword = ((Get-BitLockerVolume -MountPoint "C:").KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorID
            if (!$RecoveryPassword) {
                Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
                $RecoveryPassword = ((Get-BitLockerVolume -MountPoint "C:").KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorID
            }
            Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RecoveryPassword
            $SecureString = ConvertTo-SecureString "12345678" -AsPlainText -Force
            Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -Pin $SecureString -TPMandPinProtector
        } catch {
            Write-Output "BitLocker encryption could not be enabled"
        }
    }

    If anyone has an idea as to how these 2 scripts can be combined so that we can perform a single deployment, that would be awesome.  Thanks.

    Wednesday, December 4, 2019 8:13 PM
  • Don't use a logon script but a startup script or an immediate scheduled task that runs as system account. Logon scripts run as user and will not have the required privileges.

    You could save the 2 code blocks as two scripts (tpm.ps1 and no_tpm.ps1) and call them in a batch like this:

    rem Win32_Tpm is only present when the machine has a TPM; IsEnabled_InitialValue TRUE means it is usable.
    wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue |findstr TRUE && goto next
    
    rem No TPM: password-based protector
    powershell -ExecutionPolicy Bypass -File \\server\share\no_tpm.ps1
    
    goto end
    
    :next
    
    rem TPM present: TPM+PIN protector
    powershell -ExecutionPolicy Bypass -File \\server\share\tpm.ps1
    
    :end


    • Marked as answer by timahh2 Thursday, December 5, 2019 9:35 PM
    Thursday, December 5, 2019 9:16 AM
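    Pulling the original question, Ronald Schilf's answer and the batch dispatcher above into one script, here is an added PowerShell example; it is not code from any poster in this thread. It adds the recovery password protector first (Enable-BitLocker accepts only one protector switch per call, which is why combining -RecoveryKeyProtector with -TPMandPinProtector fails with AmbiguousParameterSet), escrows it to AD DS, verifies the escrow through the Win32_EncryptableVolume method that Backup-BitLockerKeyProtector wraps without reporting errors, and only then enables BitLocker with TPM+PIN or, where no usable TPM exists, a password. Assumptions: it runs as SYSTEM from a startup script or scheduled task; the GPOs for AD DS backup and for allowing a password protector on non-TPM machines are already applied; $PlainSecret stands in for whatever PIN/password handling you use (a fixed value in a script on a share is readable by anyone who can read the share); the function names Test-TpmUsable, Get-RecoveryPasswordId and Backup-RecoveryPasswordToAD are mine.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from any of the posters.
# Escrow a recovery password to AD DS, verify it landed, then enable BitLocker with
# TPM+PIN (TPM usable) or a password protector (no TPM). Run as SYSTEM, not at logon.
param(
    [string]$MountPoint  = 'C:',
    [string]$PlainSecret = '12345678'   # placeholder; replace with your own secret handling
)

$ErrorActionPreference = 'Stop'
Import-Module BitLocker

function Test-TpmUsable {
    # Same check the batch dispatcher does with wmic: Win32_Tpm is absent without a TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    return [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
}

function Get-RecoveryPasswordId {
    param([string]$MountPoint)
    # Enable-BitLocker takes exactly one protector switch per call, so any additional
    # protector is added beforehand with Add-BitLockerKeyProtector (valid on a
    # fully decrypted volume). Reuse an existing recovery password if a prior run left one.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    return ($rp | Select-Object -First 1).KeyProtectorId
}

function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint, [string]$KeyProtectorId)
    # Backup-BitLockerKeyProtector stays silent when the AD write fails. The WMI method
    # it wraps returns 0 on success, so call it directly and hand the code back.
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
    $r = Invoke-CimMethod -InputObject $vol -MethodName BackupRecoveryInformationToActiveDirectory `
               -Arguments @{ VolumeKeyProtectorID = $KeyProtectorId }
    return [int]$r.ReturnValue
}

$status = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
if ($status -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is $status; nothing to do."
    return
}

$rpId = Get-RecoveryPasswordId -MountPoint $MountPoint
$rc   = Backup-RecoveryPasswordToAD -MountPoint $MountPoint -KeyProtectorId $rpId
if ($rc -ne 0) {
    # Never encrypt a drive whose recovery password is not escrowed; an encrypted laptop
    # with no recovery password in AD is unrecoverable from the admin side.
    throw "AD DS escrow of recovery password $rpId failed (return code $rc); not encrypting $MountPoint."
}

$secret = ConvertTo-SecureString $PlainSecret -AsPlainText -Force
if (Test-TpmUsable) {
    # TPM+PIN: the PIN by itself cannot unlock the disk from WinPE; the TPM must release the key.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -Pin $secret -TpmAndPinProtector -SkipHardwareTest -UsedSpaceOnly
} else {
    # Password protector: whoever knows the password can unlock from WinPE with
    # "manage-bde -unlock C: -pw" and modify the offline OS, as warned earlier in the thread.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -Password $secret -PasswordProtector -SkipHardwareTest -UsedSpaceOnly
}
Write-Output "BitLocker enabled on $MountPoint; recovery password ID $rpId is escrowed in AD DS."
```

    Order matters here: the escrow check runs before Enable-BitLocker, so a machine that cannot reach a domain controller (or whose GPO is not yet applied) simply stays unencrypted and logs the failure rather than ending up locked with no recovery password on record. The GPO option "Do not enable BitLocker until recovery information is stored to AD DS" gives the same guarantee, but only once that policy has actually reached the client.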
  • So, now that I have this working in my test environment, I am starting to mirror the setup in my production environment.

    I have installed BitLocker and the BitLocker Network Unlock feature on my DCs, and am setting up the GPOs.

    The first thing I noticed is that within the object

    Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

    I only have 6 policy objects.

    On my test server I have 17 policy objects.

    See images below.

    One of the missing objects is "Allow network unlock at startup".

    The only difference is that my test server is Windows 2012, and my production server is version 2019.

    Is this normal?

    


    Tuesday, December 10, 2019 3:13 PM
  • No, not normal. You need to verify the administrative templates of your server, they must be outdated. The only possible explanation for having outdated templates on server 2019 is that you use a central store and within that central store, you have placed templates for server 2008 R2.

    • Marked as answer by timahh2 Thursday, December 12, 2019 7:53 PM
    Wednesday, December 11, 2019 7:30 AM
  • Okay.  Thanks for that.

    If I'm following you,  I went here:

    https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra

    My OS Build is "17763", which coincides with Version 1809.  I followed the instructions and ran the install, then copied the files from the C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2\PolicyDefinitions over to the new, manually created directory;

    \\domain controller\SYSVOL\PolicyDefinitions-1809

    I'm wondering if I missed a step, because when I re-launch Group Policy Management, the new/other GPOs are not listed.

    Any thoughts?

    Thursday, December 12, 2019 7:02 PM
  • I figured it out. Their instructions reference creating the PolicyDefinitions-1809 directory. Since that didn't work, what I tried was to rename the original PolicyDefinitions to PolicyDefinitionsOLD, and then renamed PolicyDefinitions-1809 to PolicyDefinitions.  I refreshed my GP Management console and voila.

    Thanks for the assistance.

    • Marked as answer by timahh2 Thursday, December 12, 2019 7:55 PM
    Thursday, December 12, 2019 7:55 PM
  • Okay. I really have myself a dilemma now. I mistakenly ran the script on all of our company machines prior to having the GPOs enabled. Therefore it did not save the recovery information into AD, as specified in my GPO.

    Luckily it does appear that the script has failed on some, but not all.

    As of right now, I only have one laptop that is inaccessible.  It is asking for the Recovery Key, but I don't have one in AD.

    This script is for my legacy boot machines (listed above), and I know the 8-digit alphanumeric password that was specified in the script.

    From the laptop's BitLocker boot-up, I have navigated to Advanced Options > Command Prompt and have tried utilizing the manage-bde with various options, (including the password), but I'm not getting anywhere.

    See output:

    Microsoft Windows [Version 10.0.17134.1]
    Not enough memory resources are available to process this command.

    X:\windows\system32>d:
    This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.

    X:\windows\system32>c:

    C:\>manage-bde -protectors -get d:
    BitLocker Drive Encryption: Configuration Tool version 10.0.17134
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume D: [Label Unknown]
    All Key Protectors

        TPM:
          ID: {B55B6977-E956-490A-9052-D0BB50DDE389}
          PCR Validation Profile:
            0, 2, 4, 8, 9, 10, 11

        Numerical Password:
          ID: {62FB1BF7-6962-45A2-8B42-5BFD1FAC51FF}

    Does anyone have any thoughts\suggestions as to how I can get this drive unlocked without the Recovery Key, (but knowing the encryption password that was executed in my script)?

    Please let me know when you have a chance.  Thanks in advance.

    Friday, December 13, 2019 7:34 PM
  • Hm, it seems that your script did not work as expected. It did not set a PIN protector, so the TPM alone is protecting it. Question is: why would it ask for the recovery key at all and not just take the TPM's key?

    ...slowly...

    So your script ran and then what happened the next time you rebooted that laptop(s)?

    Friday, December 13, 2019 7:55 PM
  • That's just it, the end user called us and told us where things were at with the laptop.  The problem is that we don't know how far they went with it.  I'm guessing they probably initially received a prompt providing the recovery password, but probably skipped right past it.

    This is a legacy boot volume, so PIN\TPM should not be at play here.  Rather the password defined in the Legacy script.

    When I run

    manage-bde -unlock d: -pw

    I get...

    Enter the password to unlock this volume:

    I enter the password from my script, and I get...

    ERROR: The password failed to unlock volume D:

    So, one question is this...

    Is manage-bde -unlock d: -pw asking for the password in my script?  I assume it's not wanting the recovery password as that syntax would be...

    manage-bde -unlock d: -RecoveryPassword 

    Let me know what you think.  Thanks.

    Friday, December 13, 2019 8:17 PM
  • You seem to misjudge this:

    "This is a legacy boot volume, so PIN\TPM should not be at play here."

    Of course it is a device with TPM. So says your output: "All Key Protectors...    TPM:.."

    So please acknowledge that your script has not set a password and not set a PIN, either. The TPM is active and the device should just start without needing to enter anything at all. What does it do if you try to start it?

    If your answer comes "it demands the recovery key", then clearly, you must have changed something at bios level ->right after encrypting<- because else, it wouldn't want the recovery key.

    Friday, December 13, 2019 8:43 PM
  • It brings me to the BitLocker Recovery Key prompt.  Nothing was changed at the BIOS level.  The end user would have no idea how to do that.

    The scripts look like this.

    Script 1 (For Legacy Boot (Password Based BitLocker))

    $pass = ConvertTo-SecureString "mypassword123" -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint "C:" -Password $pass -PasswordProtector
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Password $pass -PasswordProtector

    Script 2 (For UEFI Boot (TPM PIN Based BitLocker))

    if ((Get-BitLockerVolume -MountPoint "C:").VolumeStatus -eq "FullyDecrypted") {
        try {
            #Check for existing Recovery Password from previous failed iterations
            $RecoveryPassword = ((Get-BitLockerVolume -MountPoint "C:").KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorID
            if (!$RecoveryPassword) {
                Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
                $RecoveryPassword = ((Get-BitLockerVolume -MountPoint "C:").KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorID
            }
            Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RecoveryPassword
            $SecureString = ConvertTo-SecureString "12345678" -AsPlainText -Force
            Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -Pin $SecureString -TPMandPinProtector
        } catch {
            Write-Output "BitLocker encryption could not be enabled"
        }
    }

    Friday, December 13, 2019 9:12 PM
  • Could it be that your system disk is not GPT? With TPM 2.0, the key inside of the TPM would not be released unless the disk is formatted as GPT, so then it would be expected behavior that the recovery key is being asked for.

    On cmd, use diskpart:

    diskpart

    list disk

    to see whether there is a * below GPT with that disk or not.

    Saturday, December 14, 2019 10:06 AM
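    The locked-laptop post and this last reply both come down to questions a read-only audit can answer before anything is encrypted: what firmware and partition style the machine has, whether a TPM is present, which protectors are on the volume (what "manage-bde -protectors -get" printed above), and whether each recovery password ID actually exists under the computer's account in AD DS. The following PowerShell is an added example, not code from any poster in this thread. It assumes the ActiveDirectory RSAT module is installed, the caller may read msFVE-RecoveryInformation objects (delegated or Domain Admin), and it runs on the machine being audited; the function name Get-BitLockerEscrowAudit is mine.

```powershell
# Added example for this thread, not code from any of the posters.
# Read-only audit: firmware type, OS disk partition style, TPM state, protectors on
# the volume, and whether each recovery password is escrowed in AD DS.
Import-Module BitLocker
Import-Module ActiveDirectory

function Get-BitLockerEscrowAudit {
    param([string]$MountPoint = 'C:')

    $vol  = Get-BitLockerVolume -MountPoint $MountPoint
    # Disk that backs the OS volume: UEFI boot needs GPT, legacy BIOS boot uses MBR.
    $disk = Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk
    $tpm  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Escrowed recovery passwords are msFVE-RecoveryInformation objects directly under the
    # computer account. Their CN is "<timestamp>{<protector GUID>}", so the local
    # KeyProtectorId (which includes the braces) can be matched against the name.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                    -Filter 'objectClass -eq "msFVE-RecoveryInformation"'

    $recovery = foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        [pscustomobject]@{
            KeyProtectorId = $p.KeyProtectorId
            EscrowedInAD   = [bool]($escrowed | Where-Object Name -like "*$($p.KeyProtectorId)*")
        }
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        FirmwareType      = $env:firmware_type              # 'UEFI' or 'Legacy'
        OsDiskPartition   = $disk.PartitionStyle            # 'GPT' or 'MBR'
        TpmPresent        = [bool]$tpm
        TpmEnabled        = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        ProtectorTypes    = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        RecoveryPasswords = $recovery
        # Encrypted or encrypting with no escrowed recovery password is the locked-laptop case.
        AtRisk            = ($vol.VolumeStatus -ne 'FullyDecrypted') -and
                            -not ($recovery | Where-Object EscrowedInAD)
    }
}

Get-BitLockerEscrowAudit -MountPoint 'C:' | Format-List
```

    Run before deployment, AtRisk should be false and FirmwareType/OsDiskPartition should agree (UEFI with GPT, Legacy with MBR); a TPM machine with an MBR disk is the mismatch this reply describes. Run after the fact, a TPM-only ProtectorTypes value with EscrowedInAD false for every recovery password reproduces the state of the locked laptop: the protector list matches what manage-bde printed, and nothing in AD can unlock it. When an escrow does exist, the same objects carry the 48-digit password in the msFVE-RecoveryPassword attribute (add -Properties msFVE-RecoveryPassword to the Get-ADObject call, or use the BitLocker Recovery Password Viewer), which is what the recovery screen and manage-bde -unlock -RecoveryPassword expect.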