A How-to Guide on Managing BitLocker Encryption with Pulseway


Carl T

A number of folks have requested the ability to manage BitLocker with Pulseway, so I thought I would share how I am doing this with PowerShell scripts and Pulseway's custom fields feature.

First, you will need to create custom fields in Pulseway (Automation Tab --> Custom Fields). These fields should be text variables that have the system context. I personally have 3: BitlockerKey, Protection Status (On/Off), and BitLockerVolumeStatus. BitlockerKey is probably the one most people will care about.


After configuring the custom fields, you will then need to create your PowerShell script. Notice you have inputs and outputs. You will want to click New for output. Name it what you wish, ensure it is a text variable type, and then turn on "Set Custom Field Value".


Now we toggle the flag for it being a Windows PowerShell script. You should see at the top that it has created a comment #outputs with your defined output variable assigned the default value you gave it.

Now we have our script. Update as of 4/18/2021: the script now tracks 3 custom fields and will account for the case where a drive is encrypted but protection is off and no protectors have been added yet.

# Outputs (these names must match the output variables defined in the Pulseway script editor)
$ProtectionStatus = "na"
$recoveryKey = "na"
$VolumeStatus = "na"
#region functions
function Start-BitlockerEnable {
    Enable-BitLocker -MountPoint c: -EncryptionMethod XtsAes128 -UsedSpaceOnly -TpmProtector
    # Schedule the reboot for 23:00 local time. If it is already past 23:00, use 23:00 tomorrow
    # so shutdown.exe is never handed a negative timeout.
    $today = Get-Date
    $scheduledtime = $today.Date.AddHours(23)
    if ($scheduledtime -le $today) { $scheduledtime = $scheduledtime.AddDays(1) }
    [int]$SecondsToMidnight = ($scheduledtime - $today).TotalSeconds
    shutdown /r /t $SecondsToMidnight
    msg.exe * "BitLocker encryption has been enabled. A reboot is needed before the encryption will apply and has been scheduled for $scheduledtime local time. You can reboot before this if you prefer."
    #start-sleep 90
    #msg.exe * "This Computer will reboot in 30 seconds to bitlocker Encryption"
    #start-sleep 30
    #Restart-computer -force
}
#endregion functions

#region execution
$BitLockerStatus = Get-BitLockerVolume -MountPoint c:
if ((Get-Tpm).TpmPresent -eq $true) {
    # If the volume is in the process of encrypting or decrypting, VolumeStatus will not say "Fully...".
    # Don't make changes while a conversion is running.
    if (($BitLockerStatus.ProtectionStatus -match 'off') -and ($BitLockerStatus.VolumeStatus -notmatch 'progress')) {
        # BitLocker is not enabled, so enable it.
        if ($BitLockerStatus.VolumeStatus -eq 'FullyDecrypted') {
            $recoveryKey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty RecoveryPassword
            if (!($recoveryKey)) {
                Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
            }
            $newStatus = Get-BitLockerVolume -MountPoint c:
            $recoveryKey = $newStatus.KeyProtector | Select-Object -ExpandProperty RecoveryPassword
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
            # Only turn encryption on once a recovery password protector is confirmed to exist
            # (checked by protector type rather than by string-matching the protector objects).
            if ($newStatus.KeyProtector.KeyProtectorType -contains 'RecoveryPassword') {
                Start-BitlockerEnable
            }
        }
        # BitLocker must be partially enabled: the drive is fully encrypted, but protection is off and no protectors exist.
        # Typically this is using XtsAes128, so you may wish to Disable-BitLocker, then re-enable it with your protectors and preferred encryption level.
        else {
            Disable-BitLocker -MountPoint 'c:'
            # Wait for decryption to finish before adding protectors and re-enabling.
            $decryptInProgress = $true
            while ($decryptInProgress -eq $true) {
                $decryptstatus = Get-BitLockerVolume -MountPoint 'c:'
                if ($decryptstatus.VolumeStatus -match 'progress') {
                    Start-Sleep 2
                }
                else {
                    $decryptInProgress = $false
                }
            }
            Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
            $newStatus = Get-BitLockerVolume -MountPoint c:
            $recoveryKey = $newStatus.KeyProtector | Select-Object -ExpandProperty RecoveryPassword
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
            if ($newStatus.KeyProtector.KeyProtectorType -contains 'RecoveryPassword') {
                Start-BitlockerEnable
            }
        }
    }
    # BitLocker should already be enabled, so log the keys, volume status, etc.
    else {
        $recoveryKey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty RecoveryPassword
        $ProtectionStatus = $BitLockerStatus.ProtectionStatus
        $VolumeStatus = $BitLockerStatus.VolumeStatus
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable ProtectionStatus ""$ProtectionStatus""") -Wait
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable VolumeStatus ""$VolumeStatus""") -Wait
    }
}
else {
    # No TPM: do not encrypt; record the reason in the custom field instead.
    $recoveryKey = 'NoTpm'
    Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
}
#endregion execution

You can modify the above script as you wish. I personally have gone with a bit of a cautious approach where it will not skip the hardware check, which will reboot the PC, but I prefer this approach to having it encrypt the drive without checking the TPM is all good, which could then result in the drive being encrypted and locking out the end user.


At the end of all this, you should now be able to both enable BitLocker encryption and pull your recovery keys from Pulseway like so:


Edited by Carl T
Few word edits.
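As an added example (not from Carl T's post), here is a side-effect-free PowerShell function that captures the branching the script above performs, so the decision for each volume state can be checked against constructed objects shaped like Get-BitLockerVolume output before the script is allowed to touch a real drive. The action names and the sample volumes are my own constructions.

```powershell
# Added example: classify what the script above would do for a given volume state.
# It reads only the properties the script reads and never calls Enable/Disable-BitLocker.
function Get-BitLockerAction {
    param(
        [Parameter(Mandatory)] $Volume,   # object shaped like Get-BitLockerVolume output
        [bool]$TpmPresent = $true         # (Get-Tpm).TpmPresent on a real machine
    )
    # Script writes 'NoTpm' to the custom field and makes no changes without a TPM.
    if (-not $TpmPresent) { return 'NoTpm' }
    # Never change anything while an encryption or decryption conversion is running.
    if ("$($Volume.VolumeStatus)" -match 'Progress') { return 'WaitForConversion' }
    # Check the protector type explicitly instead of string-matching protector objects.
    $hasRecoveryPwd = @($Volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
    if ("$($Volume.ProtectionStatus)" -match 'Off') {
        if ("$($Volume.VolumeStatus)" -eq 'FullyDecrypted') {
            # Decrypted drive: make sure a recovery password exists, then enable with the TPM protector.
            if ($hasRecoveryPwd) { return 'EnableWithTpm' }
            return 'AddRecoveryPasswordThenEnable'
        }
        # Encrypted but protection off with no protectors: script decrypts and re-enables cleanly.
        return 'DecryptThenReEnable'
    }
    # Protection on: only report status and push the recovery password to the custom fields.
    return 'ReportOnly'
}

# Constructed sample volumes covering the states the post describes (not real drives).
$samples = @(
    [pscustomobject]@{ Name = 'decrypted';   ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted';       KeyProtector = @() }
    [pscustomobject]@{ Name = 'unprotected'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyEncrypted';       KeyProtector = @() }
    [pscustomobject]@{ Name = 'converting';  ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress'; KeyProtector = @() }
    [pscustomobject]@{ Name = 'protected';   ProtectionStatus = 'On';  VolumeStatus = 'FullyEncrypted';
                       KeyProtector = @(
                           [pscustomobject]@{ KeyProtectorType = 'Tpm' },
                           [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; RecoveryPassword = 'constructed-placeholder' }
                       ) }
)
foreach ($v in $samples) {
    '{0,-12} -> {1}' -f $v.Name, (Get-BitLockerAction -Volume $v)
}
# Same check without the TPM, which short-circuits every other branch:
'no-tpm       -> {0}' -f (Get-BitLockerAction -Volume $samples[0] -TpmPresent $false)
```

On a real machine the same function can be run as `Get-BitLockerAction -Volume (Get-BitLockerVolume -MountPoint C:) -TpmPresent (Get-Tpm).TpmPresent` to see which branch the script would take before scheduling it.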

I really appreciate this Carl T. Tremendously helpful and I can't wait to try it out.

Does anyone know why I'm not finding the ability to create custom fields under the Automation tab? I'm running the free license for 2 users (to try this out long term before we purchase this and push it company-wide) so I'm wondering if that's the reason. We're not quite ready for the timed trial, but if this is something to add to the list of things to do during the trial (along with remote access) then that's fine, I'm just looking for confirmation on that.

I'm looking at both the browser version of Pulseway as well as the Android version and I'm just not seeing it.
