Jump to content

A How to Guide on Managing Bitlocker Encryption with Pulseway


Carl T

Recommended Posts

A number of folks have requested the ability to manage bitlocker with Pulseway, so I thought I would share how I am doing this with Powershell scripts and Pulseway's custom fields feature. 

First, you will need to create a custom fields in Pulseway (Automation Tab --> Custom Fields). This fields should be a text variable that has the system context. I personally have 3, BitlockerKey, Protection Status (On/Off), and BitLockerVolumeStatus. BitlockerKey is probably the one most people will care about. . 

image.png.7df3b09cd4bb052e976c4122fb273cac.png

After Configuring the Custom fields, you will then need to create your PowerShell script. Notice you have inputs and outputs. You will want to click New for output. Name it what you wish, ensure it is a text variable type, and then turn on "set Custom Field Value"

image.png.1d370e8645f049607d6737568ed275a2.png

Now we toggle the flag for it being a windows powershell script. You should see in the top that it has created a comment #outputs with your defined output variable assigned the default value you gave it. 

Now we have our script: Update as of 4/18/2021, script now tracks 3 custom fields and will account for if a drive is encrypted but protection is off and no protectors have been added yet.

# Outputs
$ProtectionStatus = "na"
$recoveryKey = "na"
$VolumeStatus = "na"
#region functions
function Start-BitlockerEnable {
    Enable-BitLocker -MountPoint c: -EncryptionMethod XtsAes128 -UsedSpaceOnly -TpmProtector
    $today = Get-Date
    $scheduledtime = $today.Date.AddHours(23)
    [int]$SecondsToMidnight = ($scheduledtime - $today).TotalSeconds
    shutdown /r /t $SecondsToMidnight
    msg.exe * "Bitlocker Encryption has been enabled. A reboot is needed before the encryption will apply and has been scheduled for $scheduledtime local time. You can reboot before this if you prefer."
    #start-sleep 90
    #msg.exe * "This Computer will reboot in 30 seconds to bitlocker Encryption"
    #start-sleep 30
    #Restart-computer -force
}
#endregion functions

#region execution
$BitLockerStatus = Get-BitLockerVolume -MountPoint c:
if ((Get-Tpm).tpmpresent -eq $true) {
    #If Volume is in the process of encrypting or decrypting the Volume status will not say fully. Don't make changes when it changes
    if (($BitLockerStatus.ProtectionStatus -match 'off') -and ($bitlockerstatus.VolumeStatus -notmatch 'progress')) {
        #NoBitlocker is enabled so run it.
        if ($BitLockerStatus.VolumeStatus -eq 'FullyDecrypted') {
            $recoverykey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
            if(!($recoveryKey)){
                Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
            }
            $newStatus = Get-BitLockerVolume -MountPoint c:
            $recoverykey = $newStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
            if ($newStatus.KeyProtector -match 'Recovery') {
                Start-BitlockerEnable
            }
        }
        #Bitlocker must be Partially enabled where drive is fully encrypted, but protection is off and no protectors exist.
        #Typically this is using xtsAES128 so you may wish to disable-bitlocker, then re-enable it with your protectors and prefered encryption level.
        else{
            Disable-BitLocker -MountPoint 'c:'
            $decryptInProgress = $true 
            While($decryptInProgress -eq $true){
                $decryptstatus = Get-BitLockerVolume -MountPoint 'c:'
                if($decryptstatus.VolumeStatus -match 'progress'){
                    Start-Sleep 2
                }
                else{
                    $decryptInProgress = $false
                }
            }
            Add-BitLockerKeyProtector -MountPoint c: -RecoveryPasswordProtector
            $newStatus = Get-BitLockerVolume -MountPoint c:
            $recoverykey = $newStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
            Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
            if ($newStatus.KeyProtector -match 'Recovery') {
                Start-BitlockerEnable
            }
        }
    }
    #BitLocker should already be enabled so log keys, volume status etc. 
    else {
        $recoverykey = $BitLockerStatus.KeyProtector | Select-Object -ExpandProperty recoverypassword
        $ProtectionStatus = $BitLockerStatus.ProtectionStatus
        $VolumeStatus = $BitLockerStatus.VolumeStatus
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable ProtectionStatus ""$ProtectionStatus""") -Wait
        Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable VolumeStatus ""$VolumeStatus""") -Wait
    }
}
else {
    $recoverykey = 'NoTpm'
    Start-Process -FilePath "$env:PWY_HOME\CLI.exe" -ArgumentList ("setVariable recoveryKey ""$recoveryKey""") -Wait
}
#endregion execution

You can modify the above script as you wish. I personally have gone with a bit of a cautious approach where it will not skip the hardware check which will reboot the pc, but for me I prefer this approach to having it encrypt the drive without checking tpm is all good which could then result in the drive being encrypted and locking out the end user. 

 

At the end of all this, you now should be able to Both Enable bitlocker encryption as well as pull your recovery keys from pulseway like so :

image.png.55c716a1614c678458c6340fa85a3b16.png
 

Edited by Carl T
Few word edits.
Link to comment
Share on other sites

  • 2 months later...

I really appreciate this Carl T. Tremendously helpful and I can't wait to try it out.

Does anyone know why I'm not finding the ability to create custom fields under the Automation tab? I'm running the free license for 2 users (to try this out long term before we purchase this and push it company-wide) so I'm wondering if that's the reason. We're not quite ready for the timed trial, but if this is something to add to the list of things to do during the trial (along with remote access) then that's fine, I'm just looking for confirmation on that.

I'm looking at both the browser version of Pulseway as well as the Android version and I'm just not seeing it.

Link to comment
Share on other sites

  • 2 months later...
  • 2 months later...
On 10/19/2021 at 3:04 PM, Janet said:

Hi,

Where I can add the variable?

I believe there was a mistake in the guide which I think applies to you.

In the guide, where it says:

On 4/16/2021 at 11:21 AM, Carl T said:

... After Configuring the Custom fields, you will then need to create your PowerShell script. Notice you have inputs and outputs. You will want to click New for output. Name it what you wish, ensure it is a text variable type, and then turn on "set Custom Field Value"

image.png.1d370e8645f049607d6737568ed275a2.png

You actually don't want the Output name to be anything other than what matches the variable(s) in the script. For this guide, you would want to name the Output either ProtectionStatus, recoveryKey, or VolumeStatus. You'll notice after you create the Output, its name is a variable at the top of your script. I simply removed the already mentioned (same-named) variable from the top of Carl T's original script. The alternative to all of this is you can change the script's variable names to match your Output name but that's extra effort.

I should note that the names of custom fields can be whatever you'd like, those don't have to match anything.

Edited by Fred_BD
Link to comment
Share on other sites

  • 2 months later...

I am having an issue where nothing is put into the custom variables.  Through trial and error running the commands in Powershell, I see that the commands that run CLI.exe give an error "Missing Pulseway execution cookie".  I'm assuming there's something I'm missing?  I was able to produce this error by adding -NoNewWindow to the end of the CLI.exe statements, otherwise it wouldn't report the error.

Ex. Start-Process -FilePath "C:\Program Files\Pulseway\CLI.exe" -ArgumentList ("setVariable recoverykey ""$recoverykey""") -Wait -NoNewWindow

Edit:

So I figured out what caused this error, I have the Powershell User Impersonation enabled to a domain account.  When I unchecked that box, everything worked.

Edited by Jason Hollinden
Link to comment
Share on other sites

  • 4 months later...
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...