
Wednesday, June 3, 2015

Powershell - Script generates CSV with computer names and bitlocker recovery key and TPM-OwnerInformation

So here at work we're in the process of Bitlocking 'important' users' laptops and, to help keep track and poll AD, I went looking for a PowerShell script to accomplish this.  I found a script here: https://gallery.technet.microsoft.com/ScriptCenter/4231a8a1-cc60-4e07-a098-2844353186ad/

Props to Jan Egil Ring for creating the first iteration using Quest's PowerShell add-ons back in 2010; his relevant blog post is http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell/

I don't use the QAD tools anymore, so I went to work on reconfiguring the script to run natively.


So this script generates a CSV with all computer objects running Windows 7 or 8, pulls the msTPM-OwnerInformation and msFVE-RecoveryInformation, and marks the columns for the recovery key and TPM owner as either True or False.

Anyway here's the meat:



# NAME: Get-BitlockerEnabledComputer.ps1
#
# EDITED BY: Benjamin Hart
# EMAIL: Invalid.path@gmail.com
#
# COMMENT: Script to retrieve BitLocker information for all computer objects with Windows 7 or Windows 8 in the current domain.
#          The information will be exported to a CSV file containing the following columns:
#          -ComputerName
#          -OperatingSystem
#          -HasBitlockerRecoveryKey
#          -HasTPM-OwnerInformation
#
#          Required version: Windows PowerShell 2.0 or later with the ActiveDirectory module (RSAT)
#          Required privileges: Read permission on msFVE-RecoveryInformation objects and read permission on msTPM-OwnerInformation on computer objects (e.g. Domain Admins)
#

Import-Module ActiveDirectory

# Custom variables
$CsvFilePath = "path_to_csv"   # use a full filesystem path: the script switches to the AD: drive below

Set-Location AD:

# Every msFVE-RecoveryInformation object lives directly under the computer object it belongs to,
# so the second CN= component of its distinguished name is the computer name.
$bitlockerenabled = Get-ADObject -LDAPFilter '(objectclass=msFVE-recoveryInformation)' -Properties cn,distinguishedname | ForEach-Object {
    (($_.DistinguishedName -split ",?CN=")[2] -split ",")[0]
}

$computers = Get-ADComputer -Filter * -Properties cn,OperatingSystem,msTPM-OwnerInformation |
    Where-Object { $_.OperatingSystem -like "Windows 7*" -or $_.OperatingSystem -like "Windows 8*" } |
    Sort-Object msTPM-OwnerInformation

# Create array to hold computer information
$export = @()

Read-Host "Created array"

foreach ($computer in $computers) {
    # Create custom object for each computer
    $computerobj = New-Object -TypeName psobject

    # Add name and operating system to custom object
    $computerobj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $computer.Name
    $computerobj | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value $computer.OperatingSystem

    # Set HasBitlockerRecoveryKey to true or false by looking the computer name up in the list of
    # computers that own recovery objects (exact, case-insensitive match rather than a substring
    # regex, so PC1 is not reported as encrypted just because PC10 is)
    if ($bitlockerenabled -contains $computer.cn) {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $true
    }
    else {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasBitlockerRecoveryKey -Value $false
    }

    # Set HasTPM-OwnerInformation to true or false, based on the msTPM-OwnerInformation on the computer object
    if ($computer."msTPM-OwnerInformation") {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $true
    }
    else {
        $computerobj | Add-Member -MemberType NoteProperty -Name HasTPM-OwnerInformation -Value $false
    }

    # Add the computer object to the array with computer information
    $export += $computerobj
}

# Sort first, then export: Export-Csv produces no pipeline output, so a Sort-Object placed after it never runs
$export | Sort-Object 'HasTPM-OwnerInformation' -Descending | Export-Csv -Path $CsvFilePath -NoTypeInformation
Read-Host "Exported csv"
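The header above lists the privileges the script needs, and suggests Domain Admins as the easy way to get them. The recovery objects it reads carry the msFVE-RecoveryPassword attribute, i.e. the 48-digit password that unlocks the disk, so the account that runs the inventory should be able to read exactly those objects and nothing more. The following is an added example of delegating that read, not code from the post or from the script above; "OU=Laptops,DC=contoso,DC=com" and the group "BitLockerReaders" are placeholders for your own OU and group.

```powershell
# Added example (not part of the original post): grant one group read access to
# msFVE-RecoveryInformation objects beneath an OU, so the inventory script can run
# without Domain Admins. OU and group names below are placeholders.
Import-Module ActiveDirectory

$ouDn     = "OU=Laptops,DC=contoso,DC=com"             # placeholder OU
$group    = Get-ADGroup -Identity "BitLockerReaders"   # placeholder group
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class; the ACE is scoped
# to that object class, so the group gets no read on computers, users, or anything
# else beneath the OU.
$classObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID    # schemaIDGUID comes back as a byte array

# GenericRead on descendant objects of that class only. GenericRead on a recovery
# object includes msFVE-RecoveryPassword, so treat membership of this group as
# equivalent to holding every recovery password under the OU.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Show the resulting ACE so the change can be reviewed, and later audited or revoked
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\BitLockerReaders" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run it once as an account that can modify the OU's security descriptor, then run the inventory script as a member of the delegated group. Because the ACE is tied to the class GUID, the InheritedObjectType column in the final listing should show the msFVE-RecoveryInformation GUID rather than an empty GUID; an empty one would mean the read was granted on every child object, which is not what you want for this data.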

Monday, May 4, 2015

BitLocking an SSD

So today we ran into an issue encrypting an HP Z230 desktop with BitLocker.  The desktop did have a TPM chip, which was enabled.  The tech went through the typical Bitlocking steps: enabling, performing the BL check, and then it prompted for a reboot like normal.
Here's where it gets a little sticky: upon reboot the user was presented with an F1 to enter the BIOS.  I do not know whether or not that was a function of Bitlocking since I have not tried it myself on a Z230, but he assures me the TPM was enabled and functioning properly, which I believe, since if the TPM is disabled or otherwise unusable then BL should have cancelled itself or otherwise complained.


Anyway after that it proceeded to blue screen.  Inspecting the disk inside the BIOS results in:

Nice huh?  I had him reset the BIOS to defaults, no help. Changed SATA ports, no help. Changed from AHCI to SATA mode, disabled TPM, disabled Secure Boot.. nothing helped.  There is no recovery info in AD, nor could the drive technically be encrypted, because this was one reboot and encryption takes many hours.

He is currently trying to slave it onto a machine with Samsung Magician installed just to see what their own utility reports.

In Googling I found https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/  and http://superuser.com/questions/700009/how-do-i-encrypt-samsung-840-ssd-with-bitlocker

Now from what I have read it's not just Samsung related, but they are popular so it stands to reason more people using them = more people encrypting.

I will obtain a test ssd and perform my own spelunking however this has stopped my plans for encrypting my own Z230 ;)

Friday, May 1, 2015

BitLocker - A short story on how to setup in a domain.

BitLocker, in case you've never heard of it, is a data encryption method developed by Microsoft for use on the 'recent' Windows platforms. OS requirements include:

Windows Vista/7 - Ultimate and Enterprise
Windows 8/8.1/2008/Later - Professional and Enterprise


BitLocker meets FIPS 140-2 using AES encryption.

Now having recently gone through this in my own company I can say it was MUCH less painful than I ever thought it could have been.  First off, make sure your domain is at least at a functional level of 2008.  If you are still on a 2003 level you will need to extend the schema.  I did not have to, so you'd need to Google-Fu up the procedures for doing that.


Now one of the first things I did was go here:
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

I used the Add-TPMSelfWriteACE.vbs script to make sure the access control entry for TPM in AD was created.

  1. Download and review Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133) from the download page.
  2. Modify Add-TPMSelfWriteACE.vbs as appropriate for your environment.
  3. Type the following at a command prompt, and then press ENTER:
    cscript Add-TPMSelfWriteACE.vbs
Then I created the GPO that would require the Recovery Key to be stored within AD:


Now quite honestly, once those were done I took a test laptop and enabled the TPM within the BIOS.  I enabled BitLocker and let it do the hardware check.  It rebooted once, came back up and proceeded to encrypt the drive, which took about 6 hours for a 500 GB drive.

Once complete I verified the Recovery Key was stored in AD under the computer object:



Boom, done.  I didn't really notice any performance hit after the encryption process completed; admittedly this is not my main machine, so I need to use it for a while to better gauge that.
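The two things worth checking on any machine after this procedure are the ones the inventory script in the June post reports on (TPM present, recovery object present under the computer account) and the verification step just described. The block below is an added example of doing both checks from PowerShell rather than by eye in ADUC; it is not the post's own code. It assumes the OS volume is C:, that the BitLocker and TrustedPlatformModule modules are available (Windows 8 / Server 2012 and later, so not the Windows 7 clients the script targets), and that the AD lookup is run where the RSAT ActiveDirectory module is installed. It deliberately never prints the recovery password itself, only the name and creation time of the object that holds it.

```powershell
# Added example (not part of the original post). Run on the encrypted client as an
# administrator: confirm the TPM is usable, make sure the OS volume has a numerical
# recovery password protector, and escrow it to AD (the GPO does this automatically
# when encryption starts; this is the manual equivalent for a machine that was
# encrypted before the GPO applied, or whose object in AD is missing).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; fix that in the BIOS before enabling BitLocker."
}

$volume = Get-BitLockerVolume -MountPoint "C:"
$recoveryProtectors = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    # No recovery password at all means nothing can be stored in AD: add one first
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Back every recovery password protector up to the computer's AD object
foreach ($protector in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $protector.KeyProtectorId
}

# Verification, from a box with RSAT: the msFVE-RecoveryInformation object must sit
# directly under the computer object, which is also the relationship the inventory
# script relies on when it parses the recovery object's distinguished name.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME   # substitute a name when run remotely
$stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated

if (-not $stored) {
    Write-Warning "No recovery information stored in AD for $($computer.Name)"
}
else {
    # Name (date + protector GUID) and creation time only; the password attribute is not read
    $stored | Select-Object Name, whenCreated
}
```

The Name of each recovery object starts with the time it was written and ends with the key protector GUID, so you can match it to the KeyProtectorId shown by Get-BitLockerVolume on the client. Several objects under one computer are normal after a protector has been regenerated; what you want to avoid is a computer that reports an encrypted C: but has none.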