BitLocker PowerShell
Drive encryption and Entra ID upload
```powershell
<#
.NOTES
-------------------------------------------------
Created on: 22.07.2024
Created by: Michael Frank
Organization: [Company]
Filename: [File].ps1
Updated on: 22.07.2024
Version: 1.0.0
-------------------------------------------------
.DESCRIPTION
This script checks every fixed drive for encryption, encrypts the unencrypted ones and uploads the recovery passwords to Entra ID.
#>
# Gets fixed drives with no volume label, so that mounted cloud drives (Google Drive, for example) are skipped
$drives = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq "Fixed" -and $_.VolumeLabel -eq "" } | Select-Object Name, DriveType, VolumeLabel, TotalSize, AvailableFreeSpace

# Loops through all drives and checks if they are encrypted
foreach ($drive in $drives) {
    # DriveInfo.Name is "C:\", the BitLocker cmdlets expect the mount point "C:"
    $mountPoint = $drive.Name.TrimEnd('\')
    $bit = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
    # Get-BitLockerVolume returns an object for every volume, also for unencrypted ones,
    # so the encryption state has to be checked explicitly instead of testing for $null
    if (-not $bit -or $bit.VolumeStatus -eq "FullyDecrypted") {
        # Encrypts the drive with XTS-AES 256 and a 48-digit recovery password.
        # -RecoveryKeyProtector would create a key file (and needs -RecoveryKeyPath); only a
        # RecoveryPassword protector can be backed up to Entra ID.
        Enable-BitLocker -MountPoint $mountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
        # The OS volume additionally needs a TPM protector, otherwise every boot asks for the recovery password
        if ($bit.VolumeType -eq "OperatingSystem") {
            Add-BitLockerKeyProtector -MountPoint $mountPoint -TpmProtector
        }
    }
    # Re-read the volume so that the protectors created above are visible
    $bit = Get-BitLockerVolume -MountPoint $mountPoint
    # Uploads every recovery password of the volume to Entra ID
    $recoveryPasswordProtectors = $bit.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($protector in $recoveryPasswordProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $protector.KeyProtectorId
    }
}
```
Encryption strength remediation
This is a remediation script for the BitLocker encryption strength. If your systems are encrypted with AES 128 bit or not encrypted at all, this script remediates them to XTS-AES 256 bit (reported as XtsAes256 by Get-BitLockerVolume, which is the value the detection script checks for). Weaker defaults sometimes happen if you buy from large vendors like HP or Dell. The remediation removes the recovery password policy during re-encryption, so you still need to add and upload the recovery key to Entra ID or AD after this, for example with the script above.
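Before rolling the detection and remediation scripts out, it helps to see on one machine which of the three conditions the scripts on this page care about (encryption method, protection state, and the protectors present) a volume actually fails. The audit function below is an added example and not part of the original page or the author's scripts; the function name `Get-BitLockerAudit` and the `$RequiredMethod` parameter are assumptions for illustration. It only reads state and changes nothing, and the trailing lines show how to use it as an Intune detection script (exit 1 means "remediate").

```powershell
# Added example (not from the original page): read-only audit of every BitLocker volume.
# Function name and the $RequiredMethod parameter are assumptions for illustration.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # Value as reported by Get-BitLockerVolume for XTS-AES 256 (the default on Windows 10 1511+)
        [string]$RequiredMethod = 'XtsAes256'
    )

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector is empty on a volume that was never encrypted
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasRecoveryPassword = $types -contains 'RecoveryPassword'
        # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all count as TPM-based unlock
        $hasTpm = @($types | Where-Object { "$_" -like 'Tpm*' }).Count -gt 0

        # Only the OS volume has to be TPM-unlocked; data volumes are usually auto-unlocked
        $tpmOk        = if ($vol.VolumeType -eq 'OperatingSystem') { $hasTpm } else { $true }
        $methodOk     = ($vol.EncryptionMethod -eq $RequiredMethod)
        # "On" with EncryptionInProgress is fine for a fresh rollout; FullyEncrypted is the end state
        $protectionOk = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')

        [PSCustomObject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            EncryptionMethod    = $vol.EncryptionMethod
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            KeyProtectorTypes   = ($types -join ',')
            HasRecoveryPassword = $hasRecoveryPassword
            Compliant           = ($methodOk -and $protectionOk -and $tpmOk -and $hasRecoveryPassword)
        }
    }
}

# Usage as an Intune detection script: print the table for the log and exit 1 if anything is non-compliant
$report = Get-BitLockerAudit
$report | Format-Table -AutoSize | Out-String | Write-Host
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

A volume encrypted with a TPM protector only (which is what the remediation script below produces before a recovery password is added) shows up here with `HasRecoveryPassword = False`, which is exactly the state in which a key upload to Entra ID would have nothing to upload.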
Detection
```powershell
<#
.NOTES
-------------------------------------------------
Created on: 27.07.2024
Created by: Michael Frank
Organization: [Company]
Filename: aes256_encryption_detection.ps1
Updated on: 27.07.2024
Version: 1.0.0
-------------------------------------------------
.DESCRIPTION
Script checks if the OS disk is encrypted with XTS-AES 256. Exit code 1 triggers the remediation script.
#>
# Gets OS drive (an unprotected OS drive is filtered out, so $osdrive is $null then)
$osdrive = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq "On" -and $_.VolumeType -eq "OperatingSystem" } | Select-Object MountPoint, EncryptionMethod
# "-not $x -eq 'y'" would negate $x first and then compare a boolean to a string, so it would never
# be true and the remediation would never run. Compare with -ne instead; $null -ne "XtsAes256" is
# also true, which covers the "not encrypted at all" case.
if ($osdrive.EncryptionMethod -ne "XtsAes256") {
    # Remediation runs
    exit 1
} else {
    # Remediation does not run
    exit 0
}
```
Remediation
```powershell
<#
.NOTES
-------------------------------------------------
Created on: 27.07.2024
Created by: Michael Frank
Organization: [Company]
Filename: aes256_encryption_remediation.ps1
Updated on: 27.07.2024
Version: 1.0.0
-------------------------------------------------
.DESCRIPTION
Script re-encrypts the OS drive with XTS-AES 256. A drive that is already encrypted with another method is decrypted first.
#>
# Gets OS drive
$osdrive = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq "On" -and $_.VolumeType -eq "OperatingSystem" }
# Checks if BitLocker is even on and if so, disables it
if ($osdrive.ProtectionStatus -eq "On") {
    # If the volume that hosts the operating system contains any automatic unlocking keys, Disable-BitLocker does not proceed. Clear-BitLockerAutoUnlock removes all automatic unlocking keys.
    Clear-BitLockerAutoUnlock
    # Decrypt OS drive (Disable-BitLocker only starts the decryption and returns immediately)
    Disable-BitLocker -MountPoint $osdrive.MountPoint
    # Wait until the decryption has finished; Enable-BitLocker fails on a volume that is still decrypting
    # and a fixed sleep is not enough on large or slow disks. Give up before the Intune script timeout.
    $deadline = (Get-Date).AddMinutes(55)
    do {
        Start-Sleep -Seconds 30
        $status = (Get-BitLockerVolume -MountPoint $osdrive.MountPoint).VolumeStatus
    } while ($status -ne "FullyDecrypted" -and (Get-Date) -lt $deadline)
    if ($status -ne "FullyDecrypted") {
        Write-Host "Decryption of $($osdrive.MountPoint) did not finish in time ($status)." -ForegroundColor Red
        exit 1
    }
    # Removes these 2 BitLocker policy values, so that the next time the system starts it doesn't prompt for a
    # recovery password and doesn't require an AD backup. -ErrorAction avoids an error when the value is not set.
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "OSRecoveryPassword" -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "OSRequireActiveDirectoryBackup" -ErrorAction SilentlyContinue
}
else {
    # If BitLocker is not active yet, $osdrive has no value and the next command would fail.
    $osdrive = [PSCustomObject]@{
        MountPoint = $env:SystemDrive
    }
}
# Enable BitLocker again with XTS-AES 256, only on used space. Without -SkipHardwareTest the encryption would
# only start after the next restart and Get-BitLockerVolume would still report the old state below.
Enable-BitLocker -MountPoint $osdrive.MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
# A TPM-only volume has no recovery password; add one so that it can be uploaded to Entra ID or AD afterwards
Add-BitLockerKeyProtector -MountPoint $osdrive.MountPoint -RecoveryPasswordProtector | Out-Null
$osdrive = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq "OperatingSystem" }
if ($osdrive.EncryptionMethod -eq "XtsAes256") {
    # success
    Write-Host "OS drive $($osdrive.MountPoint) is being encrypted with XTS-AES 256." -ForegroundColor Green
    exit 0
}
else {
    # failed
    exit 1
}
```