Automox Worklet: Enforce BitLocker Encryption

The following Automox Worklet allows you to enforce BitLocker encryption on Windows endpoints.

The Evaluation code queries BitLocker status for every volume on the target device (Get-BitLockerVolume returns BitLocker volumes, not physical disks). A volume counts as encrypted when its protection status is On or encryption is still in progress; a volume whose protection has been suspended (ProtectionStatus Off while VolumeStatus is FullyEncrypted) is counted as unencrypted. If every volume is encrypted the script returns Compliant (exit 0); otherwise it returns Non-Compliant (exit 1).


Important Note: This Worklet requires PowerShell 4.0 or later and Windows 8 or later (the BitLocker PowerShell module) to run properly.

To deploy this endpoint hardening Worklet, do the following:

  1. Log in to your Automox Console.
  2. Navigate to the System Management page and click Create Policy in the upper right-hand section of the screen.
  3. Choose Windows under Worklet.


4. Copy and paste the Evaluation and Remediation code from below. The evaluation code keeps you apprised of each device's ongoing compliance and flags non-compliant devices for remediation. The remediation code enforces this setting on the schedule you define.

5. Change the values as described in the code so that they match your needs. 

Note that the remediation code has one editable variable ($keyPath), which defines where the recovery key is written. The recovery key is necessary to unlock the drive if the normal unlock path is ever unavailable, so it must be preserved. The Worklet first runs a check similar to the evaluation code to enumerate each volume that is still fully decrypted, then starts encryption on each of those volumes with a recovery password protector and writes the recovery key ID and recovery password to a text file in the specified location. Two caveats before deploying it as-is: the recovery password is written in cleartext to a local folder on the very machine it protects, so it must be collected and removed (or escrowed to AD DS or Azure AD with Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector) as part of your process; and the script uses only a recovery password protector with the legacy Aes128 method, whereas production deployments normally add a TPM protector for the operating system volume so it boots unattended, and use XtsAes128 or XtsAes256, which are available on Windows 10 version 1511 and later.

Evaluation:

# Get BitLocker status for all volumes. If the query fails (for example the
# BitLocker module is missing) report Non-Compliant rather than silently
# treating zero volumes as "all encrypted".
try { $encryption = Get-BitLockerVolume -ErrorAction Stop }
catch {
    Write-Output "Unable to determine BitLocker status: $($_.Exception.Message)"
    Write-Output "Non-Compliant"
    exit 1
}
 
# Count volumes and initialize lists for later output
$numDrives = @($encryption).Count
$encCount = 0
$encrypted = @()
$unencrypted = @()
 
# Loop through each volume and see whether it is protected or not.
# A volume counts as encrypted if protection is On or encryption is in
# progress; a suspended volume (protection Off, FullyEncrypted) does not.
# Add each one to the appropriate list, Encrypted or Unencrypted.
foreach ($drive in $encryption) {
    $encStatus = $drive.ProtectionStatus
    $encInProgress = $drive.VolumeStatus
    if ( ($encStatus -eq 'On') -or ($encInProgress -eq 'EncryptionInProgress') ) {
        $encrypted += $drive.MountPoint
        $encCount++
    } else {
        $unencrypted += $drive.MountPoint
    }
}
 
# Output volume statuses so they can be seen in the Activity Log
Write-Output "Encrypted Drives: $encrypted`n"
Write-Output "Unencrypted Drives: $unencrypted`n"
 
# Compliant only if the number of encrypted volumes
# matches the total number of volumes
if ($encCount -eq $numDrives) {
    Write-Output "Compliant"
    exit 0
} else {
    Write-Output "Non-Compliant"
    exit 1
}
 
 

Remediation:

# Define where you want your Recovery Key to be exported.
# Note that this needs to be a local (non-network) drive, and that the
# cleartext recovery password left here must be collected and removed
# (or escrowed to AD DS / Azure AD) once encryption has been enabled.
$keyPath = 'C:\temp'
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -ItemType Directory -Force | Out-Null
}
 
# VolumeStatus is 'FullyDecrypted' for a volume that is not encrypted
$toEncrypt = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' }
 
# Loop through each unencrypted volume,
# enable BitLocker and export its recovery key
foreach ( $drive in $toEncrypt ) {
    $driveLetter = $drive.MountPoint.Replace(':','')
    $keyFile = "$keyPath\BitlockerRecoveryKey_$driveLetter.txt"
    try {
        # Enable BitLocker with a recovery password protector.
        # -ErrorAction Stop makes a cmdlet failure reach the catch block.
        Enable-BitLocker -MountPoint $driveLetter -EncryptionMethod Aes128 -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        
        # Select the recovery password protector explicitly: KeyProtector is an
        # array and may contain other protector types as well
        $recProtector = (Get-BitLockerVolume -MountPoint $driveLetter).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object -First 1
        $recID = $recProtector.KeyProtectorId
        $recKey = $recProtector.RecoveryPassword
 
        # Export Key ID and Key to a file
        Set-Content -Path $keyFile -Force -Value "Recovery Key ID: $recID"
        Add-Content -Path $keyFile -Value "Recovery Key: $recKey"
        Write-Output "Encryption started on $($drive.MountPoint); recovery key written to $keyFile"
    } catch {
        Write-Output "Unable to Encrypt $($drive.MountPoint): $($_.Exception.Message)"
    }
}
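A hardened variant of the remediation step, added here as an example and not part of the Automox Worklet above. It uses a TPM protector for the operating system volume when the TPM is ready, adds the recovery password as a second protector, encrypts with XtsAes256 (Windows 10 version 1511 and later), and escrows the recovery password to Active Directory with Backup-BitLockerKeyProtector instead of leaving it in a local text file. It assumes a domain-joined device whose domain has BitLocker recovery information storage enabled; $fallbackPath and the function names are assumptions used only for this example.

```powershell
# Added example (not part of the Automox Worklet): hardened BitLocker enablement.
# Assumptions: domain-joined device with AD DS recovery-information backup enabled.
# $fallbackPath is a hypothetical location used only if AD DS escrow fails.
$fallbackPath = 'C:\ProgramData\BitLockerEscrowFallback'

function Test-TpmReady {
    # Get-Tpm comes from the TrustedPlatformModule module (Windows 8 and later)
    try { return [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch { return $false }
}

function Enable-HardenedBitLocker {
    param([Parameter(Mandatory)] $Volume)

    $mp = $Volume.MountPoint
    if ($Volume.VolumeType -eq 'OperatingSystem') {
        if (-not (Test-TpmReady)) {
            throw "TPM not ready on $mp; refusing to protect the OS volume with a recovery password alone"
        }
        # The TPM protector lets the OS boot unattended; -SkipHardwareTest starts
        # encryption now instead of after a reboot-time hardware test.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector `
            -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop | Out-Null
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    } else {
        # Data volume: recovery password protector, then auto-unlock from the OS volume
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector `
            -UsedSpaceOnly -ErrorAction Stop | Out-Null
        $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
        if ($os.ProtectionStatus -eq 'On') {
            Enable-BitLockerAutoUnlock -MountPoint $mp -ErrorAction Stop | Out-Null
        } else {
            Write-Output "$mp : OS volume not yet protected, auto-unlock skipped"
        }
    }

    # Pick the recovery password protector explicitly (KeyProtector is an array)
    $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $rp) { throw "No recovery password protector found on $mp" }

    # Escrow to AD DS. Only if that fails, write a fallback file restricted to
    # SYSTEM and Administrators that an administrator must collect and delete.
    try {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "$mp : recovery password $($rp.KeyProtectorId) escrowed to AD DS"
    } catch {
        New-Item -Path $fallbackPath -ItemType Directory -Force | Out-Null
        $file = Join-Path $fallbackPath ("RecoveryKey_{0}.txt" -f $mp.TrimEnd(':'))
        Set-Content -Path $file -Force -Value "ID: $($rp.KeyProtectorId)`nKey: $($rp.RecoveryPassword)"
        # Remove inherited ACEs and grant only SYSTEM and the local Administrators group
        icacls $file /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
        Write-Output "$mp : AD DS escrow failed ($($_.Exception.Message)); key written to $file"
    }
}

# Handle the operating system volume before any data volumes, since data-volume
# auto-unlock depends on the OS volume already being protected.
$pending = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' } |
    Sort-Object { $_.VolumeType -ne 'OperatingSystem' }

foreach ($vol in $pending) {
    try { Enable-HardenedBitLocker -Volume $vol }
    catch { Write-Output "Unable to encrypt $($vol.MountPoint): $($_.Exception.Message)" }
}
```

Run it as SYSTEM (as Automox does) on a test device first: the TPM check deliberately refuses to protect an OS volume with only a recovery password, because that configuration prompts for the 48-digit password at every boot and is the first thing a help desk will disable.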
 
 

6. Click Create Worklet.
7. Assign Worklet to a group or multiple groups and click Save Changes.
8. Execute the Worklet by clicking the Execute Policy Now button.

If you need technical assistance, contact our support team at support@automox.com.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure. 

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
