
Enable Bitlocker

Paul Fuggles Member
edited June 20 in Solutions

Product Name: Enable Bitlocker

Description: 2 agent procedures to check if Bitlocker can be enabled, check the hard drive configuration, perform the necessary steps to turn it on, and capture the status and recovery password to custom fields

Instructions:

Create 2 custom fields called "Bitlocker Status" and "Bitlocker Recovery Key"

Import Procedure Get Bitlocker Status and Recovery Password.xml

Import Procedure Enable Bitlocker.xml

There is a readme in the zip with further information

Comments

  • Russ Stewart Member
    edited May 2018
    I will test shortly but I've been wanting this. Thanks to Kaseya for helping everyone with the leg work.
  • Jonathan Weaver
    edited May 2018
    Russ - I am in the middle of deployment to approximately 50 machines - things are going smoothly with this script.
  • matthew jordan
    edited September 2018

    Hi Russ, I seem to get an output of 0 on some machines (even though the script does enable Bitlocker). Have you ever seen that?

  • Phil Case Member
    edited September 2018

    I've seen this. I think it's because the format of the output can change so the steps which scan the output for the key string pick up the wrong line.

    I haven't had time to look into modifying the script and we don't use it on large numbers of clients so I've taken to connecting to the client through Liveconnect, and running the command line to pick up the key.

    c:\> manage-bde -protectors -get c:

    BitLocker Drive Encryption: Configuration Tool version 10.0.17134
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Volume C: [Windows]
    All Key Protectors

        Numerical Password:
          ID: {46545517-3597-4FBA-BF5C-xxxxxxxxxxxxxxxx}
          Password:
            440869-524645-375749-109890-574409-712613-513139-xxxxxx

        TPM:
          ID: {9217F44E-5592-4B43-86A3-FCAxxxxxxxxxxx}
          PCR Validation Profile:
            7, 11
            (Uses Secure Boot for integrity validation)

    Hope that helps or gives you a pointer

  • matthew jordan
    edited September 2018

    Awesome many thanks.

  • John Rutkowski Member CHOCOLATE MILK
    edited September 2018

    I'm getting a "The" in the Bitlocker Recovery Key field. This turns out to be a machine on which TPM is not enabled, hence it can't run Bitlocker. So some other logic needs to be added.

    The two files it created are 

    BITLOCKERSTATUS.TXT

    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: The volume C: could not be opened by BitLocker.
    This may be because the volume does not exist, or because it is not a valid
    BitLocker volume.

    BitlockerProtectors.TXT

    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: An error occurred (code 0x80070057):
    The parameter is incorrect.

  • Rod Wittig Member
    edited November 2018

    Has anyone figured out how to resolve the issue with the manage-bde -protectors -get c: output being different from machine to machine with this script? I have machines reporting the Numerical Password first and then the TPM. The result of this script is that on those machines I usually end up with either "(Uses" or a single number.


  • Daniel Voller Member CHOCOLATE MILK
    edited November 2018

    I haven't but I added an extra line to the script that grabs the text file it writes the output to and uploads to the vsa. Can then refer to it via the procedures get file section.

  • Jesse Donk Member
    edited November 2018

    I changed:

        Manage-bde -protectors -get c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    to:

        Manage-bde -protectors -get -type recoverypassword c: | Out-File "#AgentWorkingDirectoryPath#\BitlockerProtectors.txt"

    This way, only the recovery key is shown, and it's ensured that that is what you save to Kaseya.
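
A way to collect both custom-field values that avoids the parsing problems reported in this thread (the TPM and Numerical Password blocks changing order between machines, and the stray "The" captured from a machine whose TPM is not enabled), added here as an example; it is not part of the posted procedures or Kaseya's code. It assumes the BitLocker and TrustedPlatformModule PowerShell modules are present (Windows 8 / Server 2012 and later), that the procedure runs it elevated via an Execute PowerShell step, and the function names are my own. manage-bde.exe is used only as a fallback, and the 48-digit key is pulled out with a regex rather than by line position.

```powershell
# Added example, not part of the original procedures. Run elevated on the
# endpoint. Assumes the BitLocker and TrustedPlatformModule modules; function
# names are the author's own.
$ErrorActionPreference = 'Stop'

function Get-BitLockerReport {
    param([string]$MountPoint = 'C:')

    $report = [ordered]@{
        MountPoint        = $MountPoint
        TpmPresent        = $false
        TpmReady          = $false
        ProtectionStatus  = 'Unknown'
        VolumeStatus      = 'Unknown'
        EncryptionPercent = 0
        RecoveryPassword  = $null
        Note              = ''
    }

    # 1. TPM first: the stray "The" in the recovery-key field came from a
    #    machine without an enabled TPM, where manage-bde only printed an error.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $report.Note = "Get-Tpm failed: $($_.Exception.Message)."
    }

    # 2. Volume state from the BitLocker module rather than scraped manage-bde text.
    try {
        $bde = Get-BitLockerVolume -MountPoint $MountPoint
    } catch {
        $report.VolumeStatus = 'NotABitLockerVolume'
        $report.Note += " Get-BitLockerVolume failed: $($_.Exception.Message)."
        return [pscustomobject]$report
    }
    $report.ProtectionStatus  = [string]$bde.ProtectionStatus   # On / Off
    $report.VolumeStatus      = [string]$bde.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
    $report.EncryptionPercent = $bde.EncryptionPercentage

    # 3. Select the protector by type, never by position: the TPM and Numerical
    #    Password blocks appear in different orders on different machines.
    $rp = $bde.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    if ($rp) {
        $report.RecoveryPassword = $rp.RecoveryPassword
    } else {
        $report.Note += ' No RecoveryPassword protector on this volume.'
    }

    return [pscustomobject]$report
}

# Fallback for hosts without the BitLocker module: pull the 48-digit numerical
# password out of manage-bde output with a regex, so line order and wording
# do not matter. Returns $null when the volume is not a BitLocker volume.
function Get-RecoveryPasswordFromManageBde {
    param([string]$MountPoint = 'C:')
    try {
        $out = (& manage-bde.exe -protectors -get $MountPoint) -join "`n"
    } catch {
        return $null
    }
    if ($LASTEXITCODE -ne 0) { return $null }   # e.g. "could not be opened by BitLocker"
    $m = [regex]::Match($out, '\b(?:\d{6}-){7}\d{6}\b')
    if ($m.Success) { return $m.Value }
    return $null
}

$r = Get-BitLockerReport -MountPoint 'C:'
if (-not $r.RecoveryPassword) {
    $r.RecoveryPassword = Get-RecoveryPasswordFromManageBde -MountPoint 'C:'
}

# Values for the two custom fields named in the post. Status is only True when
# protection is on AND encryption has finished, so a half-encrypted disk does
# not report as protected.
$bitlockerStatus = if ($r.ProtectionStatus -eq 'On' -and $r.VolumeStatus -eq 'FullyEncrypted') { 'True' } else { 'False' }
$bitlockerKey    = if ($r.RecoveryPassword) { $r.RecoveryPassword }
                   elseif ($r.Note)         { "NONE ($($r.Note.Trim()))" }
                   else                     { 'NONE' }

"Bitlocker Status: $bitlockerStatus"
"Bitlocker Recovery Key: $bitlockerKey"
```

The two printed lines are what the procedure's Update System Info step would write to "Bitlocker Status" and "Bitlocker Recovery Key"; when no key exists the field carries a short reason (no TPM, not a BitLocker volume, no recovery-password protector) instead of a fragment of an error message. Treat the populated field as a secret: anyone who can read that custom field in the VSA can unlock the disk, so consider also escrowing the protector with Backup-BitLockerKeyProtector (to AD DS) or BackupToAAD-BitLockerKeyProtector, and restrict who can view the field.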

  • Rob.van.der.Meijden Member CHOCOLATE MILK
    edited January 2019

    On 1 PC it works fine but on another PC the procedure is not working and retries every 35 minutes. In the Bitlocker status field I get the error "Hard drive is not configured".

    In the agent procedure log I found the error: "response from BDEHDCFG (enable): BitLocker Drive Preparation Tool version 10.0.17763 Copyright (C) 2013 Microsoft Corporation. All rights reserved. BitLocker Drive Preparation Tool version 10.0.17763 Copyright (C) 2013 Microsoft Corporation. All rights reserved. The minimum size for the new partition is 1085 megabytes. Please specify a size of at least 1085. Example: -size 1085". The PC has only got 1 partition.

  • Dean Baldwin Member
    edited July 2019

    While this is recovering the Bitlocker key, it is not writing a true/false to the Bitlocker status field. Can you help with this?

  • DmitrijKondrasov Member, Managed Service Provider
    edited August 2019

    Is it possible to send email with Recovery Key and Machine ID?

  • jacky Member
    edited September 2019

    Hi, the script is not working for my machines. Is it due to the Windows version? Or do additional lines or commands have to be added to this script?

  • Devon Kimbrough
    edited February 2020

    For some reason after I upload the Enable Bitlocker XML file to Kaseya, it will not show in the procedures file tree. I've never had any issues uploading any other procedures. Has this happened to anyone else?

  • btrabaris@portebrown.com
    edited February 2020

    For a lot of the procedures on this website I have to download the XML and copy and paste the entire script into the import folder/procedure section.

  • CLAYTON HABLINSKI
    edited March 2021

    It's run against 7 machines so far and the attributes aren't being populated. Seeing this a lot in the procedure log: Error - unable to detect shell command results.

  • GlennHussein Member, IT Pro CHOCOLATE MILK

    Hard drive is not configured - any update on what to do with that error?

  • FordALT Member, Managed Service Provider CHOCOLATE MILK

    Getting this:
    FAILED in processing THEN step 10, Update System Info, with error Database access error, Failed SQL command: IF EXISTS (SELECT agentGuid FROM auditRsltManualFieldValues WHERE ((agentGuid = ?) AND (fieldNameFK IN (SELECT id FROM auditRsltManualFields WHERE ((fieldName = ?) AND (partitionId = (SELECT partitionId FROM machNameTab WHERE agentGuid = ?))))))) UPDATE auditRsltManualFieldValues SET fieldValue = ? WHERE ((agentGuid = ?) AND (fieldNameFK IN (SELECT id FROM auditRsltManualFields WHERE ((fieldName = (Line 19)