A quick post on how to check BitLocker compliance so that all computers using “Hardware” encryption are also marked as non-compliant, which can be useful after the recent security advisory for SSDs with hardware encryption:
https://redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx?fbclid=IwAR21wX_6S32eyqdRXDeoNqdjb6DZw8UPNXT_d2FQ8pdH52Jop9lvx7g6Tko
And the Security advisory from Microsoft on the topic.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028
This started with a discussion with Mattias Borg, @MattiasBorg82 – http://Sec-labs.com, and input from Robert Israelsson and the rest of System Center User Group Sweden – SCUG.SE. Awesome!
But only checking for Hardware encryption would not be any fun, so we check that encryption is enabled as well. That way all machines without BitLocker enabled are also flagged as “Non-compliant”, which is great as they also need attention, so we get a double benefit from the compliance check. If you want to check for just “Hardware” encryption, the values returned by PowerShell are:
None
Aes128Diffuser
Aes256Diffuser
Aes128
Aes256
Hardware
XtsAes128
XtsAes256
Unknown
You can also remove any encryption-methods that you shouldn’t be using from the list below so they are marked as non-compliant as well.
The PowerShell script:
# Only the operating system volume with protection turned on is considered; a suspended or unencrypted OS volume returns nothing here.
$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }
# Software encryption methods are compliant; Hardware, None and Unknown fall through to Default and are reported as non-compliant.
switch ($BitlockerVolume.encryptionmethod) {
    Aes128 { $true }
    Aes256 { $true }
    Aes128Diffuser { $true }
    Aes256Diffuser { $true }
    XtsAes128 { $true }
    XtsAes256 { $true }
    Default { $false }
}
We put that in a Configuration Item with the Settings type “Script” and Data type “Boolean”, as shown below.
With the following Compliance rule:
If we only want to catch drives with Hardware encryption, the PowerShell script can be edited to check only for that. (Haven’t tested it, I don’t have a disk with HW encryption.)
# Same selection as above: only the protected operating system volume is evaluated.
$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }
# Only Hardware encryption is flagged; every other method is treated as compliant.
switch ($BitlockerVolume.encryptionmethod) {
    Hardware { $false }
    Default { $true }
}
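The two scripts above can be combined into one detection script that keeps the allow-list of software methods, flags Hardware encryption, and explicitly handles the cases where no protected OS volume comes back (decrypted, suspended, or nothing returned) so the CI always receives exactly one Boolean. This is an added example, not the script shipped in the .cab; the function name and the $AllowedMethods list are my own.

```powershell
# Added example: compliance detection for a CI with Settings type "Script" and Data type "Boolean".
# Software methods that are accepted; remove any method you do not want in your environment.
$AllowedMethods = @('Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser', 'XtsAes128', 'XtsAes256')

function Test-BitLockerCompliance {
    param(
        [string[]]$Allowed = $AllowedMethods
    )

    # Only the operating system volume matters for this check; data volumes are ignored.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }

    # No OS volume object returned at all: report non-compliant so the device gets attention.
    if (-not $os) { return $false }

    # More than one OS volume is unexpected; treat it as non-compliant rather than guess which one to trust.
    if (@($os).Count -gt 1) { return $false }

    # Decrypted and suspended volumes both report ProtectionStatus Off and must not pass.
    if ($os.ProtectionStatus -ne 'On') { return $false }

    # Hardware (self-encrypting drive), None, Unknown and anything not on the list are non-compliant.
    return [bool]($Allowed -contains [string]$os.EncryptionMethod)
}

# The CI evaluates the script output, so emit exactly one Boolean and nothing else.
Test-BitLockerCompliance
```

Running the script manually on a BitLocker-enabled machine with a software method prints True; with hardware encryption, a suspended volume, or no BitLocker at all it prints False.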
The .cab file with the baseline and CI can be downloaded from GitHub: https://github.com/SweJorgen/SCCM-Configuration-Items
I hope this is useful
I wish I would have seen this earlier. I wrote a script earlier this morning to find any computers that had Hardware Encryption.
You can find it on my post below:
https://www.joseespitia.com/2018/11/07/sccm-script-to-identify-systems-vulnerable-to-adv180028/
Running SCCM 1806, imported the cab file and deployed to a test machine, but compliance rule comes back as an error.
If I run the PowerShell script manually, I get the following error: Invalid Character Line 1 Char 1
Nice! I took a slightly different approach using the same methodology, but I don’t think we have any hardware encryption machines in our environment either.
I used:
Get-WmiObject -Namespace "Root\cimv2\security\MicrosoftVolumeEncryption" -ClassName "Win32_EncryptableVolume" -Filter "DriveLetter = 'C:'" | Select-Object -ExpandProperty EncryptionMethod
This returns an integer, and I used a compliance rule to check that it’s not equal to 5. If it isn’t, it was compliant, and if not, it was non-compliant.
Doing some research, it seems a lot of things need to be true for hardware encryption to occur on its own.
When I run your script locally the result comes back as True (as it should). But in SCCM my compliance state shows up as Error. What am I doing wrong here?
I also have 2 additional rules:
machines where BitLocker is suspended
machines that check for TPM problems using Get-TPM
Hi,
That sounds like a good solution!
Regards,
Jörgen