Bitlocker Compliance using SCCM including Hardware encryption check

A quick post on how to check BitLocker compliance in a way that also marks every computer using "Hardware" encryption as non-compliant, which is useful after the recent security advisory for SSDs with hardware encryption:
https://redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx?fbclid=IwAR21wX_6S32eyqdRXDeoNqdjb6DZw8UPNXT_d2FQ8pdH52Jop9lvx7g6Tko  

And the security advisory from Microsoft on the topic:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028

This started with a discussion with Mattias Borg, @MattiasBorg82 (http://Sec-labs.com), and input from Robert Israelsson and the rest of System Center User Group Sweden, SCUG.SE. Awesome!

But only checking for hardware encryption would not be much fun, so we check that encryption is enabled as well: all machines without BitLocker enabled will also be flagged as "Non-compliant", which is great as they also need attention. So we get a double benefit from the compliance check. If you only want to check for "Hardware" encryption, the values PowerShell returns for the encryption method are:

None
Aes128Diffuser
Aes256Diffuser
Aes128
Aes256
Hardware
XtsAes128
XtsAes256
Unknown

You can also remove any encryption methods that you shouldn't be using from the list below so they are marked as non-compliant as well.

The PowerShell script:

# Only the operating-system volume, and only if BitLocker protection is actually on
$BitlockerVolume = Get-BitLockerVolume |
    Select-Object EncryptionMethod, MountPoint, VolumeType, ProtectionStatus |
    Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# No protected OS volume (BitLocker off or suspended): a switch on $null produces no
# output at all, so return $false explicitly to report non-compliant
if (-not $BitlockerVolume) { return $false }

# Software encryption methods are compliant; "Hardware", "None" and "Unknown" fall
# through to Default and are reported as non-compliant
switch ($BitlockerVolume.EncryptionMethod) {
    Aes128 { $true }
    Aes256 { $true }
    Aes128Diffuser { $true }
    Aes256Diffuser { $true }
    XtsAes128 { $true }
    XtsAes256 { $true }
    Default { $false }
}

We put that in a Configuration Item with the settings type “Script” and Data Type “Boolean” as shown below.

With the following Compliance rule:

If we only want to catch drives with hardware encryption, the PowerShell script can be edited to check just for that. (I haven't tested it, since I don't have a disk with hardware encryption.)

# Only the operating-system volume, and only if BitLocker protection is actually on
$BitlockerVolume = Get-BitLockerVolume |
    Select-Object EncryptionMethod, MountPoint, VolumeType, ProtectionStatus |
    Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# No protected OS volume means nothing is using hardware encryption, so this variant
# reports compliant; a switch on $null would otherwise return nothing at all.
# Change to $false if unencrypted machines should also be flagged.
if (-not $BitlockerVolume) { return $true }

# Only "Hardware" is non-compliant here; every other method is accepted
switch ($BitlockerVolume.EncryptionMethod) {
    Hardware { $false }
    Default { $true }
}
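As an added example that is not part of the original post, the two scripts above (the software-encryption check and the hardware-only check) can be combined into one discovery script driven by an allow-list of encryption methods. It also handles the case where no protected OS volume exists, and can optionally cover data volumes too. The $AllowedMethods list, the $CheckDataVolumes switch and the use of the "Data" VolumeType value are assumptions made for this example and are not from the post:

```powershell
# Added example (not the original post's script). Outputs a single $true/$false so it
# fits a Configuration Item with settings type "Script" and data type "Boolean".

# Encryption methods your policy accepts (assumption: edit to match your own policy).
# "Hardware" is deliberately absent so self-encrypting drives are reported as
# non-compliant (ADV180028). Remove any other method you do not want to allow,
# for example the legacy Diffuser variants.
$AllowedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')

# Assumption: set to $true to also check BitLocker data volumes; $false keeps the
# original behaviour of checking only the operating-system volume.
$CheckDataVolumes = $false

try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
}
catch {
    # BitLocker module or WMI provider unavailable: report non-compliant so the
    # device gets attention instead of silently passing.
    return $false
}

$toCheck = if ($CheckDataVolumes) {
    $volumes | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
} else {
    $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
}

# Nothing to check means no OS volume was found at all: non-compliant.
if (-not $toCheck) { return $false }

foreach ($vol in $toCheck) {
    # Protection must actually be on (not merely configured or suspended).
    if ($vol.ProtectionStatus -ne 'On') { return $false }

    # The method must be on the allow-list; "Hardware", "None" and "Unknown"
    # all fail this test.
    if ($AllowedMethods -notcontains [string]$vol.EncryptionMethod) { return $false }
}

return $true
```

Because the script exits on the first failing volume, a machine is compliant only when every checked volume is protected and uses an allowed method; the Compliance rule in the CI then simply compares the Boolean output to True.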

The .cab file with the baseline and CI can be downloaded from GitHub: https://github.com/SweJorgen/SCCM-Configuration-Items
I hope this is useful.
