
Bitlocker Compliance using SCCM including Hardware encryption check

A quick post on how to check BitLocker compliance in a way that also marks every computer using hardware encryption as non-compliant. This is useful after the recent security advisory on SSDs with hardware encryption: https://redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx?fbclid=IwAR21wX_6S32eyqdRXDeoNqdjb6DZw8UPNXT_d2FQ8pdH52Jop9lvx7g6Tko

And the security advisory from Microsoft on the topic:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028

This started with a discussion with Mattias Borg (@MattiasBorg82, http://Sec-labs.com) and input from Robert Israelsson and the rest of the System Center User Group Sweden (SCUG.SE). Awesome!

But only checking for hardware encryption would not be any fun, so we check that encryption is enabled as well. All machines without BitLocker enabled will then also be flagged as non-compliant, which is great because they need attention too, so we get a double benefit from the compliance check. If you only want to check for hardware encryption, the values that PowerShell returns for the encryption method are:

None, Aes128Diffuser, Aes256Diffuser, Aes128, Aes256, Hardware, XtsAes128, XtsAes256, Unknown

You can also remove any encryption methods that you shouldn't be using from the list below, so that they are marked as non-compliant as well.

The PowerShell script:

    # Only the OS volume, and only when BitLocker protection is actually On
    $BitlockerVolume = Get-BitLockerVolume |
        select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |
        ? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

    # Software methods are compliant; Hardware, None, Unknown (and no protected
    # OS volume at all) fall through to Default and return $false
    switch ($BitlockerVolume.encryptionmethod) {
        Aes128         { $true }
        Aes256         { $true }
        Aes128Diffuser { $true }
        Aes256Diffuser { $true }
        XtsAes128      { $true }
        XtsAes256      { $true }
        Default        { $false }
    }

We put that in a Configuration Item with the setting type Script and data type Boolean, as shown below.

With the following Compliance rule:

If we only want to catch drives with hardware encryption, the PowerShell script can be edited to check for just that. (I haven't tested it, as I don't have a disk with hardware encryption.)

    $BitlockerVolume = Get-BitLockerVolume |
        select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |
        ? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

    # Only Hardware is non-compliant here; everything else (including no
    # protected OS volume) returns $true
    switch ($BitlockerVolume.encryptionmethod) {
        Hardware { $false }
        Default  { $True }
    }

The .cab file with the baseline and CI can be downloaded from GitHub: https://github.com/SweJorgen/SCCM-Configuration-Items

I hope this is useful.
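As an added example (not the script from the post or the GitHub baseline), the two checks above combined into one function with an explicit allow-list of methods, plus constructed sample volumes so the logic can be verified on a machine without a hardware-encrypted SSD. The function name, parameters and sample objects are my own; the 'Data' VolumeType value for fixed data drives is assumed from the BitLocker module.

```powershell
# Added example: one discovery function for a Boolean SCCM Configuration Item.
# Non-compliant when any selected volume is unprotected, or uses a method
# outside the allow-list (Hardware, None, Unknown, legacy Diffuser variants).
function Test-BitLockerCompliance {
    param(
        # Objects shaped like Get-BitLockerVolume output
        [Parameter(Mandatory)] [object[]] $Volumes,
        # Hardware is deliberately absent (ADV180028); add Diffuser variants only
        # if your estate still relies on them
        [string[]] $AllowedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256'),
        # Add 'Data' (assumed value name) to also cover fixed data drives
        [string[]] $VolumeTypes = @('OperatingSystem')
    )
    $selected = @($Volumes | Where-Object { "$($_.VolumeType)" -in $VolumeTypes })
    if ($selected.Count -eq 0) { return $false }   # nothing to check means attention needed
    foreach ($v in $selected) {
        # ToString() handles both the real enums and the constructed strings below
        if ("$($v.ProtectionStatus)" -ne 'On') { return $false }            # off or suspended
        if ("$($v.EncryptionMethod)" -notin $AllowedMethods) { return $false }
    }
    return $true
}

# In the CI the discovery script body is simply:
#   Test-BitLockerCompliance -Volumes (Get-BitLockerVolume)

# Constructed sample volumes standing in for Get-BitLockerVolume output
$samples = [ordered]@{
    'software XTS on C:'    = @([pscustomobject]@{ VolumeType='OperatingSystem'; ProtectionStatus='On';  EncryptionMethod='XtsAes256'; MountPoint='C:' })
    'hardware-encrypted C:' = @([pscustomobject]@{ VolumeType='OperatingSystem'; ProtectionStatus='On';  EncryptionMethod='Hardware';  MountPoint='C:' })
    'BitLocker off on C:'   = @([pscustomobject]@{ VolumeType='OperatingSystem'; ProtectionStatus='Off'; EncryptionMethod='None';      MountPoint='C:' })
    'OS ok, D: hardware'    = @(
        [pscustomobject]@{ VolumeType='OperatingSystem'; ProtectionStatus='On'; EncryptionMethod='XtsAes256'; MountPoint='C:' },
        [pscustomobject]@{ VolumeType='Data';            ProtectionStatus='On'; EncryptionMethod='Hardware';  MountPoint='D:' })
}
foreach ($name in $samples.Keys) {
    $osOnly  = Test-BitLockerCompliance -Volumes $samples[$name]
    $allFixed = Test-BitLockerCompliance -Volumes $samples[$name] -VolumeTypes 'OperatingSystem','Data'
    '{0,-22} OS-only={1,-5} OS+Data={2}' -f $name, $osOnly, $allFixed
}
```

Running the block prints one line per sample; only the first sample is compliant in both modes, and the last one shows why checking the OS volume alone can miss a hardware-encrypted data drive.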
