'===============================================================================
'
' This sample script can be used to automate the deployment of BitLocker using the BitLocker WMI interfaces.
'
' Last Updated: 7/1/2006
' Microsoft Corporation
' updated by Niall Brady (c) www.windows-noob.com to work with Multi-Language 16/10/2012
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
'
'Version 1.2 - Updates
'1 - Removed infinite loop potential in the FindRemovableDrive function. Three attempts are valid.
'2 - Added saving RK to the /USB option.
'3 - Will not look at local event log if no policy key present.
'4 - Minor logging and text changes.
'5 - Fixed PIN input cancel button use.
'
'
'===============================================================================================================
'Script arguments
'/on:<tpm,tp,tsk,usb> used to specify options for turning on BitLocker (tpm,tp,tsk) REQUIRED
'/l:<location> specify to create a log file and its location REQUIRED
'/em:<128d,256d,128,256> used to specify encryption algorithm (aes128d, aes256d, aes128, aes256) OPTIONAL
'/rk create a recovery key and store in a particular location OPTIONAL
'/promptuser causes script to prompt user for TPM PIN or to insert USB drive OPTIONAL
'/sms creates an SMS status MIF for software distribution OPTIONAL
'/ro:"<existingTPMownerpassword>" changes the TPM ownership password (password must be placed between "") OPTIONAL
'----------------------------------------------------------------------------------------
'Constants And Variables
'----------------------------------------------------------------------------------------
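On Error Resume Next
'Every WMI/COM call in this script is checked afterwards through Err.Number or the method's return code;
'On Error Resume Next is what lets execution reach those checks instead of dying on the first COM error.
Const ForAppending = 8
Const SetPres = 10 'Physical-presence request value used by EnableActivateTPM (enable + activate)
const HKEY_LOCAL_MACHINE = &H80000002
const REG_SZ = 1
const REG_EXPAND_SZ = 2
const REG_BINARY = 3
const REG_DWORD = 4
const REG_MULTI_SZ = 7
Dim bIsEnabled,bIsActivated,bIsOwned,bIsOwnershipAllowed,objTPM,objLog,TakeOwnership,Enable,objEnVol,strStatusTPM,strStatusBDE,strStatusTPMState
Dim objGPPT,strOwnerPassword,strPassword,objWMIBDE,nProtStatus,ProtectVar,objOSSysDriv,objSWbemServices,objOS,coloperatingsystem,sProtID,strOldOwnerPassword
Dim argProtect,argRK,argEM,argSMS,argLOG,argRO,argPrompt,strCurrentUser,argValid,i,strPIN,objRemovableDrive,strStatusCode,strStatusData,MIF,strEKP,strEK
Dim ActiveDirectoryBackup,ActiveDirectoryInfoToStore,RequireActiveDirectoryBackup,EncryptionMethod,BackupMandatory,strStartDate,strStartTime,strRetry,strPolicy
'----------------------------------------------------------------------------------------
'General 1 - Get ready to run, create objects, create log file, parse command line arguments
'----------------------------------------------------------------------------------------
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WSHShell = WScript.CreateObject("WScript.Shell")
'Parse command line arguments
Set args = WScript.Arguments
Argument1 = args.Item(0)
Argument2 = args.Item(1)
NumberofArgs = WScript.Arguments.Count
Set colNamedArgs = WScript.Arguments.Named
'Switch values are matched case-insensitively, so they are lower-cased once here.
argProtect = LCase(colNamedArgs.Item("on"))
argEM = LCase(colNamedArgs.Item("em"))
argLOG = LCase(colNamedArgs.Item("l"))
'The /ro value is the EXISTING TPM owner password. ChangeOwnerAuth hashes it (ConvertToOwnerAuth) and the hash is
'case-sensitive; DenTPMPassword generates mixed-case passwords, so the value is taken verbatim and never lower-cased.
strOldOwnerPassword = colNamedArgs.Item("ro")
'Optional flags: "1" when the switch is present, otherwise a descriptive string that is written to the log below.
If colNamedArgs.Exists("rk") Then
argRK = "1"
Else
argRK = "No recovery key use specified"
End If
If colNamedArgs.Exists("sms") Then
argSMS = "1"
Else
argSMS = "No SMS status MIF's will be created"
End If
If colNamedArgs.Exists("ro") Then
argRO = "1"
Else
argRO = "TPM ownership information will not be cleared"
End If
If colNamedArgs.Exists("promptuser") Then
argPrompt = "1"
Else
argPrompt = "Users will not be prompted for PIN or to insert USB key"
End If
'Map /em to the value handed to Win32_EncryptableVolume.Encrypt. Absent or empty means "1" (128d).
'A value that matches none of the documented ones is passed through unchanged.
If Not colNamedArgs.Exists("em") Then
argEM = "1"
Else
Select Case argEM
Case ""
argEM = "1"
Case "128d"
argEM = "1"
Case "256d"
argEM = "2"
Case "128"
argEM = "3"
Case "256"
argEM = "4"
End Select
End If
'Create log file (append). If /l is missing this fails silently under On Error Resume Next and the objLog
'writes below are swallowed; the Wscript.Echo lines still reach the console.
Set objLog = objFSO.OpenTextFile(argLOG,ForAppending,True)
objLog.WriteLine "Script processing started " & Date & " " & Time
strStartDate = Date
strStartTime = Time
'SMS status exit code: 1 = success (default), 0 = failure. Every validation or WMI failure sets it to 0.
strStatusCode = 1
'Validate the required options. Every failure is logged, echoed, reported in the status MIF and followed by ShowHelp
'(previously two of the branches skipped the MIF and most reported status 1, i.e. success, for a failed run).
If Not colNamedArgs.Exists("on") Then
strStatusData = "No /on option was specified on the command line."
ElseIf Not colNamedArgs.Exists("l") Then
strStatusData = "No /l option specified on the command line."
ElseIf NumberofArgs < 2 Then
strStatusData = "The required number of arguments of 2 was not met."
ElseIf ((argProtect = "tp") Or (argProtect = "tsk")) And argPrompt <> "1" Then
strStatusData = "Using the options /on:tp or /on:tsk and not using /promptuser is not allowed."
ElseIf argProtect = "usb" And argPrompt <> "1" Then
strStatusData = "Using the options /on:usb and not using /promptuser is not allowed."
ElseIf argRK = "1" And argPrompt <> "1" Then
strStatusData = "Using the option /rk and not using /promptuser is not allowed."
ElseIf argProtect <> "tp" And argProtect <> "tpm" And argProtect <> "tsk" And argProtect <> "usb" Then
strStatusData = "The /on option does not match one of the required options."
Else
strStatusData = ""
objLog.WriteLine "Proper number of command line arguments passed to the script"
End If
If strStatusData <> "" Then
objLog.WriteLine strStatusData
Wscript.Echo strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
ShowHelp
End If
'Output command arguments to log file
objLog.WriteLine "-----------------------------------------------------------------------"
objLog.WriteLine "---------------Executing with the following arguments------------------"
objLog.WriteLine "-----------------------------------------------------------------------"
objLog.WriteLine "Enable parameters: " & argProtect
objLog.WriteLine "Logging location: " & argLOG
objLog.WriteLine "Create recovery key: " & argRK
objLog.WriteLine "Encryption method: " & argEM
objLog.WriteLine "Create SMS status MIF's: " & argSMS
objLog.WriteLine "Reset TPM ownership: " & argRO
objLog.WriteLine "User prompting: " & argPrompt
objLog.WriteLine "-----------------------------------------------------------------------"
'----------------------------------------------------------------------------------------
'General 2 - Main script processing area
'----------------------------------------------------------------------------------------
ConnectTPMProv() 'Connect to the TPM WMI provider (quits unless the TPM count fits the /on option)
If argProtect = "usb" Then
ConnectBDEProv() 'Connect to the volume encryption WMI provider
EvalGPO()
GetBDEStatus()
Else
GetTPMStatus() 'Get the current status of the TPM to determine action
ConnectBDEProv() 'Connect to the volume encryption WMI provider
'React to the TPM state. Only the states listed are handled; any other combination is reported as a
'failure instead of silently falling through to the success MIF at the end of the script.
If bIsEnabled And bIsActivated And bIsOwned Then
objLog.WriteLine "TPM is in a ready state to enable BitLocker."
If argRO = "1" Then
objLog.WriteLine "Change TPM owner password specified on the command line."
DenTPMPassword
ChangeOwnerAuth strOldOwnerPassword,strOwnerPassword
End If
EvalGPO()
GetBDEStatus()
ElseIf bIsEnabled And bIsActivated And Not bIsOwned Then
objLog.WriteLine "TPM ownership is not taken...will take ownership."
DenTPMPassword
OwnTPM
EvalGPO()
GetBDEStatus()
ElseIf Not bIsEnabled And Not bIsActivated Then
'Same action whether or not the TPM is already owned.
objLog.WriteLine "TPM is not turned on...will Enable and Activate TPM and force a reboot."
EnableActivateTPM()
ElseIf bIsEnabled And Not bIsActivated And Not bIsOwned Then
objLog.WriteLine "TPM is turned on but not activated...will Activate TPM and force a reboot."
EnableActivateTPM()
Else
strStatusData = "ERROR - Unhandled TPM state (Enabled - " & bIsEnabled & ", Activated - " & bIsActivated & ", Owned - " & bIsOwned & "). Script cannot continue."
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
End If
End If
If strStatusCode = 1 Then
strStatusData = strStatusTPMState & ". " & strStatusTPM & " " & "The volume has a protection status of: " & nProtStatus & ". " & strStatusBDE & ". " & "Script Completed Successfully"
objLog.WriteLine strStatusData
CreateStatusMIF strStatusData
End If
objLog.WriteLine "Script ended " & Date & " " & Time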
'----------------------------------------------------------------------------------------
'Functions and subs
'----------------------------------------------------------------------------------------
'Function 1 - Connect to TPM WMI provider
'----------------------------------------------------------------------------------------
Function ConnectTPMProv()
' Purpose: bind the global objWMITPM to the MicrosoftTpm WMI namespace and load the TPM instance into the global objTpm.
' The moniker asks for impersonation plus pktPrivacy, i.e. an authenticated and encrypted channel to the provider.
' Outcomes:
'   - provider unreachable, no TPM while /on is a TPM mode, or a TPM present while /on:usb: failure MIF and Quit -1.
'   - /on:usb with no TPM: returns early; objTpm is left unset and must not be used by the caller.
'   - otherwise objTpm holds the Win32_Tpm=@ singleton.
strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftTpm"
Err.Clear
Set objWMITPM = GetObject(strConnectionStr1)
If Err.Number = 0 Then
objLog.WriteLine "Connection succeeded to MicrosoftTPM"
Else
strStatusData = "ERROR - Failed to connect to the MicrosoftTPM provider. Script is exiting..."
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Wscript.Quit -1
End If
Err.Clear
' Win32_Tpm has either zero or one instance; reconcile the count with the requested protection mode.
Set colTpm = objWMITPM.InstancesOf("Win32_Tpm")
Select Case True
Case colTpm.Count = 1 And argProtect = "usb"
strStatusData = "Successfully retieved a TPM from the provider class. USB only protection was chosen and cannot be used when a TPM is present. Script is exiting...(Error: " & Err.Number & ")"
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
Case colTpm.Count = 0 And argProtect = "usb"
objLog.WriteLine "Protect option is set for USB only. Will continue with USB only protection..."
Exit Function
Case colTpm.Count = 0
strStatusData = "ERROR - Failed get a TPM instance in the provider class. Script is exiting..."
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
End Select
Err.Clear
' Fetch the singleton instance the rest of the script talks to.
Set objTpm = objWMITPM.Get("Win32_Tpm=@")
If Err.Number = 0 Then
objLog.WriteLine "Successfully retrieved a TPM instance from the Win32_TPM provider class"
Else
strStatusData = "ERROR - Failed get a TPM instance in the provider class. Script is exiting...(Error: " & Err.Number & ")"
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
End If
Err.Clear
End Function
'----------------------------------------------------------------------------------------
'Function 2 - Connect to BDE WMI provider
'----------------------------------------------------------------------------------------
Function ConnectBDEProv()
' Purpose: bind the global objWMIBDE to the MicrosoftVolumeEncryption WMI namespace.
' The moniker asks for impersonation plus pktPrivacy (authenticated, encrypted channel); the key-protector and
' PIN calls made through objWMIBDE later travel over this connection.
' A connection error writes a failure MIF (with Err.Number) and ends the script with exit code -1.
strConnectionStr2 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
Err.Clear
Set objWMIBDE = GetObject(strConnectionStr2)
If Err.Number = 0 Then
objLog.WriteLine "Connection succeeded to MicrosoftVolumeEncryption"
Err.Clear
Exit Function
End If
strStatusData = "ERROR - Failed to connect to the MicrosoftVolumeEncryption provider. Script is exiting...(Error " & Err.Number & ")"
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
End Function
'-----------------------------------------------------------------------------------------
'Function 3 - Get BDE status data and enable encryption
'-----------------------------------------------------------------------------------------
Function GetBDEStatus()
'Purpose: find the OS volume among the Win32_EncryptableVolume instances and, if it is fully decrypted, add the key
'protector(s) selected by /on, start encryption (EnableBitlocker) and optionally create a recovery key (CreateRK).
'Globals read: objWMIBDE, argProtect, argPrompt, strCurrentUser, argValid, strPIN, objRemovableDrive.
'Globals written: objSWbemServices, coloperatingsystem, objEnVol, nProtStatus, sProtID, strStatusBDE, strStatusData, strStatusCode.
'Ends the script (failure MIF, Quit -1) when no encryptable volume exists or the OS volume is already protected.
Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume")
objlog.writeline "EncryptableVolumes count is: " & colEnVol.count
If colEnVol.count < 1 then
strStatusData = "ERROR - EncryptableVolumes is null and count is: " & colEnVol.count & " Script is quitting..."
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
Else
'The OS volume is identified by matching each volume's DriveLetter against Win32_OperatingSystem.SystemDrive.
strConnectionStr3 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2"
Set objSWbemServices = GetObject(strConnectionStr3)
Set coloperatingsystem = objSWbemServices.ExecQuery("Select * from Win32_OperatingSystem")
For each objOperatingSystem in colOperatingSystem
strWin32SysDrive = objOperatingSystem.SystemDrive
Next
For Each objEnVol in colEnVol
objlog.writeline "The EncryptableVolume(s) found: " & objEnVol.DeviceID
strEncDriveLetter = objEnVol.DriveLetter
If strEncDriveLetter = strWin32SysDrive then
objlog.writeline "EncryptableVolume used for encryption is: " & strEncDriveLetter
'GetProtectionStatus out-value: 0 = protection off, 1 = protection on. Only those two are handled; any other
'value (the provider can also report 2 = unknown) falls through every branch below, leaves strCS unset and is
'reported after the loop as the "must match the operating system volume" error.
intRC = objEnVol.GetProtectionStatus(nProtStatus)
objlog.writeline "The volume has a protection status of: " & nProtStatus
If nProtStatus = 1 then
strStatusData = "BitLocker Protection is already enabled. Check log file for more details. Process is quitting..."
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Wscript.quit -1
Else
If nProtStatus = 0 then
objlog.writeline "BitLocker Protection is Off"
'GetConversionStatus out-value: 0 = fully decrypted, which is the only state in which protectors are added.
'Any other value is handed to the GetConversionStatus sub (defined elsewhere in this file) after the loop.
nRC = objEnVol.GetConversionStatus(strCS)
objlog.writeline "Get conversion status is: " & strCS
If strCS = 0 Then
err.Clear
objlog.writeline "The volume has a status of fully decrypted"
'Protector selection by /on. Each mode follows the same order: add the protector, (save the external key
'where one exists), CreateRP (defined elsewhere; presumably the recovery-password protector), EnableBitlocker,
'then CreateRK for the optional /rk recovery key. A failed ProtectKeyWith* call is decoded by CheckError,
'reported in the MIF and skips the remaining steps for that mode.
If argProtect = "tpm" Then
intRC = objEnVol.ProtectKeyWithTPM("TPM Protection",Empty,sProtID)
objLog.Writeline "Attempting to enable BitLocker TPM"
If intRC <> 0 Then
CheckError intRC
strStatusData = "ERROR - the ProtectKeyWithTPM Method failed with the exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
strStatusData = "Successfully initiated ProtectKeyWithTPM Method with an exit code of: " & Hex(intRC)
objlog.writeline strStatusData
strStatusBDE = strStatusData
CheckUser
CreateRP objEnVol
EnableBitlocker objEnVol
CreateRK sProtID
End If
err.clear
Else
If argProtect = "tp" Then
CheckUser
GetPIN
'TPM+PIN needs an interactive user: /promptuser, a logged-on user (CheckUser sets strCurrentUser) and a PIN
'that passed GetPIN's format check (argValid). strPIN stays in that global for the rest of the run.
If argPrompt = "1" and strCurrentUser = "1" and argValid = "1" Then
intRC = objEnVol.ProtectKeyWithTPMAndPIN("TPM and PIN Protection",Empty,strPIN,sProtID)
objLog.Writeline "Attempting to enable BitLocker TPM + Pin"
If intRC <> 0 Then
CheckError intRC
strStatusData = "ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
strStatusData = "Successfully initiated ProtectKeyWithTPMAndPIN Method with an exit code of: " & Hex(intRC)
objlog.writeline strStatusData
strStatusBDE = strStatusData
CreateRP objEnVol
EnableBitlocker objEnVol
CreateRK sProtID
End If
err.clear
Else
'Leaves the function without touching strStatusCode, so the final MIF can still report success;
'strStatusBDE carries the reason. The post-loop strCS handling is skipped as well.
strStatusData = "ERROR - TPM and PIN Protection failed. One of the following conditions was not met: Command line switch /promptuser not used, No logged on User, or PIN was not of a valid format"
objlog.writeline strStatusData
strStatusBDE = strStatusData
Exit Function
End If
Else
If argProtect = "tsk" Then
CheckUser
If argPrompt = "1" Then
FindRemovableDrive()
Else
'NOTE(review): this branch announces that the script is exiting but still calls FindRemovableDrive()
'first. It is normally unreachable: the argument validation at the top rejects /on:tsk without
'/promptuser (assuming ShowHelp ends the script).
objLog.WriteLine "TPM and StarupKey option is chosen and user prompting for USB device is disabled. Script is exiting..."
FindRemovableDrive()
Exit Function
End If
intRC = objEnVol.ProtectKeyWithTPMAndStartupKey("TPM and Startup Key Protection",Empty,Empty,sProtID)
objLog.Writeline "Attempting to enable BitLocker TPM + StartupKey"
If intRC <> 0 Then
CheckError intRC
strStatusData = "ERROR - the ProtectKeyWithTPMAndStartupKey Method failed with the exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
objlog.writeline "Successfully initiated ProtectKeyWithTPMAndStartupKey Method with an exit code of: " & Hex(intRC)
objLog.Writeline "Attempting to save startup key..."
'The startup key file is written to the removable drive FindRemovableDrive left in objRemovableDrive;
'if that lookup failed, SaveExternalKeyToFile reports it through its return code below.
intRC = objEnVol.SaveExternalKeyToFile(sProtID,objRemovableDrive)
If intRC <> 0 Then
strStatusData = "ERROR - Failed to save the startup key to a USB drive with the following exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
strStatusData = "Successfully completed ProtectKeyWithTPMAndStartupKey Method and saved the startup key to USB drive with an exit code of: " & Hex(intRC)
objlog.writeline strStatusData
strStatusBDE = strStatusData
CreateRP objEnVol
EnableBitlocker objEnVol
CreateRK sProtID
End If
err.clear
End If
err.clear
Else
If argProtect = "usb" then
'External-key-only protection (no TPM): the USB key is the sole pre-boot factor, so the same
'removable drive lookup and SaveExternalKeyToFile sequence as the tsk mode applies.
CheckUser
FindRemovableDrive()
intRC = objEnVol.ProtectKeyWithExternalKey("USB Key Protection",Empty,sProtID)
objLog.Writeline "Attempting to enable BitLocker with External Key only"
If intRC <> 0 Then
CheckError intRC
strStatusData = "ERROR - the ProtectKeyWithExternalKey Method failed with the exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
objlog.writeline "Successfully initiated ProtectKeyWithExternalKey Method with an exit code of: " & Hex(intRC)
objLog.Writeline "Attempting to save USB key..."
intRC = objEnVol.SaveExternalKeyToFile(sProtID,objRemovableDrive)
If intRC <> 0 Then
strStatusData = "ERROR - Failed to save the startup key to a USB drive with the following exit code: " & Hex(intRC)
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
strStatusData = "Successfully completed ProtectKeyWithExternalKey Method and saved the startup key to USB drive with an exit code of: " & Hex(intRC)
objlog.writeline strStatusData
strStatusBDE = strStatusData
CreateRP objEnVol
EnableBitlocker objEnVol
CreateRK sProtID
End If
err.clear
End If
End If
End If
End If
End If
End if
End if
End if
End if
Next
'strCS is only assigned inside the "protection off" branch above, so an empty strCS here means either that no
'volume's drive letter matched the OS drive or that the matched volume reported a protection status other than 0 or 1.
If strCS = "" Then
strStatusData = "ERROR - The available encyptable volumes must match the operating system volume and this did not occur. Operating system drive found - " & strWin32SysDrive
objLog.Writeline strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
GetConversionStatus strCS
End If
End If
End Function
'-----------------------------------------------------------------------------------------
'Function 4 - Get TPM status data to determine if TPM is enabled, activated, and owned
'-----------------------------------------------------------------------------------------
Function GetTPMStatus()
' Purpose: read the three TPM state flags into the globals bIsEnabled / bIsActivated / bIsOwned, which the main
' script uses to decide between enabling the TPM, taking ownership, or going straight to BitLocker.
' A failing IsEnabled / IsActivated / IsOwned call is logged and reported in the MIF (strStatusCode = 0) but does
' not stop the script; the flag then keeps whatever the provider wrote. The state is also kept in strStatusTPMState
' for the final status line.
Dim lngResult
lngResult = objTpm.IsEnabled(bIsEnabled)
If lngResult <> 0 Then LogTPMQueryFailure "IsEnabled", lngResult
lngResult = objTpm.IsActivated(bIsActivated)
If lngResult <> 0 Then LogTPMQueryFailure "IsActivated", lngResult
lngResult = objTpm.IsOwned(bIsOwned)
If lngResult <> 0 Then LogTPMQueryFailure "IsOwned", lngResult
'Record the TPM state in the log and in the summary used by the final MIF
objLog.WriteLine "TPM found in the following state:"
objLog.WriteLine "Enabled - " & bIsEnabled
objLog.WriteLine "Activated - " & bIsActivated
objLog.WriteLine "Owned - " & bIsOwned
strStatusTPMState = "TPM found in the following state: Enabled - " & bIsEnabled & ", Activated - " & bIsActivated & ", Owned - " & bIsOwned
End Function
' Logs a failed Win32_Tpm state query (strMethod, return code lngResult) and marks the run as failed for the SMS status MIF.
Sub LogTPMQueryFailure(strMethod, lngResult)
strStatusData = "ERROR - The method " & strMethod & " failed with return code 0x" & Hex(lngResult)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
End Sub
'-----------------------------------------------------------------------------------------
'Function 5 - Enable and Activate TPM
'-----------------------------------------------------------------------------------------
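Function EnableActivateTPM
' Purpose: request enable+activate of the TPM through the physical-presence interface (SetPres = 10), then perform
' the platform transition the TPM reports: 0 none, 1 shutdown, 2 reboot, 3 vendor-specific (script quits).
' Globals: reads objTPM, WSHShell, SetPres; writes strStatusData, strStatusTPM, strStatusCode.
' The shutdown and reboot cases hand over to shutdown.exe (5 s delay) and let the script finish normally, so the
' final MIF still reports success; enabling completes on the next boot. Both cases now record the action in
' strStatusTPM (previously only the shutdown case did). shutdown.exe is started by its full path under
' %SystemRoot%\System32 so the PATH search cannot be redirected to another binary. A transition value outside 0-3
' is logged and reported as a failure instead of being ignored.
Dim intRC, strPT, strShutdownExe, oReboot
Err.Clear
intRC = objTPM.SetPhysicalPresenceRequest(SetPres)
objLog.WriteLine "Attempting to enable and activate the TPM"
If intRC <> 0 Then
strStatusData = "ERROR - failed to enable and activate the TPM with the following exit code: " & Hex(intRC)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
objLog.WriteLine "Completed enabling and activating the TPM with an exit code of: " & Hex(intRC)
End If
intRC = objTPM.GetPhysicalPresenceTransition(strPT)
objLog.WriteLine "Presence Transition = " & strPT
If intRC <> 0 Then
strStatusData = "ERROR - failed to get PhysicalPresenceTransition with the following exit code: " & Hex(intRC)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Else
objLog.WriteLine "Completed PhysicalPresenceTransition with an exit code of: " & Hex(intRC)
End If
'Quoted full path, so Run does not depend on PATH
strShutdownExe = """" & WSHShell.ExpandEnvironmentStrings("%SystemRoot%") & "\System32\shutdown.exe"""
If strPT = 0 Then
objLog.WriteLine "The platform does not need to transition"
ElseIf strPT = 1 Then
strStatusData = "Shutting down system to finish enabling the TPM"
objLog.WriteLine strStatusData
strStatusTPM = strStatusData
oReboot = WSHShell.Run(strShutdownExe & " /s /t 5",2,True)
ElseIf strPT = 2 Then
strStatusData = "Rebooting system to finish enabling the TPM"
objLog.WriteLine strStatusData
strStatusTPM = strStatusData
oReboot = WSHShell.Run(strShutdownExe & " /r /t 5",2,True)
ElseIf strPT = 3 Then
strStatusData = "The TPM transition is vendor-specific cannot continue. Contact your vendor for instructions. Script is quitting..."
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
WScript.Quit -1
Else
strStatusData = "ERROR - Unexpected PhysicalPresenceTransition value: " & strPT & ". No transition was performed."
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
End If
End Function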
'-----------------------------------------------------------------------------------------
'Function 6 - Create a recovery key if specified on command line
'-----------------------------------------------------------------------------------------
Function CreateRK(sProtID)
' Purpose: when /rk was given, add an external-key protector ("Recovery Protection") to the OS volume and save it to
' the removable drive that FindRemovableDrive leaves in objRemovableDrive. Does nothing without /rk.
' sProtID is ByRef (VBScript default): it arrives holding the id of the protector created by the caller and goes
' back out holding the id ProtectKeyWithExternalKey assigns to the recovery protector.
' Both failure paths are logged only; strStatusCode is not touched, so the final MIF can still report success
' although no recovery key was written. Check the log for "ERROR - Failed" lines.
Dim intResult
If argRK <> "1" Then Exit Function
FindRemovableDrive()
intResult = objEnVol.ProtectKeyWithExternalKey("Recovery Protection",Empty,sProtID)
objLog.WriteLine "Attempting to create BitLocker Recovery Key."
If intResult <> 0 Then
objLog.WriteLine "ERROR - Failed generating Recovery Key with the exit code: " & Hex(intResult)
Exit Function
End If
objLog.WriteLine "Successfully generated Recovery key with an exit code of: " & Hex(intResult)
objLog.WriteLine "Attempting to save Recovery Key to USB..."
intResult = objEnVol.SaveExternalKeyToFile(sProtID,objRemovableDrive)
If intResult = 0 Then
objLog.WriteLine "Successfully saved the recovery key to USB drive with an exit code of: " & Hex(intResult)
Else
objLog.WriteLine "ERROR - Failed to save the recovery key to a USB drive with the following exit code: " & Hex(intResult)
End If
Err.Clear
End Function
'-----------------------------------------------------------------------------------------
'Function 7 - Changing TPM owner information
'-----------------------------------------------------------------------------------------
Function ChangeOwnerAuth(strOldOwnerPassword,strOwnerPassword)
' Purpose: replace the TPM owner authorization. Both passwords are first turned into owner-auth digests by
' objTpm.ConvertToOwnerAuth (SHA-1 hashing, per the provider); only the digests are handed to objTpm.ChangeOwnerAuth.
' Every step is logged but none aborts the script: a failed conversion leaves an Empty digest that is still passed
' on, and ChangeOwnerAuth's own return code is then logged. Ends with a 10 s wait for the TPM to settle.
' The old password must match the one the TPM was owned with exactly; the digest is case-sensitive, so the caller
' must not normalise its case.
Dim intResult, varOldDigest, varNewDigest
Err.Clear
intResult = objTpm.ConvertToOwnerAuth(strOldOwnerPassword, varOldDigest)
If intResult = 0 Then
objLog.WriteLine "Completed converting old owner password to owner authorization: " & Hex(intResult)
Else
objLog.WriteLine "ERROR - Failed to converting old owner password to owner authorization: " & Hex(intResult)
End If
Err.Clear
intResult = objTpm.ConvertToOwnerAuth(strOwnerPassword, varNewDigest)
If intResult = 0 Then
objLog.WriteLine "Completed converting owner password to owner authorization: " & Hex(intResult)
Else
objLog.WriteLine "ERROR - Failed to converting owner password to owner authorization: " & Hex(intResult)
End If
Err.Clear
' Swap the authorization on the TPM itself
intResult = objTpm.ChangeOwnerAuth(varOldDigest,varNewDigest)
objLog.WriteLine "Starting to change owner authorization process on the TPM"
If intResult = 0 Then
objLog.WriteLine "Completed change owner authorization process on the TPM with the following exit code: " & Hex(intResult)
Else
objLog.WriteLine "ERROR - Failed to change owner authorization on the TPM with the following exit code: " & Hex(intResult)
End If
Err.Clear
' Give the TPM time to finish before the caller continues with EvalGPO / GetBDEStatus
Wscript.Sleep(10000)
End Function
'-----------------------------------------------------------------------------------------
'Function 8 - Generate random string for TPM owner password. This password will range
'from 7-14 characters and will contain numbers and letters.
'-----------------------------------------------------------------------------------------
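Function DenTPMPassword
' Purpose: generate the random TPM owner password used by OwnTPM / ChangeOwnerAuth and expose it in the globals
' strPassword and strOwnerPassword.
' Length: 7 to 14 characters. (The previous code added the upper limit instead of the lower one to the random
' offset and produced 14 to 21 characters.)
' Alphabet: printable ASCII 33-126 minus the double quote (34): the password has to be supplied back later as
' /ro:"<password>", and a quote inside it cannot be carried through that syntax.
' Rnd/Randomize is VBScript's only random source. It is seeded from the system timer and is not a cryptographic
' generator; seed it once, because reseeding inside the loop (as before) ties consecutive characters to the same
' timer tick and repeats them.
' strPassword is reset first so a second call in the same run cannot append to a previous password.
' The password is written in clear to the log file because nothing else in this script records it; the file named
' by /l therefore holds the TPM owner secret and must be protected accordingly (or this line replaced by a backup
' to Active Directory).
Dim intMinLen, intMaxLen, intMinChar, intMaxChar, intLength, intCode, strCandidate
intMinLen = 7
intMaxLen = 14
intMinChar = 33
intMaxChar = 126
Randomize
intLength = Int((intMaxLen - intMinLen + 1) * Rnd) + intMinLen
strCandidate = ""
Do While Len(strCandidate) < intLength
intCode = Int((intMaxChar - intMinChar + 1) * Rnd) + intMinChar
If intCode <> 34 Then strCandidate = strCandidate & Chr(intCode)
Loop
strPassword = strCandidate
strOwnerPassword = strPassword
objLog.WriteLine "Random TPM owner password is: " & strOwnerPassword
End Function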
'-----------------------------------------------------------------------------------------
' Function 9 - Check for endorsement key and take ownership of TPM
'-----------------------------------------------------------------------------------------
Function OwnTPM
' Purpose: take ownership of the TPM with the password held in the global strOwnerPassword.
' Steps: make sure an endorsement key pair exists (create one if IsEndorsementKeyPairPresent reports none), hash the
' owner password into an owner-auth digest with ConvertToOwnerAuth, then call TakeOwnership with that digest.
' Only a failed EK creation and a failed hashing step end the script (failure MIF, Quit -1); a failed
' IsEndorsementKeyPairPresent or TakeOwnership is logged and reported in the MIF, after which the 10 s wait and the
' caller's EvalGPO / GetBDEStatus still run.
' Note: strEK is the Boolean out-parameter of IsEndorsementKeyPairPresent and is compared with the string "True",
' which relies on VBScript's Variant coercion between Boolean and String.
Dim intResult, varOwnerDigest
Err.Clear
intResult = objTpm.IsEndorsementKeyPairPresent(strEK)
If intResult = 0 Then
objLog.WriteLine "Successfully determined if Endorsement Key Pair is present with an exit code of: " & Hex(intResult)
objLog.WriteLine "IsEndorsementKeyPairPresent returned a value of: " & strEK
Else
strStatusData = "ERROR - Failed to determine if Endorsement Key Pair is present with the following exit code: " & Hex(intResult)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
End If
Err.Clear
If strEK = "True" Then
objLog.WriteLine "Endorsement Key Pair is present."
Else
objLog.WriteLine "Attempting to create Endorsement Key Pair"
intResult = objTpm.CreateEndorsementKeyPair(strEKP)
If intResult = 0 Then
objLog.WriteLine "Successfully created Endorsement Key Pair with an exit code of: " & Hex(intResult)
Else
strStatusData = "ERROR - Failed to create Endorsement Key Pair with the following exit code: " & Hex(intResult)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Wscript.quit -1
End If
End If
Err.Clear
' Hash the owner password into the owner-auth digest (SHA-1, per the provider); only the digest reaches TakeOwnership
intResult = objTpm.ConvertToOwnerAuth(strOwnerPassword, varOwnerDigest)
If intResult = 0 Then
objLog.WriteLine "Successfully hashed TPM owner password with an exit code of: " & Hex(intResult)
Else
strStatusData = "ERROR - Failed to hash TPM owner password with the following exit code: " & Hex(intResult)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
Wscript.quit -1
End If
intResult = objTpm.TakeOwnership(varOwnerDigest)
objLog.WriteLine "Starting to take ownership of the TPM"
If intResult = 0 Then
objLog.WriteLine "Completed taking ownership of the TPM with an exit code of: " & Hex(intResult)
Else
strStatusData = "ERROR - Failed to take ownership of the TPM with the following exit code: " & Hex(intResult)
objLog.WriteLine strStatusData
strStatusCode = 0
CreateStatusMIF strStatusData
End If
Err.Clear
' Give the TPM time to finish the ownership process before the caller continues
Wscript.Sleep(10000)
End Function
'-----------------------------------------------------------------------------------------
'Function 10 - Enable Bitlocker
'-----------------------------------------------------------------------------------------
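Function EnableBitlocker(objEnVol)
    ' Start BitLocker encryption on objEnVol (a Win32_EncryptableVolume instance) with the
    ' encryption method held in argEM. On failure the key protectors added earlier are
    ' removed so the volume is not left with protectors but no encryption.
    ' Reads : argEM, objLog
    ' Writes: intRC, strStatusData, strStatusCode
    Err.clear

    ' Log the intent before the call so the log reads in execution order (previously the
    ' "Attempting" line was written after Encrypt had already returned).
    objLog.Writeline "Attempting to enable BitLocker..."
    intRC = objEnVol.Encrypt(argEM)
    If intRC <> 0 Then
        strStatusData = "ERROR - failed to initiate drive encryption with the following exit code: " & Hex(intRC)
        objLog.Writeline strStatusData
        strStatusCode = 0
        CreateStatusMIF strStatusData

        ' Roll back the protectors created before this call.
        ' NOTE(review): both messages below say "Script is quitting..." but this function
        ' does not call Wscript.Quit; whether to stop is left to the caller. The failure
        ' branch also does not raise a status MIF, unlike the other error paths in this file.
        objLog.Writeline "Deleting previously created key protectors..."
        intRC = objEnVol.DeleteKeyProtectors()
        If intRC <> 0 Then
            strStatusData = "ERROR - failed to remove key protectors with the following exit code: " & Hex(intRC) & " Script is quitting..."
            objLog.Writeline strStatusData
        Else
            objlog.writeline "Successfully removed key protectors with the following exit code: " & Hex(intRC) & " Script is quitting..."
        End If
    Else
        objlog.writeline "Successfully initiated BitLocker drive encryption with an exit code of: " & Hex(intRC)
    End If
    err.clear
End Function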
'--------------------------------------------------------------
'Function 11 - Find the removable drive in WMI
'--------------------------------------------------------------
Function FindRemovableDrive()
    ' Locate the single removable volume (Win32_Volume DriveType 2) that will receive the
    ' BitLocker startup/recovery key and store its drive letter in objRemovableDrive.
    ' Reads : objSWbemServices, objLog, argPrompt, strCurrentUser
    ' Writes: strRetry, colDrives, objRemovableDrive, strStatusData, strStatusCode
    ' Interactive mode (argPrompt = "1" and a logged-on user): when no removable volume is
    ' present the user is prompted, the function sleeps ten seconds and calls itself again;
    ' strRetry caps this at three attempts before the script quits. Unattended mode:
    ' anything other than exactly one removable volume is fatal.
    ' NOTE(review): Win32_Volume.DriveLetter can be Null for a volume without a letter;
    ' that case is not handled here (kept as in the original).

    ' Retry budget across the recursive calls below.
    strRetry = strRetry + 1
    If strRetry > 3 Then
        strStatusData = "ERROR - User did not input a valid USB device within the 3 attempts allowed. Script is quitting..."
        objLog.Writeline strStatusData
        strStatusCode = 0
        CreateStatusMIF strStatusData
        Wscript.Quit -1
    End If

    Err.Clear
    Set colDrives = objSWbemServices.ExecQuery("Select * from Win32_Volume where DriveType = '2'")
    If Err.Number <> 0 Then
        strStatusData = "ERROR - the search for a USB drive failed with the following exit code: " & Err.Number
        objLog.Writeline strStatusData
        strStatusCode = 0
        CreateStatusMIF strStatusData
    Else
        objLog.Writeline "Successfully completed the search for a USB drive with the following exit code: " & Err.Number
    End If
    err.clear

    blnInteractive = (argPrompt = "1" and strCurrentUser = "1")

    If blnInteractive Then
        Select Case colDrives.count
            Case 1
                For Each objDrive in colDrives
                    objRemovableDrive = objDrive.DriveLetter
                    objLog.WriteLine "Found USB drive in the system at the following drive letter: " & objDrive.DriveLetter
                Next
            Case 0
                ' Ask the user to insert a device, then try again (bounded by strRetry).
                objLog.WriteLine "Warning - Did not find USB device to save your startup key. Waiting for user will retry....."
                Wscript.Echo "No removeable USB device was found in your system. To complete the BitLocker configuration please insert a USB removeable drive to save your Startup or Recovery Key."
                WScript.Sleep(10000)
                FindRemovableDrive()
            Case Else
                ' More than one candidate: refuse to guess where the key should go.
                strStatusData = "ERROR - More then one USB device was found in your system cannot determine where to save key. Script is quitting..."
                objLog.Writeline strStatusData
                strStatusCode = 0
                CreateStatusMIF strStatusData
                Wscript.Quit -1
        End Select
    Else
        ' Unattended: exactly one removable volume is required.
        If colDrives.count <> 1 Then
            strStatusData = "ERROR - No USB device available to save key. Script is quitting..."
            objLog.Writeline strStatusData
            strStatusCode = 0
            CreateStatusMIF strStatusData
            WScript.Quit -1
        End If
        For Each objDrive in colDrives
            objRemovableDrive = objDrive.DriveLetter
        Next
    End If
End Function
'----------------------------------------------------------------------------------------
'Function 12 - Function used to interrogate Group Policy and determine whether backup of recovery data succeeded
'----------------------------------------------------------------------------------------
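Function EvalGPO
    ' Read the BitLocker (FVE) policy values from HKLM\SOFTWARE\Policies\Microsoft\FVE via
    ' the WMI StdRegProv and derive whether AD escrow of the recovery password is mandatory.
    ' Reads : objLog, HKEY_LOCAL_MACHINE (constant defined elsewhere in the script)
    ' Writes: strComputer, strPolicy ("1" when no FVE policy values exist), objReg,
    '         strKeyPath, arrValueNames, arrValueTypes, dwValue, EncryptionMethod,
    '         RequireActiveDirectoryBackup, ActiveDirectoryBackup, argEM, BackupMandatory,
    '         strStatusData, strStatusCode
    strComputer = "."
    strPolicy = "0"
    err.Clear
    Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    If Not Err.number=0 Then
        strStatusData = "ERROR - Could not connect to WMI StdRegProv" & Err.Description
        objLog.Writeline strStatusData
        strStatusCode = 0
        CreateStatusMIF strStatusData
    Else
        objLog.Writeline "Successfully connected to WMI StdRegProv"
    End If
    err.Clear

    objLog.WriteLine "Checking if Group Policy encryption method is set..."
    strKeyPath = "SOFTWARE\Policies\Microsoft\FVE"
    objReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames, arrValueTypes
    ' EnumValues leaves arrValueNames Empty/Null when the key is missing or has no values.
    If IsEmpty(arrValueNames) = True or IsNull(arrValueNames) = True Then
        strPolicy = "1"
        strStatusData = "No FVE policy registry key found" & Err.Description
        objLog.Writeline strStatusData
        strStatusCode = 0
        CreateStatusMIF strStatusData
    Else
        err.clear
        For R=0 To UBound(arrValueNames)
            ' Registry value names are case-insensitive on Windows, so match them
            ' case-insensitively instead of with a binary "=" comparison.
            Select Case LCase(arrValueNames(R))
                Case "encryptionmethod"
                    objReg.GetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,arrValueNames(R),dwValue
                    EncryptionMethod = dwValue
                    objLog.Writeline "Found EncryptionMethod with value: " & dwValue
                    ' Policy wins over the command line: argEM = "0" makes the Encrypt call
                    ' fall back to the policy-defined method.
                    objLog.Writeline "Found EncryptionMethod policy registry key ignoring any /em options on command line"
                    argEM = "0"
                Case "requireactivedirectorybackup"
                    objReg.GetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,arrValueNames(R),dwValue
                    RequireActiveDirectoryBackup = dwValue
                    objLog.Writeline "Found RequireActiveDirectoryBackup with value: " & dwValue
                Case "activedirectorybackup"
                    objReg.GetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,arrValueNames(R),dwValue
                    ActiveDirectoryBackup = dwvalue
                    objLog.Writeline "Found ActiveDirectoryBackup with value: " & dwValue
            End Select
        Next
    End If

    ' Decide whether AD escrow of the recovery password is mandatory. Either variable is
    ' Empty (compares as 0) when its policy value was not present above.
    If ActiveDirectoryBackup = 1 and RequireActiveDirectoryBackup = 1 Then
        objLog.WriteLine "Determined client Group Policy configured to require AD escrow of recovery password"
        BackupMandatory = "1"
    ElseIf ActiveDirectoryBackup = 1 and RequireActiveDirectoryBackup = 0 Then
        objLog.WriteLine "Warning - Determined client Group Policy is configured to require AD escrow of recovery password but is not mandatory. If AD was not available when BitLocker was enabled recovery data may not be escrowed but BitLocker will be enabled."
        BackupMandatory = "0"
    Else
        ' Previously silent; BackupMandatory is intentionally left unchanged here.
        objLog.WriteLine "Group Policy does not enable AD backup of BitLocker recovery information. BackupMandatory left unchanged."
    End If
End Function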
'----------------------------------------------------------------------------------------
'Function 13 - Function used by the EvalGPO function to scan event logs for BitLocker recovery events
'----------------------------------------------------------------------------------------
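Function getBDEEvents()
    ' Scan the System event log for BitLocker recovery-information backup events and
    ' report them: 514 is logged and raised as a status MIF (unsuccessful backup), 513 is
    ' logged only (successful backup).
    ' Reads : strPolicy (set by EvalGPO), objLog
    ' Writes: objWMIService, colBDEEvents, strEventCode, strStatusData, strStatusCode
    ' NOTE(review): the query filters on Logfile and EventCode only, not on SourceName; if
    ' another provider in the System log uses IDs 513/514 those events would be reported too.

    ' Nothing to check when EvalGPO found no FVE policy at all.
    If strPolicy = "1" Then
        Exit Function
    End If
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\root\cimv2")
    ' AND binds tighter than OR in WQL; without the parentheses the original filter also
    ' matched every EventCode 513 from logs other than System.
    Set colBDEEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and (EventCode = '514' or EventCode = '513')")
    If colBDEEvents.Count >= 1 Then
        For Each objBDEEvent in colBDEEvents
            ' EventCode comes back from WMI as a number; normalise to text so the comparison
            ' against the string literals is not subject to mixed-type comparison rules.
            strEventCode = CStr(objBDEEvent.EventCode)
            If strEventCode = "514" Then
                objLog.Writeline "---------------------------------------------------------------------------------"
                ' Was assigned to strStatusCode by mistake, which left strStatusData stale
                ' for both the log line and the MIF below.
                strStatusData = "WARNING - Found event log entry showing unsuccessful recovery information backup."
                objLog.Writeline strStatusData
                objLog.WriteLine "Event log ID: " & objBDEEvent.EventCode
                objLog.WriteLine "Event log message: " & objBDEEvent.Message
                objLog.Writeline "---------------------------------------------------------------------------------"
                strStatusCode = 0
                CreateStatusMIF strStatusData
            ElseIf strEventCode = "513" Then
                objLog.Writeline "---------------------------------------------------------------------------------"
                objLog.Writeline "Found event log entry showing successfull recovery information backup."
                objLog.Writeline "Event log ID: " & objBDEEvent.EventCode
                objLog.Writeline "Event log message: " & objBDEEvent.Message
                objLog.Writeline "---------------------------------------------------------------------------------"
            End If
        Next
    Else
        objLog.WriteLine "Did not find a local event log entry for BitLocker AD backup."
    End If
End Function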
'----------------------------------------------------------------------------------------
'Function 14 - Used to create SMS status MIFs
'----------------------------------------------------------------------------------------
Function CreateStatusMIF(strStatusData)
    ' Emit an SMS install-status MIF carrying strStatusData and the script-level
    ' strStatusCode, but only when SMS reporting was requested (argSMS = "1").
    ' The parameter deliberately shadows the global strStatusData; callers pass the global.
    ' Reads : argSMS, strStatusCode, objLog
    ' Writes: MIF
    err.clear
    If argSMS <> "1" then
        ' Reporting not requested; nothing to do (Err is already clear).
        Exit Function
    End if
    Set MIF=CreateObject("ISMIFCOM.InstallStatusMIF")
    Mif.Create "BitLocker","Microsoft","BitLocker.vbs","1.0","","",strStatusData,strStatusCode
    ' Under On Error Resume Next a failed CreateObject surfaces here as a non-zero Err.
    If Err.number = 0 Then
        objLog.WriteLine "Successfully created the SMS status MIF."
    Else
        objLog.Writeline "Failed to create the SMS status MIF."
    End If
    err.clear
End Function
'----------------------------------------------------------------------------------------
'Function 15 - Check for logged on User
'----------------------------------------------------------------------------------------
Function CheckUser
Set colComputer = objSWbemServices.ExecQuery("Select * from Win32_ComputerSystem")
For Each objComputer in colComputer
If not objComputer.UserName = "" Then
objlog.writeline "The following user is logged on: " & objComputer.UserName
strCurrentUser = "1"