Hello,
We would like to implement BitLocker in our company. We found the BitLocker Enable and Audit packages for this purpose.
After several attempts, we managed to get BitLocker Enable working on one workstation, but not on the next three, even though they have the same installation. For BitLocker Audit, we are unable to retrieve the keys in Active Directory or WAPT. We understand that a certificate list is required; could you provide more details?
Where can we find more in-depth documentation on encryption and saving BitLocker keys via WAPT?
Sincerely,
Paul
[RESOLVED] BitLocker IT infrastructure encryption
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Hello Paul,
I use the tis-audit-bitlocker package. To display the keys in the WAPT console, you need to edit the package and add the names of the certificates of the users authorized to read the audit data.
WAPT Enterprise 2.5.5.15697
Server = Debian 11 Bullseye
Console = Windows Server 2019
--------------------------------------------------------------------------
Johan
Hello Paul,
These are the certificates (linked to your WAPT administrators) that allow you to sign WAPT packages.
Johan
- dcardon
- WAPT Expert
- Messages: 1929
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
Hello
@PaulSLA, regarding the LAPS by WAPT part, it uses the certificates defined in the agent, so there's no need to add any. However, the BitLocker package was written to explicitly request certificates. It's true that we could also reuse the certificates already deployed.
Regards,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
Good morning,
If I understand your explanations and the package code correctly, I simply need to enter the name of the certificate that can see the audit results:
If my certificate is wapt-crt.crt in C:\wapt\ssl, I must do the following:
Code: Select all
target_encryption_method = 7
allow_swap_encryption_method = False # Not implemented yet
decrypt_cert_list = wapt-crt

def install():
    # Adding certificates allowed to decrypt in WAPT
    for cert in decrypt_cert_list:
        cert_path = makepath(WAPT.wapt_base_dir, "ssl", cert)
        if not isfile(cert_path):
            print("Copying: %s" % cert_path)
            filecopyto(cert, cert_path)
And will the script automatically retrieve the certificate for it to function? If I have multiple certificates, should I use commas? Semicolons?
For the BitLocker enable part, I'm getting an error regarding BitLocker Key Protector. Do I need to force the installation of the package on all affected machines, which will remove the BitLocker Key Protector, and then perform a standard installation? Should that work?
Isn't there a way to do this automatically?
Sincerely,
Good morning,
After several attempts on my end, I now get an error during package installation:
Here are the logs:
Code: Select all
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\common.py", line 4010, in install_wapt
    setup = import_setup(setup_filename)
  File "C:\Program Files (x86)\wapt\waptutils.py", line 1525, in import_setup
    py_mod = imp.load_source(modulename, setupfilename)
  File "imp.py", line 171, in load_source
  File "<frozen importlib._bootstrap>", line 702, in _load
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "C:\WINDOWS\TEMP\wapt_3l1xqgx\setup.py", line 73, in <module>
NameError: name 'wapt' is not defined
I simply added the certificate name after "decrypt_cert_list" in the form decrypt_cert_list = certificate_name
Does anyone have any idea what the error might be, unless the package is no longer supported?
Thanks in advance,
Sincerely,
Paul
- dcardon
- WAPT Expert
Hi Paul,
in Python, the hyphen "-" is interpreted as the subtraction operator. So `wapt-crt` is parsed as `wapt - crt` (the variable `wapt` minus the variable `crt`), hence the message that the variable `wapt` doesn't exist.
There must be some missing quotation marks somewhere,
Denis.
Denis Cardon - Tranquil IT
Good morning,
Thank you, that was it, I found it yesterday. I added quotation marks around the certificate and everything is OK with the audit.
Now we have the BitLocker activation part left. We tried using the package from the store, but it's impossible to get it to work. It's always the same thing:
First installation:
Code: Select all
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
    exitstatus = setup.install()
  File "C:\WINDOWS\TEMP\waptzpc2fp1z\setup.py", line 118, in install
  File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
    raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
So I installed it using the force option, and the result was:
Code: Select all
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Remove-BitlockerKeyProtector -MountPoint C: -KeyProtectorId "{92D79314-13A0-475E-B8FC-4195EAEDF1E0}"
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
    exitstatus = setup.install()
  File "C:\WINDOWS\TEMP\wapt_03ore3e\setup.py", line 116, in install
  File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
    raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : BitlockerKeyProtector have been removed on C: please reinstall this package.
EWaptSetupException: Fatal error : BitlockerKeyProtector have been removed on C: please reinstall this package.
That seems fine. So I reinstalled it a second time without the force option, and the result was:
Code: Select all
OK: This computer BIOS boot in UEFI mode
OK: TPM chip found on this system
OK: TPM chip ready
Encrypting: C: drive with BitLocker encryption method: XtsAes256
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\common.py", line 4083, in install_wapt
    exitstatus = setup.install()
  File "C:\WINDOWS\TEMP\waptraxa1eek\setup.py", line 118, in install
  File "C:\Program Files (x86)\wapt\waptutils.py", line 1892, in error
    raise EWaptSetupException('Fatal error : %s' % reason)
waptutils.EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
EWaptSetupException: Fatal error : ERROR: The above PowerShell command appears to be unsuccessful.
You can force install this package to remove BitlockerKeyProtector.
And the problem keeps looping; we haven't touched that package. Creating our own package using a PowerShell script works, but each time we update the package, it re-encrypts all the PCs and creates a new recovery key. This quickly becomes a mess.
Any ideas? Unless I've missed a configuration step, like with the audit package?
Sincerely,
Paul
Good morning,
Could you please type the indicated PowerShell command on an affected machine?
Code: Select all
Enable-Bitlocker -MountPoint C: -EncryptionMethod XtsAes256 -SkipHardwareTest -TpmProtector
You should know more about the sticking point.
There's a good chance it's a GPO that's blocking it.
Sincerely,
Jimmy
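The check Jimmy suggests, expanded into a preflight script for one of the affected workstations. This is an added example, not part of the thread and not code from the tis-bitlocker package or Tranquil IT: it assumes an elevated PowerShell session on a Windows 10/11 workstation with the BitLocker and TrustedPlatformModule modules, and the value names under the FVE policy key and their meanings are taken from Microsoft's BitLocker group policy documentation, not from this thread. It reports the state the package's log hides (existing key protectors, applied policy values) and, only with -Apply, runs the package's exact Enable-BitLocker command while keeping the real error message instead of the generic "appears to be unsuccessful".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the tis-bitlocker package or the forum thread).
# Assumes an elevated PowerShell 5.1 session on a Windows 10/11 workstation with
# the BitLocker module; FVE registry value names and meanings are those documented
# by Microsoft for the BitLocker GPOs (an assumption, not something this thread states).
param(
    [string]$MountPoint = 'C:',
    [string]$EncryptionMethod = 'XtsAes256',
    [switch]$Apply    # without -Apply nothing on the machine is changed
)
$ErrorActionPreference = 'Stop'

# 1. The same hardware checks the package prints, kept visible in the report.
$tpm = Get-Tpm
"Firmware      : $env:firmware_type"
"TPM present   : $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"
try   { "Secure Boot   : $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot   : unavailable ($($_.Exception.Message))" }

# 2. Volume state. The loop in the thread suggests a key protector is created but
#    encryption never starts; a leftover TPM protector typically makes a second
#    Enable-BitLocker -TpmProtector fail on its own (protector already exists).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume status : $($vol.VolumeStatus)   protection: $($vol.ProtectionStatus)   method: $($vol.EncryptionMethod)"
foreach ($kp in $vol.KeyProtector) { "Protector     : $($kp.KeyProtectorType) $($kp.KeyProtectorId)" }
$existingTpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })

# 3. BitLocker GPO values actually applied on this machine (key absent = no policy).
#    Values worth comparing with the package:
#    EncryptionMethodWithXtsOs = 7 is XTS-AES 256, i.e. the package's
#      target_encryption_method = 7; another value conflicts with -EncryptionMethod XtsAes256.
#    OSRecoveryPassword = 2 (recovery password required) or
#      OSRequireActiveDirectoryBackup = 1 (do not enable until escrowed to AD DS)
#      cannot be met by a TPM-only protector, the usual reason such an
#      Enable-BitLocker call is refused.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    'Applied FVE policy values:'
    (Get-ItemProperty -Path $fve).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '  {0,-34} = {1}' -f $_.Name, $_.Value }
} else {
    "No BitLocker policy key at $fve (no BitLocker GPO applied)."
}

# 4. Run the package's exact command, keeping PowerShell's own error text.
if (-not $Apply) {
    'Dry run only; re-run with -Apply to execute the same Enable-BitLocker command as the package.'
    return
}
if ($existingTpm.Count -gt 0) {
    "A TPM protector already exists on $MountPoint; remove it first (Remove-BitLockerKeyProtector, which is what the package's force install does) and re-run."
    return
}
try {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod -SkipHardwareTest -TpmProtector | Out-Null
    "Enable-BitLocker accepted; watch EncryptionPercentage in Get-BitLockerVolume $MountPoint."
} catch {
    "Enable-BitLocker failed: $($_.Exception.Message)"
    exit 1
}
```

Run it first without -Apply on a machine that is stuck in the loop and compare the printed FVE values with the package settings; if the policy requires a recovery password or AD DS escrow, a package that only adds a TPM protector will keep failing at step 4 no matter how many times the protector is removed and re-added.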
