diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1
index 3975548..74a1d6b 100644
--- a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1
+++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1
@@ -12,7 +12,7 @@ function Get-TargetResource
 [System.Int32]
 $MinDiskCapacityGB,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -74,36 +74,8 @@ function Get-TargetResource
 CheckForPreReqs
- #First get all Bitlocker Volumes of type Data
- $allBlvs = Get-BitLockerVolume | where {$_.VolumeType -eq "Data"}
-
- #Filter on size if it was specified
- if ($PSBoundParameters.ContainsKey("MinDiskCapacityGB"))
- {
- $allBlvs = $allBlvs | where {$_.CapacityGB -ge $MinDiskCapacityGB}
- }
-
- #Now find disks of the appropriate drive type, and add them to the collection
- if ($allBlvs -ne $null)
- {
- [Hashtable]$returnValue = @{}
-
- foreach ($blv in $allBlvs)
- {
- $vol = $null
- $vol = Get-Volume -Path $blv.MountPoint -ErrorAction SilentlyContinue | where {$_.DriveType -like $DriveType}
-
- if ($vol -ne $null)
- {
- [Hashtable]$props = @{
- VolumeStatus = $blv.VolumeStatus
- KeyProtectors = $blv.KeyProtector
- EncryptionMethod = $blv.EncryptionMethod
- }
-
- $returnValue.Add($blv.MountPoint, $props)
- }
- }
+ $returnValue = @{
+ DriveType = $DriveType
 }
 $returnValue 
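Review bot: The rewritten Get-TargetResource returns only `DriveType`, so `Get-DscConfiguration` no longer shows whether the matched volumes are encrypted or which key protectors they carry — the per-volume `VolumeStatus`/`KeyProtectors`/`EncryptionMethod` table this hunk removes is exactly what an auditor needs to spot a plaintext or protector-less disk. It also omits the `Required` property `PrimaryProtector` and every other bound parameter, which Get normally echoes back so the reported state is complete. If the old per-mount-point table could not be expressed in the MOF, consider at least returning the bound parameters plus a count, e.g. `$returnValue = @{ DriveType = $DriveType; PrimaryProtector = $PrimaryProtector }`, and add a comment explaining why the volume status was dropped; the same logic now lives in the new GetAutoBitlockerStatus helper further down this diff, so the data is still available to Get.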
@@ -122,7 +94,7 @@ function Set-TargetResource
 [System.Int32]
 $MinDiskCapacityGB,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -184,7 +156,7 @@ function Set-TargetResource
 CheckForPreReqs
- $autoBlVols = Get-TargetResource @PSBoundParameters
+ $autoBlVols = GetAutoBitlockerStatus @PSBoundParameters
 if ($autoBlVols -eq $null)
 {
@@ -210,7 +182,6 @@ function Set-TargetResource
 }
 }
-
 function Test-TargetResource
 {
 [CmdletBinding()]
@@ -225,7 +196,7 @@ function Test-TargetResource
 [System.Int32]
 $MinDiskCapacityGB,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -287,7 +258,7 @@ function Test-TargetResource
 CheckForPreReqs
- $autoBlVols = Get-TargetResource @PSBoundParameters
+ $autoBlVols = GetAutoBitlockerStatus @PSBoundParameters
 if ($autoBlVols -eq $null)
 { 
@@ -315,8 +286,113 @@ function Test-TargetResource
 return $true
 }
+function GetAutoBitlockerStatus
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [ValidateSet("Fixed","Removable")]
+ [System.String]
+ $DriveType,
+
+ [System.Int32]
+ $MinDiskCapacityGB,
-Export-ModuleMember -Function *-TargetResource
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $PrimaryProtector,
+
+ [System.String]
+ $AdAccountOrGroup,
+
+ [System.Boolean]
+ $AdAccountOrGroupProtector,
+
+ [System.Boolean]
+ $AutoUnlock = $false,
+
+ [ValidateSet("Aes128","Aes256")]
+ [System.String]
+ $EncryptionMethod,
+
+ [System.Boolean]
+ $HardwareEncryption,
+
+ [System.Management.Automation.PSCredential]
+ $Password,
+
+ [System.Boolean]
+ $PasswordProtector,
+
+ [System.Management.Automation.PSCredential]
+ $Pin,
+
+ [System.String]
+ $RecoveryKeyPath,
+
+ [System.Boolean]
+ $RecoveryKeyProtector,
+
+ [System.Boolean]
+ $RecoveryPasswordProtector,
+
+ [System.Boolean]
+ $Service,
+
+ [System.Boolean]
+ $SkipHardwareTest,
+
+ [System.String]
+ $StartupKeyPath,
+
+ [System.Boolean]
+ $StartupKeyProtector,
+
+ [System.Boolean]
+ $TpmProtector,
+
+ [System.Boolean]
+ $UsedSpaceOnly
+ )
+
+ #First get all Bitlocker Volumes of type Data
+ $allBlvs = Get-BitLockerVolume | where {$_.VolumeType -eq "Data"}
+
+ #Filter on size if it was specified
+ if ($PSBoundParameters.ContainsKey("MinDiskCapacityGB"))
+ {
+ $allBlvs = $allBlvs | where {$_.CapacityGB -ge $MinDiskCapacityGB}
+ }
+
+ #Now find disks of the appropriate drive type, and add them to the collection
+ if ($allBlvs -ne $null)
+ {
+ [Hashtable]$returnValue = @{}
+
+ foreach ($blv in $allBlvs)
+ {
+ $vol = $null
+ $vol = Get-Volume -Path $blv.MountPoint -ErrorAction SilentlyContinue | where {$_.DriveType -like $DriveType}
+ if ($vol -ne $null)
+ {
+ [Hashtable]$props = @{
+ 
VolumeStatus = $blv.VolumeStatus
+ KeyProtectors = $blv.KeyProtector
+ EncryptionMethod = $blv.EncryptionMethod
+ }
+
+ $returnValue.Add($blv.MountPoint, $props)
+ }
+ }
+ }
+
+ $returnValue
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof
index 1a1e5a0..419b839 100644
--- a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof
+++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof
@@ -6,7 +6,7 @@ class MSFT_xBLAutoBitlocker : OMI_BaseResource
 [Key, ValueMap{"Fixed","Removable"}, Values{"Fixed","Removable"}] String DriveType; //The type of volume, as reported by Get-Volume, to auto apply Bitlocker to
 [Write] Sint32 MinDiskCapacityGB; //If specified, only disks this size or greater will auto apply Bitlocker
- [Required, ValueMap{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector;
+ [Required, ValueMap{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector;
 [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
 //Remaing properties correspond directly to Enable-Bitlocker parameters
@@ -30,4 +30,3 @@ class MSFT_xBLAutoBitlocker : OMI_BaseResource
 };
-
diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1
index 2e5b244..295a4b5 100644
--- a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 
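Review bot: In GetAutoBitlockerStatus `$returnValue` is only ever assigned inside `if ($allBlvs -ne $null)`, so when no data volume survives the filters the function emits nothing (and errors under `Set-StrictMode`); the callers in Set-TargetResource and Test-TargetResource currently test `-eq $null`, which happens to work, but any later `.Count` or `.Keys` access on the result would break. Initialise the table before the filters with `[Hashtable]$returnValue = @{}` and let the empty case fall through. The helper also accepts `$Password` and `$Pin` credentials it never reads — harmless, but it means secrets are splatted into a read-only status function; a comment saying the parameter list mirrors the resource only so that `@PSBoundParameters` splatting works would make that deliberate. Note too that `Get-Volume -Path $blv.MountPoint -ErrorAction SilentlyContinue` drops a volume silently when the lookup fails, so a disk that should be encrypted can fall out of scope with no verbose output; a `Write-Verbose` in the `$vol -eq $null` case would make that visible.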
+++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1
@@ -8,7 +8,7 @@ function Get-TargetResource
 [System.String]
 $MountPoint,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -73,18 +73,10 @@ function Get-TargetResource
 CheckForPreReqs
- $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
-
- if ($blv -ne $null)
- {
- $returnValue = @{
- MountPoint = $MountPoint
- VolumeStatus = $blv.VolumeStatus
- KeyProtectors = $blv.KeyProtector
- EncryptionMethod = $blv.EncryptionMethod
- }
+ $returnValue = @{
+ MountPoint = $MountPoint
 }
-
+
 $returnValue
 }
@@ -98,7 +90,7 @@ function Set-TargetResource
 [System.String]
 $MountPoint,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -176,7 +168,7 @@ function Test-TargetResource
 [System.String]
 $MountPoint,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -249,4 +241,3 @@ function Test-TargetResource
 Export-ModuleMember -Function *-TargetResource
-
diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof
index 17b21b1..1ca2f91 100644 
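Review bot: Removing the `Get-BitLockerVolume` lookup makes Get-TargetResource return `@{ MountPoint = $MountPoint }` even for a mount point that does not exist, and it no longer reports `VolumeStatus`, `KeyProtectors` or `EncryptionMethod`, so a reporting server can no longer tell an encrypted volume from a plaintext one through this resource. If the motivation was that returning `$null` violates DSC's Get contract, keep the lookup and always return the key while filling in state when the volume is present: `$returnValue = @{ MountPoint = $MountPoint }` followed by `if ($blv -ne $null) { $returnValue.VolumeStatus = $blv.VolumeStatus; $returnValue.KeyProtectors = $blv.KeyProtector; $returnValue.EncryptionMethod = $blv.EncryptionMethod }`. Whether those fields can be returned depends on the schema MOF declaring them as `[Read]` properties, which this diff does not show — confirm before re-adding them.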
--- a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof
+++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof
@@ -3,7 +3,7 @@ class MSFT_xBLBitlocker : OMI_BaseResource
 {
 [Key] String MountPoint; //The MountPoint name as reported in Get-BitLockerVolume
- [Required, ValueMap{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector; //The type of key protector that will be used as the primary key protector
+ [Required, ValueMap{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector; //The type of key protector that will be used as the primary key protector
 [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
 [Write] Boolean AllowImmediateReboot; //Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false.
@@ -28,4 +28,3 @@ class MSFT_xBLBitlocker : OMI_BaseResource
 };
-
diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
index eab7128..4ba5627 100644
--- a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
+++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
@@ -19,7 +19,6 @@ function Get-TargetResource
 {
 $returnValue = @{
 Identity = $Identity
- TpmReady = $tpm.TpmReady
 }
 } 
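Review bot: Dropping `TpmReady` from the xBLTpm Get-TargetResource return leaves only the key `Identity`, so `Get-DscConfiguration` can no longer say whether the TPM has actually been initialised — the one fact this resource exists to establish. If the field was removed because the schema MOF has no matching property, the fix is to add `[Read] Boolean TpmReady;` to MSFT_xBLTpm.schema.mof (its hunk below only drops a trailing blank line) and keep `TpmReady = $tpm.TpmReady` here, assuming `$tpm` is still populated above this hunk; the enclosing function starts outside the hunk.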
@@ -59,18 +58,15 @@ function Set-TargetResource
 {
 if ($tpm.RestartRequired -eq $true)
 {
+ $global:DSCMachineStatus = 1
+
 if ($AllowImmediateReboot -eq $true)
 {
- Write-Verbose "Forcing an immediate reboot of the computer"
+ Write-Verbose "Forcing an immediate reboot of the computer in 30 seconds"
+ Start-Sleep -Seconds 30
 Restart-Computer -Force
 }
- else
- {
- Write-Verbose "Setting DSCMachineStatus to 1"
-
- $global:DSCMachineStatus = 1
- }
 }
 }
 else
@@ -120,4 +116,3 @@ function Test-TargetResource
 Export-ModuleMember -Function *-TargetResource
-
diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
index 8523338..383c7bc 100644
--- a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
+++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
@@ -9,4 +9,3 @@ class MSFT_xBLTpm : OMI_BaseResource
 };
-
diff --git a/Misc/xBitlockerCommon.psm1 b/Misc/xBitlockerCommon.psm1
index c0bea75..a89d9e0 100644
--- a/Misc/xBitlockerCommon.psm1
+++ b/Misc/xBitlockerCommon.psm1
@@ -8,7 +8,7 @@ function EnableBitlocker
 [System.String]
 $MountPoint,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector, 
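Review bot: The new `Start-Sleep -Seconds 30` before `Restart-Computer -Force` is an unexplained magic delay that blocks the LCM inside Set-TargetResource, and because `$global:DSCMachineStatus = 1` is now set unconditionally just above it, the LCM will also want to reboot once the resource returns; the wait reads like an attempt to let DSC record that flag before the forced restart, but nothing in the hunk says so. Add a why-comment such as `# give the LCM a moment to persist DSCMachineStatus before the forced restart`, or drop the in-resource `Restart-Computer` entirely and rely on `RebootNodeIfNeeded`, since a forced reboot from inside a resource interrupts whatever else the configuration was applying. The identical block is introduced in EnableBitlocker in xBitlockerCommon.psm1 further down, so the two copies should be kept in step or factored into one helper; Set-TargetResource begins outside this hunk.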
@@ -77,44 +77,47 @@ function EnableBitlocker
 if ($blv -ne $null)
 {
- #Add key protectors other than the primary key protector prior to running Enable-Bitlocker
- if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(ContainsKeyProtector -Type "AdAccountOrGroupProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("TpmProtector") -and $PrimaryProtector -ne "TpmProtector")
+ {
+ throw "If TpmProtector is used, it must be the PrimaryProtector."
+ }
+
+ if ($PSBoundParameters.ContainsKey("Pin") -and !($PSBoundParameters.ContainsKey("TpmProtector")))
+ {
+ throw "A TpmProtector must be used if Pin is used."
+ }
+
+ if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(ContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector))
 {
 Write-Verbose "Adding AdAccountOrGroupProtector"
 Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $AdAccountOrGroup
 }
- if ($PSBoundParameters.ContainsKey("PasswordProtector") -and $PrimaryProtector -notlike "PasswordProtector" -and !(ContainsKeyProtector -Type "PasswordProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("PasswordProtector") -and $PrimaryProtector -notlike "PasswordProtector" -and !(ContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector))
 {
 Write-Verbose "Adding PasswordProtector"
 Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password.Password
 }
- if ($PSBoundParameters.ContainsKey("Pin") -and $PrimaryProtector -notlike "Pin" -and !(ContainsKeyProtector -Type "Pin" -KeyProtectorCollection $blv.KeyProtector))
- {
- Write-Verbose "Adding Pin"
- Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $Pin.Password
- }
-
- if 
($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and $PrimaryProtector -notlike "RecoveryKeyProtector" -and !(ContainsKeyProtector -Type "RecoveryKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and $PrimaryProtector -notlike "RecoveryKeyProtector" -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector))
 {
 Write-Verbose "Adding RecoveryKeyProtector"
 Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath
 }
- if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and $PrimaryProtector -notlike "RecoveryPasswordProtector" -and !(ContainsKeyProtector -Type "RecoveryPasswordProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and $PrimaryProtector -notlike "RecoveryPasswordProtector" -and !(ContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector))
 {
 Write-Verbose "Adding RecoveryPasswordProtector"
- Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector $RecoveryPasswordProtector
+ Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
 }
- if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -notlike "StartupKeyProtector" -and !(ContainsKeyProtector -Type "StartupKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -notlike "TpmProtector" -and $PrimaryProtector -notlike "StartupKeyProtector" -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector))
 {
 Write-Verbose "Adding StartupKeyProtector"
 Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath
 }
- if ($PSBoundParameters.ContainsKey("TpmProtector") -and $PrimaryProtector -notlike "TpmProtector" -and 
!(ContainsKeyProtector -Type "TpmProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("TpmProtector") -and $PrimaryProtector -notlike "TpmProtector" -and !(ContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true))
 {
 Write-Verbose "Adding TpmProtector"
 Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector $TpmProtector
@@ -123,8 +126,6 @@ function EnableBitlocker
 #Now enable Bitlocker with the primary key protector
 if ($blv.VolumeStatus -eq "FullyDecrypted")
 {
- Write-Verbose "Running Enable-Bitlocker"
-
 #First add non-key related parameters
 $params = @{}
 $params.Add("MountPoint", $MountPoint) 
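Review bot: `RecoveryKeyProtector` and `StartupKeyProtector` are both detected with `ContainsKeyProtector -Type "ExternalKey"`, so on a volume that already carries one of them the other is never added, and a configuration that asks for both is silently left with one — an external recovery key and a startup key are different protectors to an operator even though BitLocker reports both as `ExternalKey`. Telling them apart likely needs more than the type name (the protector's key file name, if the object exposes it — verify), or at minimum a `Write-Verbose` warning that the check is ambiguous when both switches are bound. Separately, the final `TpmProtector` branch is now unreachable: the new `throw` at the top of the hunk rejects any `TpmProtector` that is not also the PrimaryProtector, yet the branch only runs when `$PrimaryProtector -notlike "TpmProtector"`, and it still passes `-TpmProtector $TpmProtector` positionally — the same mistake this hunk fixes for RecoveryPasswordProtector. Either delete the branch or change the call to `Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector`; EnableBitlocker continues outside the hunk.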
@@ -155,24 +156,40 @@ function EnableBitlocker
 }
 #Now add the primary protector
- if ($PrimaryProtector -like "AdAccountOrGroupProtector")
- {
- $params.Add("AdAccountOrGroupProtector", $true)
- $params.Add("AdAccountOrGroup", $AdAccountOrGroup)
- }
- elseif ($PrimaryProtector -like "PasswordProtector")
+ $handledTpmAlready = $false
+
+ #Deal with a couple one off cases
+ if ($PSBoundParameters.ContainsKey("Pin"))
 {
- $params.Add("PasswordProtector", $true)
- $params.Add("Password", $Password.Password)
+ $handledTpmAlready = $true
+
+ $params.Add("Pin", $Pin.Password)
+
+ if ($PSBoundParameters.ContainsKey("StartupKeyProtector"))
+ {
+ $params.Add("TpmAndPinAndStartupKeyProtector", $true)
+ $params.Add("StartupKeyPath", $StartupKeyPath)
+ }
+ else
+ {
+ $params.Add("TpmAndPinProtector", $true)
+ }
 }
- elseif ($Pin -like "Pin")
+
+ if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -like "TpmProtector" -and $handledTpmAlready -eq $false)
 {
- $params.Add("Pin", $Pin.Password)
+ $handledTpmAlready = $true
+
+ $params.Add("TpmAndStartupKeyProtector", $true)
+ $params.Add("StartupKeyPath", $StartupKeyPath)
 }
- elseif ($PrimaryProtector -like "RecoveryKeyProtector")
+
+
+ #Now deal with the standard primary protectors
+ if ($PrimaryProtector -like "PasswordProtector")
 {
- $params.Add("RecoveryKeyProtector", $true)
- $params.Add("RecoveryKeyPath", $RecoveryKeyPath)
+ $params.Add("PasswordProtector", $true)
+ $params.Add("Password", $Password.Password)
 }
 elseif ($PrimaryProtector -like "RecoveryPasswordProtector")
 { 
@@ -183,12 +200,14 @@ function EnableBitlocker
 $params.Add("StartupKeyProtector", $true)
 $params.Add("StartupKeyPath", $StartupKeyPath)
 }
- elseif ($PrimaryProtector -like "TpmProtector")
+ elseif ($PrimaryProtector -like "TpmProtector" -and $handledTpmAlready -eq $false)
 {
 $params.Add("TpmProtector", $true)
 }
 #Run Enable-Bitlocker
+ Write-Verbose "Running Enable-Bitlocker"
+
 $newBlv = Enable-Bitlocker @params
 #Check if the Enable succeeded
@@ -196,18 +215,15 @@ function EnableBitlocker
 {
 if ($blv.VolumeType -eq "OperatingSystem") #Only initiate reboot if this is an OS drive
 {
+ $global:DSCMachineStatus = 1
+
 if ($AllowImmediateReboot -eq $true)
 {
- Write-Verbose "Forcing an immediate reboot of the computer"
+ Write-Verbose "Forcing an immediate reboot of the computer in 30 seconds"
+ Start-Sleep -Seconds 30
 Restart-Computer -Force
 }
- else
- {
- Write-Verbose "Setting DSCMachineStatus to 1"
-
- $global:DSCMachineStatus = 1
- }
 }
 }
 else
@@ -239,7 +255,7 @@ function TestBitlocker
 [System.String]
 $MountPoint,
- [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [ValidateSet("PasswordProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
 [parameter(Mandatory = $true)]
 [System.String]
 $PrimaryProtector,
@@ -314,11 +330,6 @@ function TestBitlocker
 Write-Verbose "No key protectors on MountPoint: $($MountPoint)"
 return $false
 }
- elseif ($blv.VolumeStatus -eq "FullyDecrypted")
- {
- Write-Verbose "MountPoint has a status of FullyDecrypted: $($MountPoint)"
- return $false
- }
 elseif ($AutoUnlock -eq $true -and $blv.AutoUnlockEnabled -ne $true)
 {
 Write-Verbose "AutoUnlock is not enabled for MountPoint: $($MountPoint)" 
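Review bot: Deleting the `elseif ($blv.VolumeStatus -eq "FullyDecrypted")` branch from TestBitlocker means a volume that has key protectors but is not encrypted — for instance after `Add-BitLockerKeyProtector` succeeded and `Enable-Bitlocker` failed or never ran — now reports compliant, so DSC stops trying to encrypt it and reporting shows it as protected. The release note says this was done to stop protectors being re-added, which suggests the real trigger is an OS drive that stays `FullyDecrypted` until the hardware-test reboot; if so, narrow the check to data volumes rather than removing it: `elseif ($blv.VolumeStatus -eq "FullyDecrypted" -and $blv.VolumeType -ne "OperatingSystem") { Write-Verbose "MountPoint has a status of FullyDecrypted: $($MountPoint)"; return $false }` — confirm against what `Get-BitLockerVolume` reports for an OS drive awaiting that reboot. The `Start-Sleep -Seconds 30` / `Restart-Computer -Force` block in the reboot hunk above duplicates MSFT_xBLTpm and carries the same unexplained delay; both functions start outside these hunks.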
@@ -326,31 +337,57 @@ function TestBitlocker
 }
 else
 {
- if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and !(ContainsKeyProtector -Type "AdAccountOrGroupProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and !(ContainsKeyProtector -Type "AdAccountOrGroup" -KeyProtectorCollection $blv.KeyProtector))
 {
- Write-Verbose "MountPoint '$($MountPoint) 'does not have AdAccountOrGroupProtector"
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have AdAccountOrGroupProtector (AdAccountOrGroup)"
 return $false
 }
- if ($PSBoundParameters.ContainsKey("PasswordProtector") -and !(ContainsKeyProtector -Type "PasswordProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("PasswordProtector") -and !(ContainsKeyProtector -Type "Password" -KeyProtectorCollection $blv.KeyProtector))
 {
- Write-Verbose "MountPoint '$($MountPoint) 'does not have PasswordProtector"
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have PasswordProtector (Password)"
 return $false
 }
- if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(ContainsKeyProtector -Type "RecoveryKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("Pin") -and !(ContainsKeyProtector -Type "TpmPin" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true))
 {
- Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryKeyProtector"
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmPin assigned." 
+ return $false
+ }
+
+ if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryKeyProtector (ExternalKey)"
 return $false
 }
- if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and !(ContainsKeyProtector -Type "StartupKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and !(ContainsKeyProtector -Type "RecoveryPassword" -KeyProtectorCollection $blv.KeyProtector))
 {
- Write-Verbose "MountPoint '$($MountPoint) 'does not have StartupKeyProtector"
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryPasswordProtector (RecoveryPassword)"
 return $false
 }
- if ($PSBoundParameters.ContainsKey("TpmProtector") -and !(ContainsKeyProtector -Type "TpmProtector" -KeyProtectorCollection $blv.KeyProtector))
+ if ($PSBoundParameters.ContainsKey("StartupKeyProtector"))
+ {
+ if ($PrimaryProtector -notlike "TpmProtector")
+ {
+ if (!(ContainsKeyProtector -Type "ExternalKey" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have StartupKeyProtector (ExternalKey)"
+ return $false
+ }
+ }
+ else #TpmProtector is primary
+ {
+ if(!(ContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true) -and !(ContainsKeyProtector -Type "StartupKey" -KeyProtectorCollection $blv.KeyProtector -Contains $true))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have TPM + StartupKey protector."
+ return $false
+ }
+ }
+ }
+
+ if ($PSBoundParameters.ContainsKey("TpmProtector") -and !(ContainsKeyProtector -Type "Tpm" -KeyProtectorCollection $blv.KeyProtector -StartsWith $true))
 {
 Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmProtector"
 return $false 
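Review bot: In the `#TpmProtector is primary` branch the two negated checks are joined with `-and`, so a volume carrying only a plain `Tpm` protector satisfies `ContainsKeyProtector -Type "Tpm" -StartsWith $true`, the whole condition is false, and TestBitlocker reports a TPM+StartupKey configuration compliant although no startup key protector exists — the volume can then be unlocked by the TPM alone, which is weaker than what the configuration asked for. The `StartsWith "Tpm"` clause adds nothing, since every TPM-based protector type name starts with it; the check should be the `StartupKey` substring alone: `if (!(ContainsKeyProtector -Type "StartupKey" -KeyProtectorCollection $blv.KeyProtector -Contains $true))`. The same prefix matching is used for `TpmPin`, which is fine as long as the enum names follow the `TpmPin…` pattern; a one-line comment at that call site saying the match is deliberately prefix-based would spare the next reader the guess. TestBitlocker continues outside the hunk.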
@@ -399,7 +436,7 @@ function CheckForPreReqs
 #Checks whether the KeyProtectorCollection returned from Get-BitlockerVolume contains the specified key protector type
 function ContainsKeyProtector
 {
- param([string]$Type, $KeyProtectorCollection)
+ param([string]$Type, $KeyProtectorCollection, [bool]$StartsWith = $false, [bool]$EndsWith = $false, [bool]$Contains = $false)
 if ($KeyProtectorCollection -ne $null)
 {
@@ -409,6 +446,18 @@ function ContainsKeyProtector
 {
 return $true
 }
+ elseif ($StartsWith -eq $true -and $keyProtector.KeyProtectorType.ToString().StartsWith($Type))
+ {
+ return $true
+ }
+ elseif ($EndsWith -eq $true -and $keyProtector.KeyProtectorType.ToString().EndsWith($Type))
+ {
+ return $true
+ }
+ elseif ($Contains -eq $true -and $keyProtector.KeyProtectorType.ToString().Contains($Type))
+ {
+ return $true
+ }
 }
 }
diff --git a/README.md b/README.md
index 69c4b11..e53cc24 100644
--- a/README.md
+++ b/README.md 
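Review bot: The new `StartsWith`/`EndsWith`/`Contains` matching modes are undocumented, and the existing header comment ("contains the specified key protector type") now undersells what the function does: with `-StartsWith $true` a `-Type "Tpm"` also matches `TpmPin` and `TpmStartupKey`, which the TestBitlocker callers rely on. Extend the comment above the function to say that `$Type` is compared against `KeyProtectorType.ToString()`, that the default is an exact match, and that the three switches widen it to prefix, suffix or substring matching, checked in that order. `StartsWith($Type)` with a single string argument is culture-sensitive in .NET; passing `[System.StringComparison]::Ordinal` would make the comparison deterministic, though the enum names in play are plain ASCII, so this is a hardening note rather than a bug. The exact-match branch and the loop header lie outside the hunk.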
@@ -5,12 +5,6 @@ The **xBitlocker** module is a part of the Windows PowerShell Desired State Conf
 This module contains the **xBLAutoBitlocker, xBLBitlocker, xBLTpm** resources. This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.
-**All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service.
-The ""x" in xBitlocker stands for experimental**, which means that these resources will be **fix forward** and monitored by the module owner(s).
-
-If you would like to modify **xBitlocker** module, feel free.
-When modifying, please update the module name, resource friendly name, and MOF class name (instructions below).
-As specified in the license, you may copy or modify this resource as long as they are used on the Windows Platform.
 ## Contributing
 Please check out common DSC Resources [contributing guidelines](https://github.com/PowerShell/DscResource.Kit/blob/master/CONTRIBUTING.md).
@@ -19,11 +13,11 @@ Please check out common DSC Resources [contributing guidelines](https://github.c
 To install **xBitlocker** module
-* Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder
+* Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder
 To confirm installation:
-* Run **Get-DSCResource** to see that **xBLAutoBitlocker, xBLBitlocker, xBLTpm** are among the DSC Resources listed
+* Run **Get-DSCResource** to see that **xBLAutoBitlocker, xBLBitlocker, xBLTpm** are among the DSC Resources listed
 ## Requirements 
@@ -104,7 +98,14 @@ Defaults to false.
 ## Versions
-1.0.0.0
+### 1.0.1.1
+
+* Reduced the number of acceptable values for PrimaryProtector in xBLAutoBitlocker and xBLBitlocker.
+* Changed the properties that are returned by Get-TargetResource in xBLAutoBitlocker, xBLBitlocker, and xBLTpm.
+* Fixed issue which caused protectors to be continually re-added.
+
+
+### 1.0.0.0
 * Initial release with the following resources
 * xBLAutoBitlocker
diff --git a/Test/Test-xBitlocker.ps1 b/Test/Test-xBitlocker.ps1
index f50abd2..7611fd9 100644
--- a/Test/Test-xBitlocker.ps1
+++ b/Test/Test-xBitlocker.ps1
@@ -1,4 +1,10 @@
 $showVerbose = $true
+$showValidSettings -eq $true
+
+if ($pin -eq $null)
+{
+ $pin = Get-Credential -Message "Enter the Bitlocker Pin in the password field"
+}
 #Define the parameters that can be passed into individual tests
 $blParams1 = @{ 
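Review bot: `$showValidSettings -eq $true` is a comparison whose result is discarded, not an assignment — it sets nothing, and `$showValidSettings` is not read anywhere in the hunks shown; it was almost certainly meant to be `$showValidSettings = $true`. The `Get-Credential` prompt for the PIN is fine for an interactive run, but the credential it collects is later reused as the volume `Password` in `$blParams9`, so either the prompt text should say so or a second credential should be collected under its own name.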
@@ -7,10 +13,86 @@ $blParams1 = @{
 StartupKeyProtector = $true
 StartupKeyPath = "A:"
 RecoveryPasswordProtector = $true
- AllowImmediateReboot = $false
 UsedSpaceOnly = $true
 }
+$blParams2 = @{
+ MountPoint = "C:"
+ PrimaryProtector = "StartupKeyProtector"
+ StartupKeyProtector = $true
+ StartupKeyPath = "A:"
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams3 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'TpmProtector'
+ RecoveryPasswordProtector = $true
+ TpmProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams4 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'TpmProtector'
+ Pin = $pin
+ TpmProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams5 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'TpmProtector'
+ StartupKeyProtector = $true
+ StartupKeyPath = "E:"
+ TpmProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams6 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'TpmProtector'
+ StartupKeyProtector = $true
+ StartupKeyPath = "E:"
+ Pin = $pin
+ TpmProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams7 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'StartupKeyProtector'
+ AdAccountOrGroupProtector = $true
+ AdAccountOrGroup = "mikelab.local\ucctest"
+ StartupKeyProtector = $true
+ StartupKeyPath = 'A:'
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams8 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'RecoveryPasswordProtector'
+ AdAccountOrGroupProtector = $true
+ AdAccountOrGroup = "mikelab.local\ucctest"
+ StartupKeyProtector = $true
+ StartupKeyPath = 'A:'
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+}
+
+$blParams9 = @{
+ MountPoint = 'C:'
+ PrimaryProtector = 'PasswordProtector'
+ StartupKeyProtector = $true
+ StartupKeyPath = 'A:'
+ PasswordProtector = $true
+ Password = $pin
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+}
+
 $autoBlParams1 = @{
 DriveType = "Fixed"
 MinDiskCapacityGB = 20 
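Review bot: Every new parameter set targets `MountPoint = 'C:'`, the OS drive of whatever machine runs the script, and `$blParams7`/`$blParams8` hard-code a lab identity `mikelab.local\ucctest` as the AD protector; outside that lab the AD cases fail on an unresolvable principal while the rest still encrypt a real system drive with a startup key expected on `A:`. Hoist the mount point and the AD principal into variables at the top of the script beside `$pin`, e.g. `$testMountPoint = 'C:'` and `$testAdPrincipal = 'mikelab.local\ucctest'`, so a tester can point the suite at a scratch VM or data volume without editing nine hashtables.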
@@ -19,6 +101,19 @@ $autoBlParams1 = @{
 UsedSpaceOnly = $true
 }
+function DisableBitlocker
+{
+ $blv = Get-BitLockerVolume
+
+ foreach ($v in $blv)
+ {
+ if ($v.KeyProtector -ne $null -and $v.KeyProtector.Count -gt 0)
+ {
+ $v | Disable-BitLocker | Out-Null
+ }
+ }
+}
+
 #Compares two values and reports whether they are the same or not
 function CheckSetting($testName, $expectedValue, $actualValue)
 {
@@ -47,6 +142,10 @@ function RunTest
 Import-Module $modulePath
 }
+ DisableBitlocker
+
+ Write-Verbose "Beginning test '$($TestName)'"
+
 if ($showVerbose -eq $true)
 {
 Set-TargetResource @Parameters -Verbose
@@ -59,7 +158,7 @@ function RunTest
 }
 else
 {
- #Set-TargetResource @Parameters
+ Set-TargetResource @Parameters
 $getResult = Get-TargetResource @Parameters
 checkSetting -testName "$($TestName): Get" -expectedValue $true -actualValue ($getResult -ne $null) 
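Review bot: `DisableBitlocker` runs `Disable-BitLocker` against every volume on the host that has a key protector, not just the mount point the test is about to configure, and `Disable-BitLocker` returns while decryption is still running, so the `Set-TargetResource` that `RunTest` calls immediately afterwards sees a volume in `DecryptionInProgress` rather than the `FullyDecrypted` state EnableBitlocker requires. Scope the helper to the test's mount point and poll `VolumeStatus` until decryption has finished, then call it as `DisableBitlocker -MountPoint $Parameters.MountPoint` from RunTest; the script is then safe to run on a machine that has other encrypted volumes. RunTest begins outside these hunks.

```powershell
function DisableBitlocker
{
    param([string[]]$MountPoint = @('C:'))

    foreach ($v in (Get-BitLockerVolume | where {$MountPoint -contains $_.MountPoint}))
    {
        if ($v.KeyProtector -ne $null -and $v.KeyProtector.Count -gt 0)
        {
            $v | Disable-BitLocker | Out-Null

            # Disable-BitLocker returns before decryption completes; wait so the next Set does not race it
            while ((Get-BitLockerVolume -MountPoint $v.MountPoint).VolumeStatus -ne 'FullyDecrypted')
            {
                Start-Sleep -Seconds 5
            }
        }
    }
}
```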
@@ -82,13 +181,21 @@ function RunTests
 
     if ("TestBitlocker" -like $Filter)
     {
-        RunTest -TestName "TestBitlocker1" -ModulesToImport "MSFT_xBitlocker" -Parameters $blParams1
+        RunTest -TestName "TestBitlocker1" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams1
+        RunTest -TestName "TestBitlocker2" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams2
+        #RunTest -TestName "TestBitlocker3" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams3
+        #RunTest -TestName "TestBitlocker4" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams4
+        #RunTest -TestName "TestBitlocker5" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams5
+        #RunTest -TestName "TestBitlocker6" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams6
+        RunTest -TestName "TestBitlocker7" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams7
+        RunTest -TestName "TestBitlocker8" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams8
+        RunTest -TestName "TestBitlocker9" -ModulesToImport "MSFT_xBLBitlocker" -Parameters $blParams9
     }
 
     if ("TestAutoBitlocker" -like $Filter)
     {
-        RunTest -TestName "TestAutoBitlocker1" -ModulesToImport "MSFT_xAutoBitlocker" -Parameters $autoBlParams1
+        RunTest -TestName "TestAutoBitlocker1" -ModulesToImport "MSFT_xBLAutoBitlocker" -Parameters $autoBlParams1
     }
 }
 
-RunTests -Filter "TestAutoBitlocker*"
+RunTests -Filter "TestBitlocker*"
diff --git a/xBitlocker.psd1 b/xBitlocker.psd1
index a6f57a1..875ace5 100644
--- a/xBitlocker.psd1
+++ b/xBitlocker.psd1
@@ -12,7 +12,7 @@
 # RootModule = ''
 
 # Version number of this module.
-ModuleVersion = '1.0.0.0'
+ModuleVersion = '1.0.1.1'
 
 # ID used to uniquely identify this module
 GUID = 'dc4f3fd0-4e1d-4916-84f8-d0bb89d52507'
@@ -95,4 +95,3 @@ AliasesToExport = '*'
 
 }
 
-
diff --git a/xBitlocker_Documentation.html b/xBitlocker_Documentation.html
deleted file mode 100644
index 9330600..0000000
--- a/xBitlocker_Documentation.html
+++ /dev/null
@@ -1,249 +0,0 @@
-
-
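Review bot: The trailing call flips from `RunTests -Filter "TestAutoBitlocker*"` to `RunTests -Filter "TestBitlocker*"`, so the auto-BitLocker test no longer runs by default even though its module name was just corrected, and TestBitlocker3-6 are commented out with no stated reason, leaving a reader unable to tell which cases are expected to pass. Add a line above the commented calls such as `# TestBitlocker3-6 use TpmProtector and are disabled because the test host has no TPM (verify)` — the reason is my inference from the four sets all using `TpmProtector`. Because `RunTests` is invoked unconditionally at the bottom of the file, simply dot-sourcing the script starts decrypting and re-encrypting the host's drives; consider taking the filter from a script parameter and only calling `RunTests` when one is supplied.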
- -

Introduction

-

The xBitlocker module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is -a collection of DSC Resources produced by the PowerShell Team. This module contains the xBLAutoBitlocker, xBLBitlocker, xBLTpm resources. This DSC -Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.

-

All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program -or service. The ""x" in xBitlocker stands for experimental, which means that these resources will be fix forward -and monitored by the module owner(s).

-

Please leave comments, feature requests, and bug reports in the Q & A tab for this module.

-

If you would like to modify xBitlocker module, feel free. When modifying, please update the module name, resource friendly name, -and MOF class name (instructions below). As specified in the license, you may copy or modify this resource as long as they are used on the Windows Platform.

-

For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the -PowerShell Blog (this is a good starting point). There are -also great community resources, such as PowerShell.org, or -PowerShell Magazine. For more information on the DSC Resource Kit, check out -this blog post.

- -

Installation

-

To install xBitlocker module

- -

To confirm installation:

- - -

Requirements

-

This module requires that both the 'Bitlocker' and 'RSAT-Feature-Tools-Bitlocker' features are installed. It also requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems, -install WMF 4.0. Please read the installation instructions -that are present on both the download page and the release notes for WMF 4.0.

- -

Description

-

The xBitlocker module contains the xBLAutoBitlocker, xBLBitlocker, xBLTpm DSC Resources. This DSC -Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.

- -

Details

-

xBLAutoBitlocker is used to automatically enable Bitlocker on drives of type Fixed or Removable. It does not work on Operating System drives. xBLAutoBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.

- - -

xBLBitlocker has the following properties. Where no description is listed, properties correspond directly to Enable-Bitlocker parameters.

- - -

xBLTpm is used to initialize a TPM chip using Initialize-TPM. xBLTpm has the following properties.

- - - - -

Renaming Requirements

-

When making changes to these resources, we suggest the following practice:

-
    -
  1. - Update the following names by replacing MSFT with your company/community name and replacing the "x" with "c" (short for "Community") or another prefix of your choice: -
      -
    • - Module name (ex: xBitlocker becomes cBitlocker) -
    • -
    • - Resource folder (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker) -
    • -
    • - Resource Name (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker) -
    • -
    • - Resource Friendly Name (ex: xBLBitlocker becomes cBLBitlocker) -
    • -
    • - MOF class name (ex: MSFT_xBLBitlocker becomes Contoso_cBLBitlocker) -
    • -
    • - Filename for the <resource>.schema.mof (ex: MSFT_xBLBitlocker.schema.mof becomes Contoso_cBLBitlocker.schema.mof) -
    • -
    -
  2. -
  3. - Update module and metadata information in the module manifest -
  4. -
  5. - Update any configuration that use these resources -
  6. -
-

We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" or "BLAutoBitlocker, BLBitlocker, BLTpm"). If the next version of Windows Server ships with "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" resources, we don't want to break any configurations that use any community modifications. Please keep a prefix such as "c" on all community modifications.

- - -

Versions

-

1.0.0.0

- - -

Example: ConfigureBitlockerOnOSDrive

-This example enables Bitlocker on an Operating System drive. The example code for ConfigureBitlockerOnOSDrive is located in "ConfigureBitlockerOnOSDrive.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerOnOSDrive.

- -

Example: ConfigureBitlockerAndAutoBitlocker

-Enables Bitlocker on an Operating System drive, and automatically enables Bitlocker on all drives of type 'Fixed'. The example code for ConfigureBitlockerAndAutoBitlocker is located in "ConfigureBitlockerAndAutoBitlocker.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerAndAutoBitlocker.


- -
-
-