
Test BitLocker OS Drive Key Protector Types

Overview

This script evaluates BitLocker OS Drive Key Protector Types on a Windows system. It checks whether the operating system volume is using approved key protector methods, as configured by two user variables at the top of the script.

The script verifies whether the OS drive is using an approved key protector type (TPM+PIN or TPM+Password) and reports what it finds.

The script can be used with an RMM tool to check the BitLocker OS drive key protector status across a number of endpoints.

  • Example: run the script across an entire company via the RMM tool, evaluate the output for the "Approved KP types found for OS drive" / "No approved KP types found for OS drive" line, and create a ticket, with the report attached, for each endpoint that does not report an approved type.

Usage

Option 1: Run directly from the web

Run the following command in an elevated PowerShell session. Note that this executes whatever the URL currently serves without giving you a chance to read it first; if you want to review the script before it runs, use Option 2:

Terminal window
iex (iwr -UseBasicParsing https://techdocsoffline.com/powershell-snippets/TestBitLockerOSDriveKeyProtectorTypes.ps1)

Option 2: Download and run locally

  1. Download the script:
Terminal window
Invoke-WebRequest -Uri https://techdocsoffline.com/powershell-snippets/TestBitLockerOSDriveKeyProtectorTypes.ps1 -OutFile TestBitLockerOSDriveKeyProtectorTypes.ps1
  2. Review it, then run it with administrative privileges:
Terminal window
.\TestBitLockerOSDriveKeyProtectorTypes.ps1

Script Details

TestBitLockerOSDriveKeyProtectorTypes.ps1
# =============================================================================
# Script Name: Test BitLocker OS Drive Key Protector Types
# Version: 1.0.0
# =============================================================================
#
# DESCRIPTION:
# Tests BitLocker OS Drive Key Protector Types on a Windows system
#
# DISCLAIMER:
# This script is provided "AS IS" without warranties of any kind.
# Always review scripts from the internet before executing them.
#
# =============================================================================
# Check if the script is running with administrative privileges
# (Get-BitLockerVolume requires an elevated session)
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Host "This script must be run as an administrator." -ForegroundColor Red
    exit 1
}
# User variables
# TPM+Password Key Protector
$KP_TPMPassword_Approved = $false
# TPM+PIN Key Protector
$KP_TPMPIN_Approved = $true
# End of user variables
$BitLockerVolumes = Get-BitLockerVolume
$KP_Found_Approved_Types = [System.Collections.ArrayList]::new()
foreach ($Volume in $BitLockerVolumes) {
    if ($Volume.VolumeType -eq "OperatingSystem") {
        # Write OS volume encryption status
        Write-Host "Vol crypt status for OS:" $Volume.VolumeStatus
        # Write Key Protector Types. Compare on the KeyProtectorType property
        # of each protector rather than on the protector object itself.
        Write-Host "Key Protector types:"
        $Volume.KeyProtector | ForEach-Object {
            $KPType = [string]$_.KeyProtectorType
            Write-Host -NoNewline "KP:" $KPType
            if ($KPType -eq "TpmPin" -and $KP_TPMPIN_Approved -eq $true) {
                Write-Host -ForegroundColor Green " Approved KP!"
                # ArrayList.Add returns the new index; discard it so it is not written to output
                [void]$KP_Found_Approved_Types.Add($KPType)
            }
            if ($KPType -eq "TpmPassword" -and $KP_TPMPassword_Approved -eq $true) {
                Write-Host -ForegroundColor Green " Approved KP!"
                [void]$KP_Found_Approved_Types.Add($KPType)
            }
            Write-Host
        }
    }
}
if ($KP_Found_Approved_Types.Count -lt 1) {
    Write-Host "No approved KP types found for OS drive"
} else {
    Write-Host "Approved KP types found for OS drive" $KP_Found_Approved_Types
}

User Variables

You can modify these variables in the user variables block near the top of the script file to configure which key protector types are considered approved. They are read from the script itself, so setting them at the PowerShell prompt before running the script has no effect:

  • $KP_TPMPassword_Approved: Set to $true to approve TPM+Password protectors, $false to disallow
  • $KP_TPMPIN_Approved: Set to $true to approve TPM+PIN protectors, $false to disallow
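The RMM use case in the overview and the user variables above both call for a variant that takes the approved set as a parameter and returns a machine-readable result. The following is an added example, not the script from this page: it evaluates the same OS-drive protector types, but also fails the check when protection is suspended or the volume is not fully encrypted, emits JSON for the ticket attachment, and sets a non-zero exit code so an RMM tool can alert without parsing coloured console text. The `-ApprovedTypes` default, the `-UseSample` switch, the function name and the sample volume objects are this example's own assumptions.

```powershell
# Added example (not the page's script): RMM-friendly BitLocker OS drive check.
param(
    # Assumption: only TPM+PIN counts as compliant; extend to match your policy,
    # e.g. -ApprovedTypes TpmPin,TpmPinStartupKey
    [string[]]$ApprovedTypes = @('TpmPin'),
    # Evaluate constructed sample data instead of the live system (offline test)
    [switch]$UseSample
)

function Test-OSDriveKeyProtectors {
    param(
        [Parameter(Mandatory)] [string[]]$ApprovedTypes,
        # Objects shaped like Get-BitLockerVolume output (live or constructed)
        [Parameter(Mandatory)] [object[]]$Volumes
    )

    $os = $Volumes | Where-Object { [string]$_.VolumeType -eq 'OperatingSystem' } |
          Select-Object -First 1
    if ($null -eq $os) {
        return [pscustomobject]@{
            Compliant = $false; MountPoint = $null; VolumeStatus = $null
            ProtectionStatus = $null; KeyProtectorTypes = @(); ApprovedFound = @()
            Reason = 'BitLocker reported no OperatingSystem volume'
        }
    }

    # Compare on KeyProtectorType, not on the protector object's string form
    $types         = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $approvedFound = @($types | Where-Object { $ApprovedTypes -contains $_ })

    # A TPM-only protector unlocks the drive at boot with no user secret, and a
    # suspended volume (ProtectionStatus Off) keeps its key unprotected on disk,
    # so each of these fails the check regardless of which types are listed.
    $reasons = @()
    if ($approvedFound.Count -eq 0)                   { $reasons += "no approved key protector (found: $($types -join ', '))" }
    if ([string]$os.ProtectionStatus -ne 'On')        { $reasons += "protection is $($os.ProtectionStatus)" }
    if ([string]$os.VolumeStatus -ne 'FullyEncrypted') { $reasons += "volume is $($os.VolumeStatus)" }
    $reason = if ($reasons.Count -gt 0) { $reasons -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Compliant         = ($reasons.Count -eq 0)
        MountPoint        = [string]$os.MountPoint
        VolumeStatus      = [string]$os.VolumeStatus
        ProtectionStatus  = [string]$os.ProtectionStatus
        KeyProtectorTypes = $types
        ApprovedFound     = $approvedFound
        Reason            = $reason
    }
}

# Constructed sample (not real Get-BitLockerVolume output): TPM-only plus a
# recovery password, the common default that this check is meant to flag.
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
)

if ($UseSample) {
    $volumes = $sampleVolumes
} else {
    # Get-BitLockerVolume needs an elevated session
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    if (-not $isAdmin) { Write-Error 'This check must run as an administrator.'; exit 2 }
    $volumes = Get-BitLockerVolume
}

$result = Test-OSDriveKeyProtectors -ApprovedTypes $ApprovedTypes -Volumes $volumes

# JSON on stdout is what an RMM tool can store or attach to a ticket verbatim;
# exit 1 is the signal the RMM alert rule keys on.
$result | ConvertTo-Json -Compress
if (-not $result.Compliant) { exit 1 }
exit 0
```

Running it with `-UseSample` exercises the constructed TPM-only volume and exits 1 with `"Reason":"no approved key protector (found: Tpm, RecoveryPassword)"`; without the switch it reads the live volumes. In an RMM deployment, set `-ApprovedTypes` from the tool's script parameters rather than editing the file per endpoint.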

Examples

Example 1: System with Approved Key Protector Types

Terminal window
PS C:\> .\TestBitLockerOSDriveKeyProtectorTypes.ps1
Vol crypt status for OS: FullyEncrypted
Key Protector types:
KP: TpmPin Approved KP!
KP: RecoveryPassword
Approved KP types found for OS drive TpmPin

Example 2: System without Approved Key Protector Types

Terminal window
PS C:\> .\TestBitLockerOSDriveKeyProtectorTypes.ps1
Vol crypt status for OS: FullyEncrypted
Key Protector types:
KP: Tpm
KP: RecoveryPassword
No approved KP types found for OS drive

Example 3: Modifying Approved Key Protector Types via User Variables

Terminal window
PS C:\> # In the script's user variables block, set:
PS C:\> #   $KP_TPMPassword_Approved = $true
PS C:\> #   $KP_TPMPIN_Approved = $false
PS C:\> .\TestBitLockerOSDriveKeyProtectorTypes.ps1
Vol crypt status for OS: FullyEncrypted
Key Protector types:
KP: TpmPassword Approved KP!
KP: RecoveryPassword
Approved KP types found for OS drive TpmPassword