MaciekK-2828 asked Bagitman-1090 commented

Detect a plugged-in Bitlocker USB encryption key and notify admins.

Hi Guys!

Is it possible to detect a plugged-in BitLocker USB encryption key and notify administrators? Currently, to boot into Windows 10 our users are required to plug in a BitLocker key. After booting they should remove that USB key, but sometimes users forget to unplug it.

Do you know of a tool or PowerShell script for this?

We can use Azure, Intune (Microsoft Endpoint Manager) and PowerShell.

Tags: windows-server-powershell, mem-intune-general

If you run manage-bde -status from a PowerShell prompt on a test machine, does it answer this question: "Is it possible to detect a plugged-in BitLocker USB encryption key"?

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-status


1 Answer

Bagitman-1090 answered

manage-bde -status is not right here, as it only lists BitLocker-protected drives, not drives carrying .bek files (BitLocker Encryption Key).

What you could do: deploy a scheduled task that runs 5 minutes after logon and looks for .bek files in the root of all drives. Can you script that? If you need help, just say.
What you should do: get rid of USB startup keys. Those don't belong in the hands of ordinary users, since they allow those users to manipulate the drives, decrypt them, make themselves admin and so on. Use a TPM instead. All boards from 2015 and newer have onboard TPMs, or at least TPM headers or fTPMs.

Edit: here's a script

 # Removable volumes only (Win32_Volume DriveType 2); .bek files are hidden+system+read-only,
 # so -Force is needed for Get-ChildItem to see them.
 $sticks = Get-CimInstance -ClassName Win32_Volume -Filter "DriveType=2" | Where-Object { $_.DriveLetter }
 $beks = foreach ($stick in $sticks) {
     Get-ChildItem -Path (Join-Path $stick.DriveLetter '*.bek') -Force -ErrorAction SilentlyContinue
 }
 if (-not $beks) { exit }
 msg * /time:0 "Unplug that BitLocker stick!"

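The answer above stops at warning the user on screen; the question also asked for administrators to be notified. The following is an added example, not the answer's own script: it finds .bek files on removable drives, checks whether each one is actually a startup key for this computer (the file name of a BitLocker startup key is the key protector ID), warns the logged-on user, writes a Warning event that Intune, Azure Monitor or any log collector can pick up, and can register itself as the "5 minutes after logon" scheduled task from the answer. The event source name, event ID 4001, task name and deployment path are assumptions chosen for the example.

```powershell
# Added example (not from the original answer). Run once with -Register as admin to
# create the logon task; thereafter the task runs the check as SYSTEM.
# Exit code 0 = no startup key plugged in, 1 = startup key found (so the same file
# also works as an Intune proactive-remediation detection script).
#Requires -RunAsAdministrator
param([switch]$Register)

$EventSource = 'BitLockerStartupKeyCheck'   # assumed event source, registered on first use
$TaskName    = 'BitLocker startup key check' # assumed task name

function Get-PluggedBekFiles {
    # Removable volumes only (Win32_Volume DriveType 2). A .bek file is hidden+system+read-only,
    # so -Force is required for Get-ChildItem to list it.
    $removable = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType=2' |
        Where-Object { $_.DriveLetter }
    foreach ($vol in $removable) {
        Get-ChildItem -Path (Join-Path $vol.DriveLetter '*.bek') -File -Force -ErrorAction SilentlyContinue
    }
}

function Test-BekBelongsToThisMachine {
    param([Parameter(Mandatory)][System.IO.FileInfo]$Bek)
    # A startup key file is named {KeyProtectorId}.BEK. Compare that GUID with the ExternalKey
    # protectors on the OS volume so a stick carrying another computer's key is reported as such.
    $id = '{' + $Bek.BaseName.Trim('{}') + '}'
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $os) { return $false }
    return [bool]($os.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'ExternalKey' -and $_.KeyProtectorId -eq $id })
}

function Invoke-BekCheck {
    $beks = @(Get-PluggedBekFiles)
    if ($beks.Count -eq 0) { return 0 }   # compliant: no startup key plugged in

    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $lines = foreach ($b in $beks) {
        $owner = if (Test-BekBelongsToThisMachine $b) { 'protects this computer' }
                 else { 'does NOT match any protector on this computer' }
        "$($b.FullName) ($owner)"
    }
    $message = "BitLocker startup key still plugged in on $env:COMPUTERNAME as $env:USERNAME`n" +
               ($lines -join "`n")
    # Warning event 4001 in the Application log: this is what admins collect centrally.
    Write-EventLog -LogName Application -Source $EventSource -EventId 4001 -EntryType Warning -Message $message
    # Interactive notice to every session on the box (msg.exe is present on Pro/Enterprise).
    msg.exe * /time:0 'Unplug your BitLocker USB key now. IT has been notified.'
    return 1
}

function Register-BekCheckTask {
    param([Parameter(Mandatory)][string]$ScriptPath)
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    $trigger.Delay = 'PT5M'   # ISO 8601 duration: fire 5 minutes after logon, as suggested in the answer
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($Register) {
    Register-BekCheckTask -ScriptPath $PSCommandPath   # assumed: the script is deployed to a fixed path
} else {
    exit (Invoke-BekCheck)
}
```

Deploy the file to a fixed path (for example via an Intune PowerShell script), run it once with -Register, and collect Application events from source BitLockerStartupKeyCheck with ID 4001. Because the script exits 1 when a key is present, it can also be uploaded unchanged as the detection half of an Intune proactive remediation, which gives a per-device compliance view without any extra log forwarding.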

Thanks - one advantage of a USB startup key is that users can keep it separately. A lost or stolen device cannot even boot in that case, while when we store keys in the TPM module it can. Of course, we still need to provide credentials.

"when we store keys in the TPM module, it is possible. Of course, we still need to provide credentials." - oh. You need to rethink that. With TPM and PIN, the device is not startable by thieves. Using USB keys is a security no-go unless you fully trust your users.
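The exchange above recommends replacing USB startup keys with TPM+PIN. As an added example, not code from anyone in the thread, the following script first reports which protector types unlock each OS volume (so you can see fleet-wide who still has an ExternalKey protector) and then, on a machine whose TPM is ready, swaps the startup key for TPM+PIN. It assumes group policy permits a startup PIN (Require additional authentication at startup with "Allow startup PIN with TPM"; without it Add-BitLockerKeyProtector refuses to create the PIN), that the device is Azure AD joined so the recovery password can be escrowed with BackupToAAD-BitLockerKeyProtector, and that the PIN is supplied as a SecureString by whatever enrolls the user.

```powershell
# Added example (not from the thread): audit BitLocker protector types and migrate a
# USB startup key (ExternalKey protector) to TPM+PIN. Assumes policy allows a startup
# PIN and the device is Azure AD joined for recovery-password escrow.
#Requires -RunAsAdministrator

function Get-OsVolumeProtectorReport {
    # One row per OS volume: protector types present, and whether a USB startup key is one of them.
    Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
        $types = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            MountPoint      = $_.MountPoint
            Protection      = $_.ProtectionStatus
            Protectors      = ($types -join ',')
            UsesStartupKey  = [bool]($types -contains 'ExternalKey')
            HasRecoveryPass = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

function Convert-StartupKeyToTpmPin {
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    # Refuse on hardware without a usable TPM; the startup key stays until the board is fixed.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME; leaving protectors unchanged."
    }

    # Safety net first: make sure a recovery password exists and is escrowed to Azure AD,
    # so removing protectors can never lock the volume out entirely.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null

    # Only one TPM-family protector may exist per volume, so remove any existing one, add
    # TPM+PIN, and only then drop the ExternalKey protectors: the stick stops unlocking the disk.
    $tpmFamily = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $tpmFamily } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'ExternalKey' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Get-OsVolumeProtectorReport | Where-Object MountPoint -eq $MountPoint
}

# Usage: audit only
Get-OsVolumeProtectorReport | Format-Table -AutoSize
# Usage: migrate (the PIN would normally be collected from the user, not hard-coded)
# Convert-StartupKeyToTpmPin -Pin (Read-Host -AsSecureString 'New startup PIN')
```

Run the audit half from Intune as a script or proactive remediation to find devices where UsesStartupKey is true, and only run the migration on a device after the user has chosen a PIN and the TPM is confirmed ready. The order matters: recovery password escrowed first, TPM+PIN added second, ExternalKey removed last, so at no point is the volume left with only a protector the user cannot satisfy.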