
SafeGuard Bitlocker - Disable Postpone option

Hi,

 

I'm currently deploying the SafeGuard client and a BitLocker policy in our company and I have a question regarding the password selection screen.

By default it shows a postpone option, and about 25% of our users think it's funny to keep clicking it, so they never have to choose a password and thus keep BitLocker disabled.

I was wondering if there is a built-in option to disable the postpone button, or to keep popping up the window every hour, to annoy users a bit so they have to set a password for the window to disappear. One notice after every reboot is not sufficient, as many users put their laptop in sleep/hibernate.



  • Hi Jef - Not that I know of sadly within SafeGuard. I think it's more of an AutoPilot solution you're looking for, where you could force encryption with an OOBE (Out of the box experience) and Intune.

    You could force encryption with a reg key (and therefore GPO) but this would take some testing and would have more success if you were confident about the state of the computer and the models too - I have a massively varying estate here so this wouldn't work well. During testing of this though, I did sometimes see Sophos wanting to set a PIN itself even when it was successfully applied outside of Sophos (using manage-bde), so potentially you'd see this option pop up again, but it didn't allow postpone as the drive was already encrypted. Not ideal aesthetically but better than allowing users to cancel perhaps.

    Personally the way forward for us is that a Tech enables and confirms this as part of the build process. During my other POC we use AutoPilot to enable encryption on build automatically but this uses AAD and NOT SafeGuard.

    You could try other (unpopular) solutions like emailing all staff that aren't enabled, from the data within SafeGuard, on an automated basis until compliant (I do this with Intune now and it DOES work well), or forcing a reboot of the machine every X days (and therefore they'd see the prompt more often).

    Ideally you'd want some sort of compliance check here and deny services/connectivity if not compliant but this is going to take a lot of business change and senior management support and we don't always have this! 

     

  • Hi Michael,

    Thanks for the reply. I'm deploying the client with GPOs at the moment; we do not use AutoPilot here.

    I have a few other options though, ranging from a user login script that checks the encryption status with the manage-bde command and shows a popup when the device is not encrypted.

    I can try a script that triggers encryption with manage-bde instead of the popup message like you mentioned, and see what results this gives in terms of PIN/password policy.

    There are also indeed more drastic measures, such as disabling services or even the entire account, and only re-enabling them after they set up BitLocker. But this project hasn't made me exactly popular, so I'd like to avoid those scenarios if possible :), and as you mention, management is not too keen on that stuff either.

    Thanks for the tips, I'll try and post my used solutions later.
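The login-script check mentioned above, written out as an added example (this is not code from the thread or from Sophos): it parses the text output of `manage-bde -status C:` and classifies the machine as Compliant, InProgress, Suspended, Warn (deadline not yet reached) or Enforce (deadline passed). Three manage-bde outputs are constructed inline so the logic can be tried without touching a real volume; `Get-LiveBitLockerAction` runs the real command. The function names, the deadline and the sample text are this example's own assumptions.

```powershell
# Added example, not code from the thread. Parses "manage-bde -status <vol>" output and
# decides what a login script should do. Sample outputs below are constructed and trimmed
# to the volume section that manage-bde prints; the banner lines are ignored by the parser.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $state = [ordered]@{
        ConversionStatus    = $null
        PercentageEncrypted = $null
        ProtectionStatus    = $null
        KeyProtectors       = @()
    }
    $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Conversion Status:\s*(.+?)\s*$') {
            $state.ConversionStatus = $Matches[1]; $inProtectors = $false; continue
        }
        if ($line -match '^\s*Percentage Encrypted:\s*([\d.]+)%') {
            $state.PercentageEncrypted = [double]$Matches[1]; $inProtectors = $false; continue
        }
        if ($line -match '^\s*Protection Status:\s*(.+?)\s*$') {
            $state.ProtectionStatus = $Matches[1]; $inProtectors = $false; continue
        }
        if ($line -match '^\s*Key Protectors:\s*(.*?)\s*$') {
            # Either "None Found" on the same line, or one protector per deeper-indented line below
            $inProtectors = $true
            if ($Matches[1] -and $Matches[1] -ne 'None Found') { $state.KeyProtectors += $Matches[1] }
            continue
        }
        if ($inProtectors -and $line -match '^\s{6,}(\S.*?)\s*$') { $state.KeyProtectors += $Matches[1] }
    }
    [pscustomobject]$state
}

function Get-BitLockerComplianceAction {
    param(
        [Parameter(Mandatory)]$State,
        [Parameter(Mandatory)][datetime]$Deadline,
        [datetime]$Now = (Get-Date)
    )
    # "Fully Encrypted" alone is not enough: a suspended volume (Protection Off) keeps a clear
    # key on disk and unlocks without any protector. That case needs Resume-BitLocker, not
    # Enable-BitLocker, so it gets its own verdict.
    if ($State.ConversionStatus -eq 'Fully Encrypted') {
        if ($State.ProtectionStatus -eq 'Protection On') { return 'Compliant' }
        return 'Suspended'
    }
    if ($State.ConversionStatus -eq 'Encryption in Progress') { return 'InProgress' }
    if ($Now.Date -gt $Deadline.Date) { return 'Enforce' }
    return 'Warn'
}

function Get-LiveBitLockerAction {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][datetime]$Deadline)
    # Native command; stringify every output record so the parser only sees text
    $out = & manage-bde -status $MountPoint 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $MountPoint failed with exit code $LASTEXITCODE" }
    Get-BitLockerComplianceAction -State (ConvertFrom-ManageBdeStatus -Lines $out) -Deadline $Deadline
}

# --- constructed sample outputs (not captured from a real machine) ---
$SampleDecrypted = @'
Volume C: [Windows]
[OS Volume]

    Size:                 237.27 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@ -split "`r?`n"

$SampleSuspended = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
'@ -split "`r?`n"

$SampleEncrypted = $SampleSuspended -replace 'Protection Off', 'Protection On'

$deadline = [datetime]::ParseExact('20190415', 'yyyyMMdd', $null)
$now      = [datetime]::ParseExact('20190501', 'yyyyMMdd', $null)   # simulate a run after the deadline
foreach ($case in 'Decrypted', 'Suspended', 'Encrypted') {
    $state  = ConvertFrom-ManageBdeStatus -Lines (Get-Variable -Name "Sample$case" -ValueOnly)
    $action = Get-BitLockerComplianceAction -State $state -Deadline $deadline -Now $now
    '{0,-10} {1,-16} {2,-15} protectors=[{3}] -> {4}' -f $case, $state.ConversionStatus,
        $state.ProtectionStatus, ($state.KeyProtectors -join ', '), $action
}
```

In a real login script the verdict drives the popup: Warn shows the reminder with the deadline, Enforce triggers the encryption step, and Suspended points at `Resume-BitLocker` rather than a new Enable-BitLocker call, which would fail on an already-encrypted volume. Checking `Protection Status` as well as `Conversion Status` is the part most home-grown scripts miss.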

  • Good luck!

    It's so difficult without management support, so I wish you all the best with that. Frustratingly, if there is a data breach/loss I'm sure they'll be the first ones knocking at your door too....

     

  • I have come up with a solution that I will post here for other people in a similar situation.

    I have created a startup PowerShell script which will automatically enable BitLocker after a specified deadline expires. The generated password is displayed in a popup and also mailed to support. When using this method SafeGuard still prompts to choose another password after the automatically generated one is set by the script, which gives users the opportunity to still choose their own password after the auto-generated one is set.

    I think this is the most effective and least intrusive way to get company-wide BitLocker activation. Still awaiting manager approval to use this though :). So in case I can't use it, I hope someone else that finds this useful can ;)

    Script code is as follows:

     

    Import-Module BitLocker; Get-BitlockerVolume
    # Domain name of this computer, used in the e-mail to support
    $wmiDomain = Get-WmiObject Win32_NTDomain -Filter "DnsForestName = '$( (Get-WmiObject Win32_ComputerSystem).Domain)'"
    $domain = $wmiDomain.DomainName
    $OutputVariable = (Get-BitlockerVolume -MountPoint "C:")
    $SupportEmailAddress = "support@mycompany.com"
    #Deadline date in YYYYMMDD
    $DeadLine = "20190415"
    #Same deadline, formatted for the message shown to the user
    $DeadLineDisplay = [datetime]::ParseExact($DeadLine, "yyyyMMdd", $null).ToString("dd/MM/yyyy")
    $EmailAddress = $SupportEmailAddress

    #Force encryption on FullyDecrypted volumes
    If ($OutputVariable.VolumeStatus -Like "FullyDecrypted")
    {
        $date = Get-Date
        $datestr = $date.ToString("yyyyMMdd")
        #Compare current date to deadline (both yyyyMMdd strings, so string comparison is chronological)
        if ($datestr -gt $DeadLine) {
            #Deadline expired, force encryption
            #Generate a random 12-digit numeric password
            $Password = Get-Random -Minimum 100000000000 -Maximum 999999999999

            #Activate BitLocker with that password as the key protector
            $SecureString = ConvertTo-SecureString ([string]$Password) -AsPlainText -Force
            Enable-BitLocker -MountPoint "C:" -EncryptionMethod aes256 -UsedSpaceOnly -PasswordProtector -Password $SecureString

            #Define/send e-mail message to support (the password is sent in clear text in this mail)
            $email_subject = "BitLocker activation / password for $env:COMPUTERNAME"
            $email_body = "BitLocker has not been active for some time on $domain $env:COMPUTERNAME, checked on $date; automatic encryption has been started. The password is $Password . Please pass it on to the user if they contact you about it. After logging in to Windows the user can then choose a new password themselves ....."
            Send-MailMessage -From "SafeGuard Status monitor <SafeGuard@yourcompany.com>" -To $EmailAddress -Subject $email_subject -Body $email_body -Priority High -DeliveryNotificationOption onSuccess, onFailure -SmtpServer YOURCOMPANYMAILSERVER

            #Set message box text shown to the user (the restart itself is not triggered by this script)
            [String[]]$Msg = @()
            $Msg += 'The grace period for activating BitLocker yourself has expired.'
            $Msg += 'BitLocker has now been activated automatically... '
            $Msg += ''
            $Msg += 'Your password is: ' + $Password
            $Msg += ''
            $Msg += 'PLEASE WRITE THIS DOWN. Your password has also been e-mailed to the Helpdesk.'
            $Msg += ''
            $Msg += 'Your computer will restart within 3 minutes. Use the code above to unlock the drive.'
            $Msg += 'After restarting and logging in to Windows you can set a new password yourself.'
            [String]$MsgTxt = ''
            $Msg | ForEach-Object { $MsgTxt += $_ + "`n" }
            Add-Type -AssemblyName System.Windows.Forms
            [System.Windows.Forms.MessageBox]::Show($MsgTxt, 'BitLocker activation', 'OK', 'Information') | Out-Null
        }
        else {
            #Deadline not reached yet, display warning
            #Set message box text
            [String[]]$Msg = @()
            $Msg += 'BitLocker has not been activated on your computer yet.'
            $Msg += "Please set a password before $DeadLineDisplay"
            $Msg += ''
            $Msg += 'After this date BitLocker will be activated automatically and a password will be chosen automatically.'
            $Msg += ''
            [String]$MsgTxt = ''
            $Msg | ForEach-Object { $MsgTxt += $_ + "`n" }
            Add-Type -AssemblyName System.Windows.Forms
            [System.Windows.Forms.MessageBox]::Show($MsgTxt, "BitLocker activation $env:COMPUTERNAME", 'OK', 'Information') | Out-Null
        }
    }
    Exit
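An alternative enforcement step, added here as an example and not the script from the post above: the same deadline rule, but the enforced protectors are a TPM protector plus a numerical recovery password that is escrowed to Active Directory, so no password has to be shown in a popup or e-mailed in clear text. It assumes a machine with a ready TPM, the BitLocker module, an elevated startup-script context, and a GPO that permits backing up recovery information to AD DS. How SafeGuard reacts to a drive encrypted this way was not tested and is not claimed here.

```powershell
# Added example, not the poster's script. Enforces BitLocker on C: after the deadline with
# TPM + recovery password, and escrows the recovery password to AD instead of e-mailing it.
# Assumed: TPM present and ready, elevated context, AD DS backup of recovery info allowed by GPO.

$MountPoint = 'C:'
$Deadline   = [datetime]::ParseExact('20190415', 'yyyyMMdd', $null)

Import-Module BitLocker
$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}
if ((Get-Date).Date -le $Deadline.Date) {
    Write-Output "Deadline $($Deadline.ToShortDateString()) not reached; only warn the user here."
    return
}

# Refuse to proceed without a usable TPM rather than falling back to a weaker protector
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not present or not ready; cannot enforce a TPM protector on $MountPoint"
}

# 1. Start encryption with a recovery password as the only protector so far.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -RecoveryPasswordProtector -SkipHardwareTest

# 2. Escrow every recovery password protector to AD before the user can ever hit a recovery screen.
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# 3. Add the TPM protector so the OS volume unlocks transparently at boot.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector

Write-Output "BitLocker enabled on $MountPoint with TPM + recovery password; recovery password escrowed to AD."
```

The ordering matters: the recovery password exists and is backed up before the TPM protector is added, so a machine that fails its first TPM-sealed boot (firmware update, boot order change) can always be recovered from AD instead of from a helpdesk mailbox.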

  • Hi, I think this is related to another article :)