'Test' pass incorrectly returns $True for decrypted volumes, causing the volume to be skipped for 'Set' pass and never encrypted #13

Closed
MartinVokurek opened this issue May 27, 2018 · 0 comments
Labels
bug The issue is a bug.

Comments

@MartinVokurek
Contributor

The TestBitlocker function evaluates KeyProtectors and AutoUnlock status for the given volume. If they do not match, the function returns $false and "Set" is executed.
If, however, KeyProtectors are configured correctly and AutoUnlock is in the desired state, yet the volume is in the "FullyDecrypted" state, TestBitlocker returns $True and the volume is not processed for encryption anymore.
This is more likely to happen for the OS volume: encryption of the volume is attempted by EnableBitlocker, but the call to Enable-Bitlocker fails for whatever reason and the resource fails as expected. But the KeyProtectors are already in place and are not removed upon failure, and therefore subsequent configuration runs will evaluate Test as $True and skip Set.

Repro:
Try to use xBLBitlocker to encrypt the OS volume in a Hyper-V VM with Dynamically Expanding disks and no UsedSpaceOnly specified (I used TPM and RecoveryPassword protectors and had "Full Encryption" set in GPO). The first attempt fails with "BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage. (Exception from HRESULT: 0x803100A5)". Subsequent runs will skip Set and report success, yet the volume never gets encrypted.

Suggested fix:
TestBitlocker should test the "VolumeStatus" of the given Bitlocker volume. If the status is "FullyDecrypted", it should return $false.
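
An added sketch of the check suggested above, not code from the xBitlocker module: the hypothetical function `Test-VolumeCompliance` evaluates an object shaped like `Get-BitLockerVolume` output. The sample volume and the `-IgnoreVolumeStatus` switch are constructed here to put the reported behaviour next to the fixed one.

```powershell
# Added example: hypothetical helper, not the xBitlocker module's own code.
function Test-VolumeCompliance {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)] [object] $Volume,
        [Parameter(Mandatory)] [string[]] $RequiredProtectorTypes,
        [bool] $AutoUnlock = $false,
        # Hypothetical switch that reproduces the behaviour described in the issue
        [switch] $IgnoreVolumeStatus
    )

    # Suggested fix: a fully decrypted volume is never in the desired state,
    # whatever key protectors a failed earlier run left behind.
    if (-not $IgnoreVolumeStatus -and "$($Volume.VolumeStatus)" -eq 'FullyDecrypted') {
        Write-Verbose "$($Volume.MountPoint) is FullyDecrypted; Set must run."
        return $false
    }

    # Existing checks described in the issue: key protectors and AutoUnlock.
    $present = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    foreach ($type in $RequiredProtectorTypes) {
        if ($present -notcontains $type) { return $false }
    }
    return ([bool] $Volume.AutoUnlockEnabled -eq $AutoUnlock)
}

# Constructed sample: OS volume after a failed Enable-BitLocker call
# (protectors present, nothing encrypted).
$leftover = [pscustomobject]@{
    MountPoint        = 'C:'
    VolumeStatus      = 'FullyDecrypted'
    AutoUnlockEnabled = $false
    KeyProtector      = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' }
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}
$required = 'Tpm', 'RecoveryPassword'

# Compare the outcome with and without the VolumeStatus check.
[pscustomobject]@{
    WithoutStatusCheck = Test-VolumeCompliance -Volume $leftover -RequiredProtectorTypes $required -IgnoreVolumeStatus
    WithStatusCheck    = Test-VolumeCompliance -Volume $leftover -RequiredProtectorTypes $required
}
```

On a BitLocker-capable host the same function can be given the output of `Get-BitLockerVolume -MountPoint 'C:'` in place of the constructed object.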

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels May 28, 2018
MartinVokurek pushed a commit to MartinVokurek/xBitlocker that referenced this issue May 31, 2018
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels May 31, 2018
johlju pushed a commit that referenced this issue May 31, 2018
… is present (#16)

- Fixed issue which caused Test-TargetResource to incorrectly succeed on fully
  decrypted volumes when correct Key Protectors were present (issue #13)
@johlju johlju removed the in progress The issue is being actively worked on by someone. label May 31, 2018