From 78ad3b139bbbfc4d7d2fdb13912974c8e94f8f81 Mon Sep 17 00:00:00 2001
From: PowerShellTeam <PowerShellTeam@hotmail.com>
Date: Wed, 15 Apr 2015 15:23:52 -0700
Subject: [PATCH] Transfer development to github
---
 .../MSFT_xBLAutoBitlocker.psm1 | 322 ++++++++++++
 .../MSFT_xBLAutoBitlocker.schema.mof | 33 ++
 .../MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 | 252 ++++++++++
 .../MSFT_xBLBitlocker.schema.mof | 31 ++
 DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 | 123 +++++
 .../MSFT_xBLTpm/MSFT_xBLTpm.schema.mof | 12 +
 .../ConfigureBitlockerAndAutoBitlocker.ps1 | 51 ++
 .../ConfigureBitlockerOnOSDrive.ps1 | 40 ++
 LICENSE | 21 +
 Misc/xBitlockerCommon.psm1 | 467 ++++++++++++++++++
 README.md | 8 +
 Test/Test-xBitlocker.ps1 | 94 ++++
 appveyor.yml | 25 +
 xBitlocker.psd1 | 98 ++++
 xBitlocker_Documentation.html | 249 ++++++++++
 15 files changed, 1826 insertions(+)
 create mode 100644 DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1
 create mode 100644 DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof
 create mode 100644 DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1
 create mode 100644 DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof
 create mode 100644 DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
 create mode 100644 DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
 create mode 100644 Examples/ConfigureBitlockerAndAutoBitlocker/ConfigureBitlockerAndAutoBitlocker.ps1
 create mode 100644 Examples/ConfigureBitlockerOnOSDrive/ConfigureBitlockerOnOSDrive.ps1
 create mode 100644 LICENSE
 create mode 100644 Misc/xBitlockerCommon.psm1
 create mode 100644 README.md
 create mode 100644 Test/Test-xBitlocker.ps1
 create mode 100644 appveyor.yml
 create mode 100644 xBitlocker.psd1
 create mode 100644 xBitlocker_Documentation.html
diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1
new file mode 100644
index 0000000..3975548
--- /dev/null
+++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.psm1 
@@ -0,0 +1,322 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [parameter(Mandatory = $true)] + [ValidateSet("Fixed","Removable")] + [System.String] + $DriveType, + + [System.Int32] + $MinDiskCapacityGB, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + #First get all Bitlocker Volumes of type Data + $allBlvs = Get-BitLockerVolume | where {$_.VolumeType -eq "Data"} + + #Filter on size if it was specified + if ($PSBoundParameters.ContainsKey("MinDiskCapacityGB")) + { + $allBlvs = $allBlvs | where {$_.CapacityGB -ge $MinDiskCapacityGB} + } + + #Now find disks of the appropriate drive type, and add them to the collection + if ($allBlvs -ne $null) + { + [Hashtable]$returnValue = @{} + + foreach ($blv in $allBlvs) + { + $vol = $null + $vol = Get-Volume -Path $blv.MountPoint 
-ErrorAction SilentlyContinue | where {$_.DriveType -like $DriveType} + + if ($vol -ne $null) + { + [Hashtable]$props = @{ + VolumeStatus = $blv.VolumeStatus + KeyProtectors = $blv.KeyProtector + EncryptionMethod = $blv.EncryptionMethod + } + + $returnValue.Add($blv.MountPoint, $props) + } + } + } + + $returnValue +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [parameter(Mandatory = $true)] + [ValidateSet("Fixed","Removable")] + [System.String] + $DriveType, + + [System.Int32] + $MinDiskCapacityGB, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + $autoBlVols = Get-TargetResource @PSBoundParameters + + if ($autoBlVols -eq $null) + { + throw "No Auto Bitlocker volumes were found" + } + else + { + RemoveParameters -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" + AddParameters 
-PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} + + #Loop through each potential AutoBitlocker volume, see whether they are enabled for Bitlocker, and if not, enable it + foreach ($key in $autoBlVols.Keys) + { + $PSBoundParameters["MountPoint"] = $key + + $testResult = TestBitlocker @PSBoundParameters + + if ($testResult -eq $false) + { + EnableBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + } + } + } +} + + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [parameter(Mandatory = $true)] + [ValidateSet("Fixed","Removable")] + [System.String] + $DriveType, + + [System.Int32] + $MinDiskCapacityGB, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + $autoBlVols = Get-TargetResource @PSBoundParameters + + if ($autoBlVols -eq $null) + { + return $false 
+ } + else + { + RemoveParameters -PSBoundParametersIn $PSBoundParameters -ParamsToRemove "DriveType","MinDiskCapacityGB" + AddParameters -PSBoundParametersIn $PSBoundParameters -ParamsToAdd @{"MountPoint" = ""} + + #Check whether any potential AutoBitlocker volume is not currently enabled for Bitlocker, or doesn't have the correct settings + foreach ($key in $autoBlVols.Keys) + { + $PSBoundParameters["MountPoint"] = $key + + $testResult = TestBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + + if ($testResult -eq $false) + { + return $testResult + } + } + } + + return $true +} + + +Export-ModuleMember -Function *-TargetResource + + + diff --git a/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof new file mode 100644 index 0000000..1a1e5a0 --- /dev/null +++ b/DSCResources/MSFT_xBLAutoBitlocker/MSFT_xBLAutoBitlocker.schema.mof 
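Review bot: Get-TargetResource only assigns `$returnValue` inside `if ($allBlvs -ne $null)`, so with no Data volumes it emits `$null`, while with Data volumes that all fail the `$DriveType` filter it emits an empty hashtable; Set-TargetResource and Test-TargetResource check only `-eq $null`, so the first case throws "No Auto Bitlocker volumes were found" on every Set while the second silently passes Test. Initialise `[Hashtable]$returnValue = @{}` before the `if`, and have Set and Test check `if ($autoBlVols -eq $null -or $autoBlVols.Count -eq 0)` so both situations take the same path. Separately, `KeyProtectors = $blv.KeyProtector` copies the complete key-protector objects from Get-BitLockerVolume into the Get output; for a RecoveryPasswordProtector those objects carry the recovery password itself, so anything that serialises or logs Get-TargetResource output will carry it too — consider projecting only `KeyProtectorType` and `KeyProtectorId`. The same property copy appears in Get-TargetResource of DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1.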
@@ -0,0 +1,33 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("xBLAutoBitlocker")]
+class MSFT_xBLAutoBitlocker : OMI_BaseResource
+{
+ //Used to automatically enable Bitlocker on drives of type Fixed or Removable. Does not work on Operating System drives.
+
+ [Key, ValueMap{"Fixed","Removable"}, Values{"Fixed","Removable"}] String DriveType; //The type of volume, as reported by Get-Volume, to auto apply Bitlocker to
+ [Write] Sint32 MinDiskCapacityGB; //If specified, only disks this size or greater will auto apply Bitlocker
+ [Required, ValueMap{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector;
+ [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
+
+ //Remaing properties correspond directly to Enable-Bitlocker parameters
+ //http://technet.microsoft.com/en-us/library/jj649837.aspx
+ [Write] String AdAccountOrGroup;
+ [Write] Boolean AdAccountOrGroupProtector;
+ [Write, ValueMap{"Aes128","Aes256"}, Values{"Aes128","Aes256"}] String EncryptionMethod;
+ [Write] Boolean HardwareEncryption;
+ [Write, EmbeddedInstance("MSFT_Credential")] String Password; //NOTE: Username doesn't matter for the credential. Just put the Password in the Password field
+ [Write] Boolean PasswordProtector;
+ [Write, EmbeddedInstance("MSFT_Credential")] String Pin; //NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field
+ [Write] String RecoveryKeyPath;
+ [Write] Boolean RecoveryKeyProtector;
+ [Write] Boolean RecoveryPasswordProtector;
+ [Write] Boolean Service;
+ [Write] Boolean SkipHardwareTest;
+ [Write] String StartupKeyPath;
+ [Write] Boolean StartupKeyProtector;
+ [Write] Boolean TpmProtector;
+ [Write] Boolean UsedSpaceOnly;
+};
+
+
+
diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1 b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1
new file mode 100644
index 0000000..2e5b244
--- /dev/null
+++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.psm1
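Review bot: `PrimaryProtector` is the only Required property in this class without a trailing description, unlike the same property in DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof; add `//The type of key protector that will be used as the primary key protector` so the two schemas and any generated documentation agree. The comment `//Remaing properties correspond directly to Enable-Bitlocker parameters` has a typo (`Remaining`), both here and in MSFT_xBLBitlocker.schema.mof.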
@@ -0,0 +1,252 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [parameter(Mandatory = $true)] + [System.String] + $MountPoint, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AllowImmediateReboot = $false, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue + + if ($blv -ne $null) + { + $returnValue = @{ + MountPoint = $MountPoint + VolumeStatus = $blv.VolumeStatus + KeyProtectors = $blv.KeyProtector + EncryptionMethod = $blv.EncryptionMethod + } + } + + $returnValue +} + + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [parameter(Mandatory = $true)] + [System.String] + $MountPoint, + + 
[ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AllowImmediateReboot = $false, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + EnableBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [parameter(Mandatory = $true)] + [System.String] + $MountPoint, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AllowImmediateReboot = $false, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + 
[System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly + ) + + #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0 + + CheckForPreReqs + + $testResult = TestBitlocker @PSBoundParameters -VerbosePreference $VerbosePreference + + return $testResult +} + +Export-ModuleMember -Function *-TargetResource + + + diff --git a/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof new file mode 100644 index 0000000..17b21b1 --- /dev/null +++ b/DSCResources/MSFT_xBLBitlocker/MSFT_xBLBitlocker.schema.mof 
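Review bot: Get-TargetResource leaves `$returnValue` unassigned when `Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue` yields nothing, so an unknown or non-BitLocker mount point returns `$null` despite `[OutputType([System.Collections.Hashtable])]`, and under Set-StrictMode the bare `$returnValue` reference errors. Initialise `$returnValue = @{ MountPoint = $MountPoint }` before the `if` so callers always receive a hashtable and see `VolumeStatus` as absent rather than failing on `$null`. Set-TargetResource delegates entirely to `EnableBitlocker @PSBoundParameters` in Misc/xBitlockerCommon.psm1 (also in this patch); there the primary-protector dispatch reads `elseif ($Pin -like "Pin")` while every sibling branch tests `$PrimaryProtector`, so `PrimaryProtector = 'Pin'` on this resource appears never to reach the `$params.Add("Pin", ...)` branch and Enable-Bitlocker would run without that protector — `elseif ($PrimaryProtector -like "Pin")` looks like the intended condition.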
@@ -0,0 +1,31 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("xBLBitlocker")]
+class MSFT_xBLBitlocker : OMI_BaseResource
+{
+ [Key] String MountPoint; //The MountPoint name as reported in Get-BitLockerVolume
+ [Required, ValueMap{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}, Values{"AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector"}] String PrimaryProtector; //The type of key protector that will be used as the primary key protector
+ [Write] Boolean AutoUnlock; //Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock
+ [Write] Boolean AllowImmediateReboot; //Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false.
+
+ //Remaing properties correspond directly to Enable-Bitlocker parameters
+ //http://technet.microsoft.com/en-us/library/jj649837.aspx
+ [Write] String AdAccountOrGroup;
+ [Write] Boolean AdAccountOrGroupProtector;
+ [Write, ValueMap{"Aes128","Aes256"}, Values{"Aes128","Aes256"}] String EncryptionMethod;
+ [Write] Boolean HardwareEncryption;
+ [Write, EmbeddedInstance("MSFT_Credential")] String Password; //NOTE: Username doesn't matter for the credential. Just put the Password in the Password field
+ [Write] Boolean PasswordProtector;
+ [Write, EmbeddedInstance("MSFT_Credential")] String Pin; //NOTE: Username doesn't matter for the credential. Just put the Pin in the Password field
+ [Write] String RecoveryKeyPath;
+ [Write] Boolean RecoveryKeyProtector;
+ [Write] Boolean RecoveryPasswordProtector;
+ [Write] Boolean Service;
+ [Write] Boolean SkipHardwareTest;
+ [Write] String StartupKeyPath;
+ [Write] Boolean StartupKeyProtector;
+ [Write] Boolean TpmProtector;
+ [Write] Boolean UsedSpaceOnly;
+};
+
+
+
diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1 b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
new file mode 100644
index 0000000..eab7128
--- /dev/null
+++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.psm1
@@ -0,0 +1,123 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $Identity
+ )
+
+ #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0
+
+ CheckForPreReqs
+
+ $tpm = Get-Tpm
+
+ if ($tpm -ne $null)
+ {
+ $returnValue = @{
+ Identity = $Identity
+ TpmReady = $tpm.TpmReady
+ }
+ }
+
+ $returnValue
+}
+
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $Identity,
+
+ [System.Boolean]
+ $AllowClear,
+
+ [System.Boolean]
+ $AllowPhysicalPresence,
+
+ [System.Boolean]
+ $AllowImmediateReboot = $false
+ )
+
+ #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0
+
+ CheckForPreReqs
+
+ $PSBoundParameters.Remove("Identity") | Out-Null
+ $PSBoundParameters.Remove("AllowImmediateReboot") | Out-Null
+
+ $tpm = Initialize-Tpm @PSBoundParameters
+
+ if ($tpm -ne $null)
+ {
+ if ($tpm.RestartRequired -eq $true)
+ {
+ if ($AllowImmediateReboot -eq $true)
+ {
+ Write-Verbose "Forcing an immediate reboot of the computer"
+
+ Restart-Computer -Force
+ }
+ else
+ {
+ Write-Verbose "Setting DSCMachineStatus to 1"
+
+ $global:DSCMachineStatus = 1
+ }
+ }
+ }
+ else
+ {
+ throw "Failed to initialize TPM"
+ }
+}
+
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $Identity,
+
+ [System.Boolean]
+ $AllowClear,
+
+ [System.Boolean]
+ $AllowPhysicalPresence,
+
+ [System.Boolean]
+ $AllowImmediateReboot = $false
+ )
+
+ #Load helper module Import-Module "$((Get-Item -LiteralPath "$($PSScriptRoot)").Parent.Parent.FullName)\Misc\xBitlockerCommon.psm1" -Verbose:0
+
+ CheckForPreReqs
+
+ $tpm = Get-Tpm
+
+ if ($tpm -eq $null)
+ { return $false
+ }
+ else
+ {
+ return $tpm.TpmReady
+ }
+}
+
+
+Export-ModuleMember -Function *-TargetResource
+
+
+
diff --git a/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
new file mode 100644
index 0000000..8523338
--- /dev/null
+++ b/DSCResources/MSFT_xBLTpm/MSFT_xBLTpm.schema.mof
@@ -0,0 +1,12 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("xBLTpm")]
+class MSFT_xBLTpm : OMI_BaseResource
+{
+ [Key] String Identity; //Not actually used, so could be anything
+ [Write] Boolean AllowClear; //Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server� 2012 standards
+ [Write] Boolean AllowPhysicalPresence; //Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue.
+ [Write] Boolean AllowImmediateReboot; //Whether the computer can rebooted immediately after initializing the TPM
+};
+
+
+
diff --git a/Examples/ConfigureBitlockerAndAutoBitlocker/ConfigureBitlockerAndAutoBitlocker.ps1 b/Examples/ConfigureBitlockerAndAutoBitlocker/ConfigureBitlockerAndAutoBitlocker.ps1
new file mode 100644
index 0000000..1dfe486
--- /dev/null
+++ b/Examples/ConfigureBitlockerAndAutoBitlocker/ConfigureBitlockerAndAutoBitlocker.ps1
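Review bot: Set-TargetResource passes `AllowClear` straight through to `Initialize-Tpm @PSBoundParameters`, and the schema comment for that property says provisioning "clears the TPM, if necessary"; as a rule a TPM clear invalidates every key sealed to the device, including any existing BitLocker TpmProtector, so the resource should announce it before acting, e.g. `if ($AllowClear) { Write-Warning "AllowClear is set; Initialize-Tpm may clear the TPM and invalidate keys currently sealed to it" }` ahead of the call. Test-TargetResource returns only `$tpm.TpmReady`, so `AllowClear` and `AllowPhysicalPresence` never influence compliance; that is probably intended, and a one-line comment stating that these two parameters only shape how Set provisions the TPM would make it explicit. Get-TargetResource has the same unassigned-`$returnValue` path as the other resources in this patch when `Get-Tpm` returns nothing.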
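Review bot: The `AllowClear` comment contains a mis-encoded character between `Windows Server` and `2012` (rendered as `�`), most likely a trademark symbol lost in a code-page conversion; since the .mof is consumed by the MOF compiler and by documentation generators, replace it with plain `Windows Server 2012` and save the file as ASCII or UTF-8. The `Identity` comment `//Not actually used, so could be anything` is accurate — Set-TargetResource removes it before calling Initialize-Tpm and Test-TargetResource never reads it — so say why it exists, e.g. `//Required only because DSC needs a Key property; the resource ignores its value`.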
@@ -0,0 +1,51 @@
+Configuration ConfigureBitlockerAndAutoBitlocker
+{
+ Import-DscResource -Module xBitlocker
+
+ Node 'E15-1'
+ {
+ #First install the required Bitlocker features
+ WindowsFeature BitlockerFeature
+ {
+ Name = 'Bitlocker'
+ Ensure = 'Present'
+ IncludeAllSubFeature = $true
+ }
+
+ WindowsFeature BitlockerToolsFeature
+ {
+ Name = 'RSAT-Feature-Tools-Bitlocker'
+ Ensure = 'Present'
+ IncludeAllSubFeature = $true
+ }
+
+ #This example enables Bitlocker on the Operating System drive using both a RecoveryPasswordProtector and a StartupKeyProtector
+ xBLBitlocker Bitlocker
+ {
+ MountPoint = 'C:'
+ PrimaryProtector = 'RecoveryPasswordProtector'
+ StartupKeyProtector = $true
+ StartupKeyPath = 'A:'
+ RecoveryPasswordProtector = $true
+ AllowImmediateReboot = $true
+ UsedSpaceOnly = $true
+
+ DependsOn = '[WindowsFeature]BitlockerFeature','[WindowsFeature]BitlockerToolsFeature'
+ }
+
+ #This example sets up AutoBitlocker for any drive of type Fixed with a RecoveryPasswordProtector only.
+ xBLAutoBitlocker AutoBitlocker
+ {
+ DriveType = 'Fixed'
+ PrimaryProtector = 'RecoveryPasswordProtector'
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+
+ DependsOn = '[xBLBitlocker]Bitlocker' #Don't enable AutoBL until the OS drive has been encrypted
+ }
+ }
+}
+
+ConfigureBitlockerAndAutoBitlocker
+
+#Start-DscConfiguration -Verbose -Wait -Path .\ConfigureBitlockerAndAutoBitlocker -ComputerName "E15-1"
diff --git a/Examples/ConfigureBitlockerOnOSDrive/ConfigureBitlockerOnOSDrive.ps1 b/Examples/ConfigureBitlockerOnOSDrive/ConfigureBitlockerOnOSDrive.ps1
new file mode 100644
index 0000000..98ee7d5
--- /dev/null
+++ b/Examples/ConfigureBitlockerOnOSDrive/ConfigureBitlockerOnOSDrive.ps1
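Review bot: Both example configurations (this file and Examples/ConfigureBitlockerOnOSDrive/ConfigureBitlockerOnOSDrive.ps1) enable BitLocker on `C:` with `RecoveryPasswordProtector = $true`, yet nothing visible in the patch escrows the generated recovery password (no Backup-BitLockerKeyProtector or directory/MDM backup appears in the resources), so once `AllowImmediateReboot = $true` forces the restart the only copy is the one held in the volume's key protectors on the node itself. Add a comment above the `xBLBitlocker Bitlocker` block such as `#This resource does not back up the recovery password it generates; retrieve and escrow it (e.g. Backup-BitLockerKeyProtector to AD DS) before relying on it for recovery`, and state that `AllowImmediateReboot = $true` will `Restart-Computer -Force` the node in the middle of the DSC run. `StartupKeyPath = 'A:'` also assumes a removable drive is mounted at A: when the configuration is applied; the comment should say the startup key is written there and that drive must be present at every boot.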
@@ -0,0 +1,40 @@
+Configuration ConfigureBitlockerOnOSDrive
+{
+ Import-DscResource -Module xBitlocker
+
+ Node "E15-1"
+ {
+ #First install the required Bitlocker features
+ WindowsFeature BitlockerFeature
+ {
+ Name = 'Bitlocker'
+ Ensure = 'Present'
+ IncludeAllSubFeature = $true
+ }
+
+ WindowsFeature BitlockerToolsFeature
+ {
+ Name = 'RSAT-Feature-Tools-Bitlocker'
+ Ensure = 'Present'
+ IncludeAllSubFeature = $true
+ }
+
+ #This example enables Bitlocker on the Operating System drive using both a RecoveryPasswordProtector and a StartupKeyProtector
+ xBLBitlocker Bitlocker
+ {
+ MountPoint = 'C:'
+ PrimaryProtector = 'RecoveryPasswordProtector'
+ StartupKeyProtector = $true
+ StartupKeyPath = 'A:'
+ RecoveryPasswordProtector = $true
+ AllowImmediateReboot = $true
+ UsedSpaceOnly = $true
+
+ DependsOn = '[WindowsFeature]BitlockerFeature','[WindowsFeature]BitlockerToolsFeature'
+ }
+ }
+}
+
+ConfigureBitlockerOnOSDrive
+
+#Start-DscConfiguration -Verbose -Wait -Path .\ConfigureBitlockerOnOSDrive -ComputerName "E15-1"
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..567fd6a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
\ No newline at end of file
diff --git a/Misc/xBitlockerCommon.psm1 b/Misc/xBitlockerCommon.psm1
new file mode 100644
index 0000000..c0bea75
--- /dev/null
+++ b/Misc/xBitlockerCommon.psm1
@@ -0,0 +1,467 @@ +#A common function used to enable Bitlocker on a disk. +function EnableBitlocker +{ + [CmdletBinding()] + param + ( + [parameter(Mandatory = $true)] + [System.String] + $MountPoint, + + [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")] + [parameter(Mandatory = $true)] + [System.String] + $PrimaryProtector, + + [System.String] + $AdAccountOrGroup, + + [System.Boolean] + $AdAccountOrGroupProtector, + + [System.Boolean] + $AllowImmediateReboot = $false, + + [System.Boolean] + $AutoUnlock = $false, + + [ValidateSet("Aes128","Aes256")] + [System.String] + $EncryptionMethod, + + [System.Boolean] + $HardwareEncryption, + + [System.Management.Automation.PSCredential] + $Password, + + [System.Boolean] + $PasswordProtector, + + [System.Management.Automation.PSCredential] + $Pin, + + [System.String] + $RecoveryKeyPath, + + [System.Boolean] + $RecoveryKeyProtector, + + [System.Boolean] + $RecoveryPasswordProtector, + + [System.Boolean] + $Service, + + [System.Boolean] + $SkipHardwareTest, + + [System.String] + $StartupKeyPath, + + [System.Boolean] + $StartupKeyProtector, + + [System.Boolean] + $TpmProtector, + + [System.Boolean] + $UsedSpaceOnly, + + $VerbosePreference + ) + + Write-Verbose "Beginning processing of MountPoint: $($MountPoint)" + + $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue + + if ($blv -ne $null) + { + #Add key protectors other than the primary key protector prior to running Enable-Bitlocker + if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and $PrimaryProtector -notlike "AdAccountOrGroupProtector" -and !(ContainsKeyProtector -Type "AdAccountOrGroupProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding AdAccountOrGroupProtector" + Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $AdAccountOrGroup + } + + if 
($PSBoundParameters.ContainsKey("PasswordProtector") -and $PrimaryProtector -notlike "PasswordProtector" -and !(ContainsKeyProtector -Type "PasswordProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding PasswordProtector" + Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password.Password + } + + if ($PSBoundParameters.ContainsKey("Pin") -and $PrimaryProtector -notlike "Pin" -and !(ContainsKeyProtector -Type "Pin" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding Pin" + Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $Pin.Password + } + + if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and $PrimaryProtector -notlike "RecoveryKeyProtector" -and !(ContainsKeyProtector -Type "RecoveryKeyProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding RecoveryKeyProtector" + Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $RecoveryKeyPath + } + + if ($PSBoundParameters.ContainsKey("RecoveryPasswordProtector") -and $PrimaryProtector -notlike "RecoveryPasswordProtector" -and !(ContainsKeyProtector -Type "RecoveryPasswordProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding RecoveryPasswordProtector" + Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector $RecoveryPasswordProtector + } + + if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and $PrimaryProtector -notlike "StartupKeyProtector" -and !(ContainsKeyProtector -Type "StartupKeyProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose "Adding StartupKeyProtector" + Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath + } + + if ($PSBoundParameters.ContainsKey("TpmProtector") -and $PrimaryProtector -notlike "TpmProtector" -and !(ContainsKeyProtector -Type "TpmProtector" -KeyProtectorCollection $blv.KeyProtector)) + { + Write-Verbose 
"Adding TpmProtector"
+ Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector $TpmProtector
+ }
+
+ #Now enable Bitlocker with the primary key protector
+ if ($blv.VolumeStatus -eq "FullyDecrypted")
+ {
+ Write-Verbose "Running Enable-Bitlocker"
+
+ #First add non-key related parameters
+ $params = @{}
+ $params.Add("MountPoint", $MountPoint)
+
+ if ($PSBoundParameters.ContainsKey("EncryptionMethod"))
+ {
+ $params.Add("EncryptionMethod", $EncryptionMethod)
+ }
+
+ if ($PSBoundParameters.ContainsKey("HardwareEncryption"))
+ {
+ $params.Add("HardwareEncryption", $true)
+ }
+
+ if ($PSBoundParameters.ContainsKey("Service"))
+ {
+ $params.Add("Service", $true)
+ }
+
+ if ($PSBoundParameters.ContainsKey("SkipHardwareTest"))
+ {
+ $params.Add("SkipHardwareTest", $true)
+ }
+
+ if ($PSBoundParameters.ContainsKey("UsedSpaceOnly"))
+ {
+ $params.Add("UsedSpaceOnly", $true)
+ }
+
+ #Now add the primary protector
+ if ($PrimaryProtector -like "AdAccountOrGroupProtector")
+ {
+ $params.Add("AdAccountOrGroupProtector", $true)
+ $params.Add("AdAccountOrGroup", $AdAccountOrGroup)
+ }
+ elseif ($PrimaryProtector -like "PasswordProtector")
+ {
+ $params.Add("PasswordProtector", $true)
+ $params.Add("Password", $Password.Password)
+ }
+ elseif ($Pin -like "Pin")
+ {
+ $params.Add("Pin", $Pin.Password)
+ }
+ elseif ($PrimaryProtector -like "RecoveryKeyProtector")
+ {
+ $params.Add("RecoveryKeyProtector", $true)
+ $params.Add("RecoveryKeyPath", $RecoveryKeyPath)
+ }
+ elseif ($PrimaryProtector -like "RecoveryPasswordProtector")
+ {
+ $params.Add("RecoveryPasswordProtector", $true)
+ }
+ elseif ($PrimaryProtector -like "StartupKeyProtector")
+ {
+ $params.Add("StartupKeyProtector", $true)
+ $params.Add("StartupKeyPath", $StartupKeyPath)
+ }
+ elseif ($PrimaryProtector -like "TpmProtector")
+ {
+ $params.Add("TpmProtector", $true)
+ }
+
+ #Run Enable-Bitlocker
+ $newBlv = Enable-Bitlocker @params
+
+ #Check if the Enable succeeded
+ if ($newBlv -ne $null)
+ {
+ if ($blv.VolumeType -eq "OperatingSystem") #Only initiate reboot if this is an OS drive
+ {
+ if ($AllowImmediateReboot -eq $true)
+ {
+ Write-Verbose "Forcing an immediate reboot of the computer"
+
+ Restart-Computer -Force
+ }
+ else
+ {
+ Write-Verbose "Setting DSCMachineStatus to 1"
+
+ $global:DSCMachineStatus = 1
+ }
+ }
+ }
+ else
+ {
+ throw "Failed to successfully enable Bitlocker on MountPoint $($MountPoint)"
+ }
+
+ #Finally, enable AutoUnlock if requested
+ if ($AutoUnlock -eq $true -and $blv.VolumeType -ne "OperatingSystem")
+ {
+ Enable-BitlockerAutoUnlock -MountPoint $MountPoint
+ }
+ }
+ }
+ else
+ {
+ throw "Unable to find Bitlocker Volume associated with Mount Point '$($MountPoint)'"
+ }
+}
+
+#A common function used to test if Bitlocker is enabled on a disk with the appropriate settings
+function TestBitlocker
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $MountPoint,
+
+ [ValidateSet("AdAccountOrGroupProtector","PasswordProtector","Pin","RecoveryKeyProtector","RecoveryPasswordProtector","StartupKeyProtector","TpmProtector")]
+ [parameter(Mandatory = $true)]
+ [System.String]
+ $PrimaryProtector,
+
+ [System.String]
+ $AdAccountOrGroup,
+
+ [System.Boolean]
+ $AdAccountOrGroupProtector,
+
+ [System.Boolean]
+ $AllowImmediateReboot = $false,
+
+ [System.Boolean]
+ $AutoUnlock = $false,
+
+ [ValidateSet("Aes128","Aes256")]
+ [System.String]
+ $EncryptionMethod,
+
+ [System.Boolean]
+ $HardwareEncryption,
+
+ [System.Management.Automation.PSCredential]
+ $Password,
+
+ [System.Boolean]
+ $PasswordProtector,
+
+ [System.Management.Automation.PSCredential]
+ $Pin,
+
+ [System.String]
+ $RecoveryKeyPath,
+
+ [System.Boolean]
+ $RecoveryKeyProtector,
+
+ [System.Boolean]
+ $RecoveryPasswordProtector,
+
+ [System.Boolean]
+ $Service,
+
+ [System.Boolean]
+ $SkipHardwareTest,
+
+ [System.String]
+ $StartupKeyPath,
+
+ [System.Boolean]
+ $StartupKeyProtector,
+
+ [System.Boolean]
+ $TpmProtector,
+
+ [System.Boolean]
+ $UsedSpaceOnly,
+
+ $VerbosePreference
+ )
+
+ $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
+
+ if ($blv -eq $null)
+ {
+ Write-Verbose "Unable to locate MountPoint: $($MountPoint)"
+ return $false
+ }
+ elseif ($blv.KeyProtector -eq $null -or $blv.KeyProtector.Count -eq 0)
+ {
+ Write-Verbose "No key protectors on MountPoint: $($MountPoint)"
+ return $false
+ }
+ elseif ($blv.VolumeStatus -eq "FullyDecrypted")
+ {
+ Write-Verbose "MountPoint has a status of FullyDecrypted: $($MountPoint)"
+ return $false
+ }
+ elseif ($AutoUnlock -eq $true -and $blv.AutoUnlockEnabled -ne $true)
+ {
+ Write-Verbose "AutoUnlock is not enabled for MountPoint: $($MountPoint)"
+ return $false
+ }
+ else
+ {
+ if ($PSBoundParameters.ContainsKey("AdAccountOrGroupProtector") -and !(ContainsKeyProtector -Type "AdAccountOrGroupProtector" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have AdAccountOrGroupProtector"
+ return $false
+ }
+
+ if ($PSBoundParameters.ContainsKey("PasswordProtector") -and !(ContainsKeyProtector -Type "PasswordProtector" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have PasswordProtector"
+ return $false
+ }
+
+ if ($PSBoundParameters.ContainsKey("RecoveryKeyProtector") -and !(ContainsKeyProtector -Type "RecoveryKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have RecoveryKeyProtector"
+ return $false
+ }
+
+ if ($PSBoundParameters.ContainsKey("StartupKeyProtector") -and !(ContainsKeyProtector -Type "StartupKeyProtector" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have StartupKeyProtector"
+ return $false
+ }
+
+ if ($PSBoundParameters.ContainsKey("TpmProtector") -and !(ContainsKeyProtector -Type "TpmProtector" -KeyProtectorCollection $blv.KeyProtector))
+ {
+ Write-Verbose "MountPoint '$($MountPoint) 'does not have TpmProtector"
+ return $false
+ }
+ }
+
+ return $true
+}
+
+#Ensures that required Bitlocker prereqs are installed
+function CheckForPreReqs
+{
+ $hasAllPreReqs = $true
+
+ $blFeature = Get-WindowsFeature BitLocker
+ $blAdminToolsFeature = Get-WindowsFeature RSAT-Feature-Tools-BitLocker
+ $blAdminToolsRemoteFeature = Get-WindowsFeature RSAT-Feature-Tools-BitLocker-RemoteAdminTool
+
+ if ($blFeature.InstallState -ne "Installed")
+ {
+ $hasAllPreReqs = $false
+
+ Write-Error "The Bitlocker feature needs to be installed before the xBitlocker module can be used"
+ }
+
+ if ($blAdminToolsFeature.InstallState -ne "Installed")
+ {
+ $hasAllPreReqs = $false
+
+ Write-Error "The RSAT-Feature-Tools-BitLocker feature needs to be installed before the xBitlocker module can be used"
+ }
+
+ if ($blAdminToolsRemoteFeature.InstallState -ne "Installed")
+ {
+ $hasAllPreReqs = $false
+
+ Write-Error "The RSAT-Feature-Tools-BitLocker-RemoteAdminTool feature needs to be installed before the xBitlocker module can be used"
+ }
+
+ if ($hasAllPreReqs -eq $false)
+ {
+ throw "Required Bitlocker features need to be installed before xBitlocker can be used"
+ }
+}
+
+#Checks whether the KeyProtectorCollection returned from Get-BitlockerVolume contains the specified key protector type
+function ContainsKeyProtector
+{
+ param([string]$Type, $KeyProtectorCollection)
+
+ if ($KeyProtectorCollection -ne $null)
+ {
+ foreach ($keyProtector in $KeyProtectorCollection)
+ {
+ if ($keyProtector.KeyProtectorType -eq $Type)
+ {
+ return $true
+ }
+ }
+ }
+
+ return $false
+}
+
+#Takes $PSBoundParameters from another function and adds in the keys and values from the given Hashtable
+function AddParameters
+{
+ param($PSBoundParametersIn, [Hashtable]$ParamsToAdd)
+
+ foreach ($key in $ParamsToAdd.Keys)
+ {
+ if (!($PSBoundParametersIn.ContainsKey($key))) #Key doesn't exist, so add it with value
+ {
+ $PSBoundParametersIn.Add($key, $ParamsToAdd[$key]) | Out-Null
+ }
+ else #Key already exists, so just replace the value
+ {
+ $PSBoundParametersIn[$key] = $ParamsToAdd[$key]
+ }
+ }
+}
+
+#Takes $PSBoundParameters from another function. If ParamsToRemove is specified, it will remove each param.
+#If ParamsToKeep is specified, everything but those params will be removed. If both ParamsToRemove and ParamsToKeep
+#are specified, only ParamsToKeep will be used.
+function RemoveParameters
+{
+ param($PSBoundParametersIn, [string[]]$ParamsToKeep, [string[]]$ParamsToRemove)
+
+ if ($ParamsToKeep -ne $null -and $ParamsToKeep.Count -gt 0)
+ {
+ [string[]]$ParamsToRemove = @()
+
+ $lowerParamsToKeep = StringArrayToLower -Array $ParamsToKeep
+
+ foreach ($key in $PSBoundParametersIn.Keys)
+ {
+ if (!($lowerParamsToKeep.Contains($key.ToLower())))
+ {
+ $ParamsToRemove += $key
+ }
+ }
+ }
+
+ if ($ParamsToRemove -ne $null -and $ParamsToRemove.Count -gt 0)
+ {
+ foreach ($param in $ParamsToRemove)
+ {
+ $PSBoundParametersIn.Remove($param) | Out-Null
+ }
+ }
+}
+
+Export-ModuleMember -Function *
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6640444
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+{{AppVeyor build status badge for master branch}}
+
+#{{ModuleName}}
+
+{{Description}}
+
+## Contributing
+Please check out common DSC Resources [contributing guidelines](https://github.com/PowerShell/DscResource.Kit/blob/master/CONTRIBUTING.md).
diff --git a/Test/Test-xBitlocker.ps1 b/Test/Test-xBitlocker.ps1
new file mode 100644
index 0000000..f50abd2
--- /dev/null
+++ b/Test/Test-xBitlocker.ps1
@@ -0,0 +1,94 @@
+$showVerbose = $true
+
+#Define the parameters that can be passed into individual tests
+$blParams1 = @{
+ MountPoint = "C:"
+ PrimaryProtector = "RecoveryPasswordProtector"
+ StartupKeyProtector = $true
+ StartupKeyPath = "A:"
+ RecoveryPasswordProtector = $true
+ AllowImmediateReboot = $false
+ UsedSpaceOnly = $true
+}
+
+$autoBlParams1 = @{
+ DriveType = "Fixed"
+ MinDiskCapacityGB = 20
+ PrimaryProtector = "RecoveryPasswordProtector"
+ RecoveryPasswordProtector = $true
+ UsedSpaceOnly = $true
+}
+
+#Compares two values and reports whether they are the same or not
+function CheckSetting($testName, $expectedValue, $actualValue)
+{
+ if ($expectedValue -ne $actualValue)
+ {
+ Write-Host -ForegroundColor Red "Test: '$($testName)'. Result: Fail. Expected value: '$($expectedValue)'. Actual value: '$($actualValue)'."
+ }
+ else
+ {
+ if ($showValidSettings -eq $true)
+ {
+ Write-Host -ForegroundColor Green "Test: '$($testName)'. Result: Pass. Value: '$($expectedValue)'."
+ }
+ }
+}
+
+#Actually runs the specified test
+function RunTest
+{
+ param([string]$TestName, [string[]]$ModulesToImport, [Hashtable]$Parameters)
+
+ #Load Required Modules
+ foreach ($module in $ModulesToImport)
+ {
+ $modulePath = "..\DSCResources\$($module)\$($module).psm1"
+ Import-Module $modulePath
+ }
+
+ if ($showVerbose -eq $true)
+ {
+ Set-TargetResource @Parameters -Verbose
+
+ $getResult = Get-TargetResource @Parameters -Verbose
+ checkSetting -testName "$($TestName): Get" -expectedValue $true -actualValue ($getResult -ne $null)
+
+ $testResult = Test-TargetResource @Parameters -Verbose
+ checkSetting -testName "$($TestName): Test" -expectedValue $true -actualValue $testResult
+ }
+ else
+ {
+ #Set-TargetResource @Parameters
+
+ $getResult = Get-TargetResource @Parameters
+ checkSetting -testName "$($TestName): Get" -expectedValue $true -actualValue ($getResult -ne $null)
+
+ $testResult = Test-TargetResource @Parameters
+ checkSetting -testName "$($TestName): Test" -expectedValue $true -actualValue $testResult
+ }
+
+ #Unload Required Modules
+ foreach ($module in $ModulesToImport)
+ {
+ Remove-Module $module
+ }
+}
+
+#Runs any tests that match the filter
+function RunTests
+{
+ param([string]$Filter)
+
+ if ("TestBitlocker" -like $Filter)
+ {
+ RunTest -TestName "TestBitlocker1" -ModulesToImport "MSFT_xBitlocker" -Parameters $blParams1
+ }
+
+ if ("TestAutoBitlocker" -like $Filter)
+ {
+ RunTest -TestName "TestAutoBitlocker1" -ModulesToImport "MSFT_xAutoBitlocker" -Parameters $autoBlParams1
+ }
+}
+
+RunTests -Filter "TestAutoBitlocker*"
diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 0000000..62d98c2
--- /dev/null
+++ b/appveyor.yml
@@ -0,0 +1,25 @@
+install:
+ - cinst -y pester
+ - git clone https://github.com/PowerShell/DscResource.Tests
+
+build: false
+
+test_script:
+ - ps: |
+ $testResultsFile = ".\TestsResults.xml"
+ $res = Invoke-Pester -OutputFormat NUnitXml -OutputFile $testResultsFile -PassThru
+ (New-Object 'System.Net.WebClient').UploadFile("https://ci.appveyor.com/api/testresults/nunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path $testResultsFile))
+ if ($res.FailedCount -gt 0) {
+ throw "$($res.FailedCount) tests failed."
+ }
+on_finish:
+ - ps: |
+ $stagingDirectory = (Resolve-Path ..).Path
+ $zipFile = Join-Path $stagingDirectory "$(Split-Path $pwd -Leaf).zip"
+ Add-Type -assemblyname System.IO.Compression.FileSystem
+ [System.IO.Compression.ZipFile]::CreateFromDirectory($pwd, $zipFile)
+ @(
+ # You can add other artifacts here
+ (ls $zipFile)
+ ) | % { Push-AppveyorArtifact $_.FullName }
+
diff --git a/xBitlocker.psd1 b/xBitlocker.psd1
new file mode 100644
index 0000000..a6f57a1
--- /dev/null
+++ b/xBitlocker.psd1
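Review bot: RunTests passes `"MSFT_xBitlocker"` and `"MSFT_xAutoBitlocker"` as module names, but RunTest resolves `..\DSCResources\$($module)\$($module).psm1` and the resource folders this commit creates are `MSFT_xBLBitlocker` and `MSFT_xBLAutoBitlocker`, so Import-Module fails before either test body runs; both RunTest calls should use the `MSFT_xBL*` names. CheckSetting gates its pass output on `$showValidSettings`, which is never assigned anywhere in the script (only `$showVerbose` is), so passing checks are silently never reported; adding `$showValidSettings = $true` beside `$showVerbose` makes the flag real. Since `$blParams1` targets `C:` and the verbose branch calls Set-TargetResource unconditionally, a header comment stating that this script changes BitLocker state on the machine it runs on would help whoever runs it next.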
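Review bot: The install step clones `https://github.com/PowerShell/DscResource.Tests` at whatever its default branch points to on the day of the build, and `cinst -y pester` takes the newest package, so the code CI executes against this module can change without any commit in this repository; pinning both keeps the build reproducible and narrows the exposure if either upstream is altered. For example `git clone https://github.com/PowerShell/DscResource.Tests` followed by `git -C DscResource.Tests checkout <pinned-commit>` (placeholder), and `cinst -y pester --version <pinned-version>` (placeholder). The on_finish step zips `$pwd`, which appears to be where the clone landed, so the published artifact would also contain that checkout and `TestsResults.xml`; cloning outside the module directory or excluding it keeps the artifact to this module's own files.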
@@ -0,0 +1,98 @@
+#
+# Module manifest for module 'xBitlocker'
+#
+# Generated by: Mike Hendrickson
+#
+# Generated on: 8/29/2014
+#
+
+@{
+
+# Script module or binary module file associated with this manifest.
+# RootModule = ''
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'dc4f3fd0-4e1d-4916-84f8-d0bb89d52507'
+
+# Author of this module
+Author = 'Mike Hendrickson'
+
+# Company or vendor of this module
+CompanyName = 'Microsoft'
+
+# Copyright statement for this module
+Copyright = '(c) 2014 administrator. All rights reserved.'
+
+# Description of the functionality provided by this module
+Description = 'This DSC Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.'
+
+# Minimum version of the Windows PowerShell engine required by this module
+# PowerShellVersion = ''
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of Microsoft .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = @()
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = '*'
+
+# Aliases to export from this module
+AliasesToExport = '*'
+
+# List of all modules packaged with this module
+# ModuleList = @()
+
+# List of all files packaged with this module
+# FileList = @()
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
+
+
+
diff --git a/xBitlocker_Documentation.html b/xBitlocker_Documentation.html
new file mode 100644
index 0000000..9330600
--- /dev/null
+++ b/xBitlocker_Documentation.html
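Review bot: All four export entries are wildcards (`FunctionsToExport = '*'` and the Cmdlets/Variables/Aliases equivalents) while `RootModule` is commented out, so the manifest names nothing concrete to export and the wildcards stop PowerShell from discovering commands without loading the module; explicit values, for example `FunctionsToExport = @()` if the DSC resources are the only entry points, are the usual fix. `Copyright = '(c) 2014 administrator. All rights reserved.'` reads like a generator placeholder and does not match the `Author` and `CompanyName` values above it.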
@@ -0,0 +1,249 @@ +<body> +<div id="longDesc"> +<span style="font-family:Calibri; font-size:medium"> +<h1 style="font-family:Calibri Light; color:#2e74b5; font-size:large">Introduction</h1> +<p>The<strong> xBitlocker</strong> module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is +a collection of DSC Resources produced by the PowerShell Team. This module contains the <strong>xBLAutoBitlocker, xBLBitlocker, xBLTpm</strong> resources. This DSC +Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.</p> +<p><strong>All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program +or service. The ""x" in xBitlocker stands for experimental</strong>, which means that these resources will be <strong>fix forward</strong> +and monitored by the module owner(s).</p> +<p>Please leave comments, feature requests, and bug reports in the Q & A tab for this module.</p> +<p>If you would like to modify <strong>xBitlocker</strong> module, feel free. When modifying, please update the module name, resource friendly name, +and MOF class name (instructions below). As specified in the license, you may copy or modify this resource as long as they are used on the Windows Platform.</p> +<p>For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the +<a href="http://blogs.msdn.com/b/powershell/"><span style="color:#0000ff">PowerShell Blog</span></a> (</span><a href="http://blogs.msdn.com/b/powershell/archive/2013/11/01/configuration-in-a-devops-world-windows-powershell-desired-state-configuration.aspx"><span style="color:#0000ff">this</span></a> is a good starting point). 
There are +also great community resources, such as <a href="http://powershell.org/wp/tag/dsc/"><span style="color:#0000ff">PowerShell.org</span></a>, or +<a href="http://www.powershellmagazine.com/tag/dsc/"><span style="color:#0000ff">PowerShell Magazine</span></a>. For more information on the DSC Resource Kit, check out +<a href="http://go.microsoft.com/fwlink/?LinkID=389546"><span style="color:#0000ff">this blog post</span></a>.<br></p> + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Installation</h1> +<p>To install <strong >xBitlocker</strong> module </p> +<ul style="list-style-type:disc; direction:ltr"> +<li>Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder</li> +</ul> +<p>To confirm installation:<br></p> +<ul style="list-style-type:disc; direction:ltr"> +<li>Run <strong>Get-DSCResource</strong> to see that <strong>xBLAutoBitlocker, xBLBitlocker, xBLTpm</strong> are among the DSC Resources listed<br></li> +</ul> + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Requirements</h1> +<p>This module requires that both the 'Bitlocker' and 'RSAT-Feature-Tools-Bitlocker' features are installed. It also requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems, +<a href="http://www.microsoft.com/en-us/download/details.aspx?id=40855"><span style="color:#0000ff">install WMF 4.0</span></a>. Please read the installation instructions +that are present on both the download page and the release notes for WMF 4.0.</p> + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Description</h1> +<p>The <strong >xBitlocker </strong> module contains the <strong >xBLAutoBitlocker, xBLBitlocker, xBLTpm</strong> DSC Resources. 
This DSC +Module allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.</p> + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Details</h1> +<p><strong>xBLAutoBitlocker</strong> is used to automatically enable Bitlocker on drives of type Fixed or Removable. It does not work on Operating System drives. <strong>xBLAutoBitlocker</strong> has the following properties. Where no description is listed, properties correspond directly to <a href="http://technet.microsoft.com/en-us/library/jj649837.aspx">Enable-Bitlocker</a> parameters.</p> +<ul style="list-style-type:disc; direction:ltr"> +<li> + <span style="width: 250px; float: left; font-weight: bold;">*DriveType:</span>The type of volume, as reported by Get-Volume, to auto apply Bitlocker to +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">*PrimaryProtector:</span>The primary protector type to be used for AutoBitlocker. Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector" +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">MinDiskCapacityGB:</span>If specified, only disks this size or greater will auto apply Bitlocker +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AutoUnlock:</span>Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AdAccountOrGroup</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AdAccountOrGroupProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">EncryptionMethod</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">HardwareEncryption</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: 
bold;">Password</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">PasswordProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">Pin</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryKeyPath</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryKeyProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryPasswordProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">Service</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">SkipHardwareTest</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">StartupKeyPath</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">StartupKeyProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">TpmProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">UsedSpaceOnly</span> +</li> +</ul> + +<p><strong>xBLBitlocker</strong> has the following properties. Where no description is listed, properties correspond directly to <a href="http://technet.microsoft.com/en-us/library/jj649837.aspx">Enable-Bitlocker</a> parameters.</p> +<ul style="list-style-type:disc; direction:ltr"> +<li> + <span style="width: 250px; float: left; font-weight: bold;">*MountPoint:</span>The MountPoint name as reported in Get-BitLockerVolume +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">*PrimaryProtector:</span>The primary protector type to be used for AutoBitlocker. 
Valid values are: "AdAccountOrGroupProtector", "PasswordProtector", "Pin", "RecoveryKeyProtector", "RecoveryPasswordProtector", "StartupKeyProtector", or "TpmProtector" +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AutoUnlock:</span>Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AllowImmediateReboot:</span>Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. Defaults to false. +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AdAccountOrGroup</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AdAccountOrGroupProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">EncryptionMethod</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">HardwareEncryption</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">Password</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">PasswordProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">Pin</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryKeyPath</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryKeyProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">RecoveryPasswordProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">Service</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">SkipHardwareTest</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">StartupKeyPath</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">StartupKeyProtector</span> +</li> +<li> + <span style="width: 250px; float: left; 
font-weight: bold;">TpmProtector</span> +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">UsedSpaceOnly</span> +</li> +</ul> + +<p><strong>xBLTpm</strong> is used to initialize a TPM chip using <a href="http://technet.microsoft.com/en-us/library/jj603112.aspx">Initialize-TPM</a>. <strong>xBLTpm</strong> has the following properties.</p> +<ul style="list-style-type:disc; direction:ltr"> +<li> + <span style="width: 250px; float: left; font-weight: bold;">*Identity:</span>Not actually used, so could be anything +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AllowClear:</span>Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server® 2012 standards +</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AllowPhysicalPresence:</span>Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue. 
+</li> +<li> + <span style="width: 250px; float: left; font-weight: bold;">AllowImmediateReboot:</span>Whether the computer can rebooted immediately after initializing the TPM +</li> +</ul> + + + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Renaming Requirements</h1> +<p>When making changes to these resources, we suggest the following practice:</p> +<ol style="list-style-type:decimal; direction:ltr"> +<li> + Update the following names by replacing MSFT with your company/community name and replacing the <strong>"x"</strong> with <strong>"c"</strong> (short for "Community") or another prefix of your choice: +<ul> +<li> + <strong>Module name (ex: xBitlocker</strong> becomes <strong>cBitlocker</strong>) +</li> +<li> + <strong>Resource folder (ex: MSFT_xBLBitlocker</strong> becomes <strong>Contoso_cBLBitlocker</strong>) +</li> +<li> + <strong>Resource Name (ex: MSFT_xBLBitlocker</strong> becomes <strong>Contoso_cBLBitlocker</strong>) +</li> +<li> + <strong>Resource Friendly Name (ex: xBLBitlocker</strong> becomes <strong>cBLBitlocker</strong>) +</li> +<li> + <strong>MOF class name (ex: MSFT_xBLBitlocker</strong> becomes <strong>Contoso_cBLBitlocker</strong>) +</li> +<li> + <strong>Filename for the <resource>.schema.mof (ex: MSFT_xBLBitlocker</strong>.schema.mof becomes <strong>Contoso_cBLBitlocker</strong>.schema.mof) +</li> +</ul> +</li> +<li> + Update module and metadata information in the module manifest +</li> +<li> + Update any configuration that use these resources +</li> +</ol> +<p><em>We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" or "BLAutoBitlocker, BLBitlocker, BLTpm"). If the next version of Windows Server ships with "MSFT_BLAutoBitlocker, MSFT_BLBitlocker, MSFT_BLTpm" resources, we don't want to break any configurations that use any community modifications. 
Please keep a prefix such as "c" on all community modifications.</em></p> + + +<h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Versions</h1> +<p>1.0.0.0</p> +<ul style="list-style-type:disc; direction:ltr"> +<li> + Initial release with the following resources +<ul style="list-style-type:circle"> +<li> + xBLAutoBitlocker +</li> +<li> + xBLBitlocker +</li> +<li> + xBLTpm +</li> +</ul> +</li> +</ul> + +<h1 style="margin-bottom:0pt; font-family:Calibri Light; color:#2e74b5; font-size:large">Example: ConfigureBitlockerOnOSDrive</h1> +This example enables Bitlocker on an Operating System drive. The example code for ConfigureBitlockerOnOSDrive is located in "ConfigureBitlockerOnOSDrive.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerOnOSDrive. <p></p> + +<h1 style="margin-bottom:0pt; font-family:Calibri Light; color:#2e74b5; font-size:large">Example: ConfigureBitlockerAndAutoBitlocker</h1> +Enables Bitlocker on an Operating System drive, and automatically enables Bitlocker on all drives of type 'Fixed'. The example code for ConfigureBitlockerAndAutoBitlocker is located in "ConfigureBitlockerAndAutoBitlocker.ps1" in the module folder under ...\xExchange\Examples\ConfigureBitlockerAndAutoBitlocker. <p></p></br> + +</span> +</div> +</body>