StartMBAMEncryption.WSF
<job id="StartMBAMEncryption">
<script language="VBScript" src="ZTIUtility.vbs"/>
<script language="VBScript">
' // ***************************************************************************
' //
' // Copyright (c) Microsoft Corporation. All rights reserved.
' //
' // Microsoft Deployment Toolkit Solution Accelerator
' //
' // File: StartMBAMEncryption.wsf
' //
' // Version: 6.0.2058.3
' //
' // Purpose: Start encryption using MBAM
' //
' // Usage: cscript StartMBAMEncryption.wsf [/debug:true] /MBAMServiceEndPoint:<KeyRecoveryServiceEndPoint registry value>
' //        [/EncryptionMethod:<integer value for encryption method>]
' //
' // Revisions:
' // 6.0.2058.0 02/20/2012 Created script.
' // 6.0.2058.1 11/07/2012 Now using /MBAMServiceEndPoint to pass the MBAM service
' //                       URL instead of /AddRegFile and /RemoveRegFile.
' // 6.0.2058.2 11/29/2012 Added /EncryptionMethod switch.
' // 6.0.2058.3 25/01/2018 Added /EncryptionMethod switch support for Windows 10 1511+ [dpadgett/execmgr.net].
' //
' // ***************************************************************************
' Require every variable to be declared; catches typos in the Hungarian-style names used below.
Option Explicit

' ZTIUtility.vbs entry point: instantiates the script's class (StartMBAMEncryption, below) and runs its Main.
RunNewInstance
'//----------------------------------------------------------------------------
'//
'// Global constants
'//
'//----------------------------------------------------------------------------
'//----------------------------------------------------------------------------
'// Main Class
'//----------------------------------------------------------------------------
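Class StartMBAMEncryption

    '// Win32_Tpm instance, bound by GetTpmInstance and used by the GetTpm* helpers.
    Public oTpm
    '// TPM state flags, filled in by the GetTpm* helpers and evaluated in TpmValidate.
    Public bTpmActivated, bTpmOwned, bTpmEnabled, bTpmOwnershipAllowed, bEndorsementKeyPairPresent

    '// VBScript classes cannot declare Const members, so these are assigned in Class_Initialize.
    Private iXtsMinBuild      ' Windows 10 1511 (build 10586): threshold for the EncryptionMethod check and the protector-suspend step
    Private iMaxWaitLoops     ' polling iterations (15 s each) allowed for encryption to start
    Private sRegExe           ' architecture-correct reg.exe path, resolved in Main

    Private Sub Class_Initialize
        iXtsMinBuild = 10586
        iMaxWaitLoops = 20
        sRegExe = ""
    End Sub

    '// Entry point called by RunNewInstance. Configures the MBAM agent through the registry,
    '// waits for BitLocker encryption to start, optionally adds a WTG passphrase protector,
    '// then removes the deployment-time registry values. Aborts via TestAndFail on any fatal
    '// error; returns Success otherwise.
    Function Main
        Dim aAddMBAMRegistryValues, aRemoveMBAMRegistryValues
        Dim oService, oServices, oDisk
        Dim iBuildNumber, iRetVal, iLoopCount, i
        Dim sMBAMRegistryKey, sFVERegistryKey, sMBAMServiceEndPoint, sEncryptionMethod, sCmd
        Dim bWindowsToGo

        sMBAMRegistryKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM"
        sFVERegistryKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE"
        aAddMBAMRegistryValues = Array("Installed", "KeyRecoveryOptions", "UseKeyRecoveryService", "DeploymentTime", "NoStartupDelay")
        aRemoveMBAMRegistryValues = Array("KeyRecoveryServiceEndPoint", "KeyRecoveryOptions", "UseKeyRecoveryService", "DeploymentTime", "NoStartupDelay")

        '// --- Inputs (task sequence variables) ---
        sMBAMServiceEndPoint = oEnvironment.Item("MBAMServiceEndPoint")
        If sMBAMServiceEndPoint = "" Then
            TestAndFail False, 10001, "MBAMServiceEndPoint not specified."
        End If
        oLogging.CreateEntry "MBAMServiceEndPoint: " & sMBAMServiceEndPoint, LogTypeInfo

        sEncryptionMethod = oEnvironment.Item("EncryptionMethod")
        If sEncryptionMethod = "" Then sEncryptionMethod = "6"   ' default is AES-XTS 128bit
        oLogging.CreateEntry "EncryptionMethod: " & sEncryptionMethod, LogTypeInfo

        '// Numeric build so the comparisons below compare by value. WMI returns BuildNumber as a
        '// string, and a string-vs-number Variant comparison in VBScript does not compare numerically.
        iBuildNumber = GetOSBuildNumber()

        '// On 1511 and later only 3, 4, 6 or 7 are accepted. The previous condition was inverted:
        '// it fired only below 1511, and only for exactly the values its message calls valid.
        If iBuildNumber >= iXtsMinBuild And Not IsSupportedEncryptionMethod(sEncryptionMethod) Then
            TestAndFail False, 10002, "EncryptionMethod value not valid for Windows 10 1511 and higher - Must be 3, 4, 6 or 7 ."
        End If

        '// A TPM is only required for non Windows-To-Go deployments.
        bWindowsToGo = (UCase(oEnvironment.Item("_SMSTSWTG")) = "TRUE")
        If Not bWindowsToGo Then
            TestAndFail TpmValidate(), 10005, "TPM Validated"
        End If

        Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
        TestAndFail (oServices.Count = 1), 10005, "MBAM Client Agent is installed"
        '// Stop the agent while its registry configuration is written.
        For Each oService In oServices
            oService.StopService()
        Next

        sRegExe = LocateRegExe()
        oLogging.CreateEntry "Using " & sRegExe & " for Reg Add/Delete", LogTypeInfo

        '// MBAM client configuration. RegAdd quotes the data so an endpoint containing
        '// spaces cannot be split by reg.exe's command-line parsing.
        RegAdd sMBAMRegistryKey, "KeyRecoveryServiceEndPoint", "REG_EXPAND_SZ", sMBAMServiceEndPoint, _
               10006, "Importing KeyRecoveryServiceEndPoint Registry value: " & sMBAMServiceEndPoint
        For i = 0 To UBound(aAddMBAMRegistryValues)
            RegAdd sMBAMRegistryKey, aAddMBAMRegistryValues(i), "REG_DWORD", "1", _
                   10006, "Importing Registry value: " & aAddMBAMRegistryValues(i)
        Next

        '// BitLocker encryption method. (The log line previously reported the endpoint, not the method.)
        RegAdd sFVERegistryKey, "EncryptionMethodWithXtsOs", "REG_DWORD", sEncryptionMethod, _
               10006, "Importing EncryptionMethod Registry value: " & sEncryptionMethod

        '// Temporary startup-protector policy while encryption is kicked off; removed again below.
        RegAdd sFVERegistryKey, "UseTPM", "REG_DWORD", "2", 10006, ""
        RegAdd sFVERegistryKey, "EnableBDEWithNoTPM", "REG_DWORD", "1", 10006, ""
        RegAdd sFVERegistryKey, "UsePIN", "REG_DWORD", "2", 10006, ""
        RegAdd sFVERegistryKey, "UseAdvancedStartup", "REG_DWORD", "1", 10006, ""

        '// Restart the MBAMAgent service so it picks up the configuration.
        For Each oService In oServices
            oService.StartService()
        Next

        '// Poll until manage-bde can enable protectors on C:, the signal that encryption has
        '// started. Progress is a percentage of the allowed iterations (was iLoopCount*4/20,
        '// which topped out at 4%).
        iLoopCount = 0
        sCmd = "manage-bde -protectors -enable c:"
        Do
            oLogging.ReportProgress "Waiting For Encryptiont to Start", (iLoopCount * 100) / iMaxWaitLoops
            oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
            WScript.Sleep 15000
            iRetVal = oUtility.RunWithHeartbeat(sCmd)
            TestAndLog iRetVal, "Execution: " & sCmd
            iLoopCount = iLoopCount + 1
        Loop Until iRetVal = 0 Or iLoopCount >= iMaxWaitLoops
        '// Report a timeout only when the final attempt still failed (the original also logged one
        '// when the last iteration succeeded). Logged rather than fatal, matching prior behaviour.
        If iRetVal <> 0 Then
            TestAndLog 10008, "Timeout: Encryption did not start"
        End If
        oLogging.ReportProgress "Encryptiont Started", 100
        oLogging.CreateEntry "Encryptiont Started", LogTypeInfo

        '// Windows To Go: add a passphrase protector from OSDBitLockerPIN. The value is a
        '// secret and is deliberately never written to the log.
        If bWindowsToGo And oEnvironment.Item("OSDBitLockerPIN") <> "" Then
            For Each oDisk In GetObject("winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption"). _
                    ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:'",,48)
                iRetVal = oDisk.ProtectKeyWithPassphrase("", oEnvironment.Item("OSDBitLockerPIN"))
                TestAndFail iRetVal, 10006, "ProtectKeyWithPassphrase"
            Next
        End If

        '// Remove the deployment-time MBAM values and the temporary protector policy.
        For i = 0 To UBound(aRemoveMBAMRegistryValues)
            RegDelete sMBAMRegistryKey, aRemoveMBAMRegistryValues(i), _
                      10009, "Removing Registry value: " & aRemoveMBAMRegistryValues(i)
        Next
        RegDelete sFVERegistryKey, "UseTPM", 10006, ""
        RegDelete sFVERegistryKey, "EnableBDEWithNoTPM", 10006, ""
        RegDelete sFVERegistryKey, "UsePIN", 10006, ""
        RegDelete sFVERegistryKey, "UseAdvancedStartup", 10006, ""

        '// Suspend protection until reboot (1511 and later only). Non-fatal, as before.
        If iBuildNumber >= iXtsMinBuild Then
            sCmd = "manage-bde -protectors -disable c:"
            iRetVal = oUtility.RunWithHeartbeat(sCmd)
            TestAndLog iRetVal, "Execution: " & sCmd
        End If

        Main = Success
    End Function

    '// Build number of the running OS as a Long; 0 when WMI returns nothing numeric.
    Private Function GetOSBuildNumber()
        Dim colOS, objOS
        GetOSBuildNumber = 0
        Set colOS = objWMI.ExecQuery("Select BuildNumber from Win32_OperatingSystem")
        For Each objOS In colOS
            If IsNumeric(objOS.BuildNumber) Then GetOSBuildNumber = CLng(objOS.BuildNumber)
        Next
    End Function

    '// True for the EncryptionMethod values this script accepts on Windows 10 1511 and later.
    Private Function IsSupportedEncryptionMethod(sMethod)
        Select Case sMethod
            Case "3", "4", "6", "7"
                IsSupportedEncryptionMethod = True
            Case Else
                IsSupportedEncryptionMethod = False
        End Select
    End Function

    '// Prefer the sysnative alias (native reg.exe when the script host is a 32-bit process on
    '// 64-bit Windows); fall back to system32.
    Private Function LocateRegExe()
        Dim sSysnative
        sSysnative = oShell.ExpandEnvironmentStrings("%SystemRoot%\sysnative\reg.exe")
        If oFSO.FileExists(sSysnative) Then
            LocateRegExe = sSysnative
        Else
            LocateRegExe = oShell.ExpandEnvironmentStrings("%SystemRoot%\system32\reg.exe")
        End If
    End Function

    '// Run a reg.exe command line with a heartbeat; aborts with iErrorCode when it returns
    '// non-zero. sDescription is the log text; when empty, the command line itself is logged.
    Private Sub RunRegCommand(sCmd, iErrorCode, sDescription)
        Dim iRetVal, sText
        sText = sDescription
        If sText = "" Then sText = "Execution: " & sCmd
        iRetVal = oUtility.RunWithHeartbeat(sCmd)
        TestAndFail iRetVal, iErrorCode, sText
    End Sub

    '// reg.exe ADD; the key and the data are both quoted on the command line.
    Private Sub RegAdd(sKey, sValueName, sType, sData, iErrorCode, sDescription)
        RunRegCommand sRegExe & " ADD """ & sKey & """ /v " & sValueName & " /t " & sType & " /d """ & sData & """ /f", _
                      iErrorCode, sDescription
    End Sub

    '// reg.exe DELETE of a single value.
    Private Sub RegDelete(sKey, sValueName, iErrorCode, sDescription)
        RunRegCommand sRegExe & " DELETE """ & sKey & """ /v " & sValueName & " /f", iErrorCode, sDescription
    End Sub

    '// TPM Management Functions

    '// Bind oTpm to the single Win32_Tpm instance. Returns Success, or Failure when the provider
    '// exposes no TPM instance. Provider/instance errors are raised through TestAndFail, which is
    '// relied on to inspect Err after On Error Resume Next (the ZTIUtility pattern used here).
    '// The original left the return value Empty on success; it is now an explicit Success.
    Function GetTpmInstance()
        Dim sConnection, oTpmWmi, colTpm
        GetTpmInstance = Success
        On Error Resume Next
        sConnection = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftTpm"
        Set oTpmWmi = GetObject(sConnection)
        TestAndFail SUCCESS, 6732, "Connect to MicrosoftTPM provider"
        '// There should either be 0 or 1 instance of the TPM provider class
        Set colTpm = oTpmWmi.InstancesOf("Win32_Tpm")
        If colTpm.Count = 0 Then
            oLogging.CreateEntry "Failed to find a TPM instance in the provider class.", LogTypeError
            GetTpmInstance = Failure
            Exit Function
        End If
        Err.Clear
        '// Get the single instance of the TPM provider class
        Set oTpm = oTpmWmi.Get("Win32_Tpm=@")
        TestAndFail SUCCESS, 6733, "Get a TPM instance in the provider class"
    End Function

    '// Check that the TPM is enabled, activated and owned (or ownership is allowed), taking
    '// ownership when allowed and not yet owned. Aborts via TestAndFail on any unmet
    '// precondition; returns Success otherwise.
    Function TpmValidate()
        Dim iRetVal

        '// Bind oTpm to a valid instance
        iRetVal = GetTpmInstance()
        TestAndFail iRetVal, 6734, "Get TPM Instance"

        '// Each helper fills one class-level flag and aborts on a WMI error.
        TestAndFail GetTpmEnabled(), 6735, "Check to see if TPM is enabled"
        TestAndFail GetTpmActivated(), 6736, "Check to see if TPM is activated"
        TestAndFail GetTpmOwner(), 6737, "Check to see if TPM is owned"
        TestAndFail GetTpmOwnershipAllowed(), 6738, "Check to see if TPM Ownership is allowed"
        Call GetEndorsementKeyPairPresent()   ' informational only; its result is not tested, as before

        oLogging.CreateEntry "TpmEnabled: " & bTpmEnabled, LogTypeInfo
        oLogging.CreateEntry "TpmActivated: " & bTpmActivated, LogTypeInfo
        oLogging.CreateEntry "TpmOwned: " & bTpmOwned, LogTypeInfo
        oLogging.CreateEntry "TpmOwnershipAllowed: " & bTpmOwnershipAllowed, LogTypeInfo
        oLogging.CreateEntry "EndorsementKeyPairPresent: " & bEndorsementKeyPairPresent, LogTypeInfo

        '// One check per state to allow future corrective action branching.
        TestAndFail bTpmEnabled, 6739, "Check to see if TPM is enabled"
        TestAndFail bTpmActivated, 6740, "Check to see if TPM is activated"
        TestAndFail (bTpmOwned Or bTpmOwnershipAllowed), 6741, "Check to see if TPM is owned and ownership is allowed"

        If bTpmOwned <> True And bTpmOwnershipAllowed = True Then
            If oEnvironment.Item("TpmOwnerPassword") <> "" Then
                oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo
                iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
                TestAndFail iRetVal, 6741, "TPM Owner Password set"
            ElseIf oEnvironment.Item("AdminPassword") <> "" Then
                oLogging.CreateEntry "TPM Ownership being intiated with AdminP@ssword (not TPMOwnerP@ssword).", LogTypeInfo
                iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
                TestAndFail iRetVal, 6742, "TPM Owner P@ssword set to AdminP@ssword"
            Else
                '// NOTE(review): shared, hard-coded fallback owner authorization in a published script.
                '// SetTpmOwner is currently a no-op (its body is commented out), so this value is
                '// never applied; if ownership is re-enabled this branch should fail instead of
                '// using a default that every reader of the script knows.
                oLogging.CreateEntry "TPM Ownership being intiated with Default p@ssword (not TPMOwnerP@ssword).", LogTypeInfo
                iRetVal = SetTpmOwner("M0nksH00d!4T3al")
                TestAndFail iRetVal, 6743, "Set TPM Owner P@ssword to value"
            End If
        End If

        TpmValidate = Success
    End Function

    '// Fill bTpmEnabled from Win32_Tpm.IsEnabled; aborts on a non-zero HRESULT.
    Function GetTpmEnabled()
        Dim iRetVal
        iRetVal = oTpm.IsEnabled(bTpmEnabled)
        TestAndFail iRetVal, 6744, "Check to see if TPM is enabled"
        oLogging.CreateEntry "Success TPM Enabled", LogTypeInfo
        GetTpmEnabled = Success
    End Function

    '// Fill bTpmOwned from Win32_Tpm.IsOwned; aborts on a non-zero HRESULT.
    Function GetTpmOwner()
        Dim iRetVal
        iRetVal = oTpm.IsOwned(bTpmOwned)
        TestAndFail iRetVal, 6745, "Check TPM Owner"
        oLogging.CreateEntry "Success TPM Is Owned", LogTypeInfo
        GetTpmOwner = Success
    End Function

    '// Fill bEndorsementKeyPairPresent from Win32_Tpm.IsEndorsementKeyPairPresent. The HRESULT
    '// is logged but not tested, so this never aborts and always returns Success.
    Function GetEndorsementKeyPairPresent()
        Dim iRetVal
        iRetVal = oTpm.IsEndorsementKeyPairPresent(bEndorsementKeyPairPresent)
        oLogging.CreateEntry "Check for Ensorsement Key Pair Present = " & iRetVal, LogTypeInfo
        GetEndorsementKeyPairPresent = Success
    End Function

    '// Fill bTpmActivated from Win32_Tpm.IsActivated; aborts on a non-zero HRESULT.
    Function GetTpmActivated()
        Dim iRetVal
        iRetVal = oTpm.IsActivated(bTpmActivated)
        TestAndFail iRetVal, 6747, "Check to see if TPM is activated"
        oLogging.CreateEntry "Success TPM Is Activated", LogTypeInfo
        GetTpmActivated = Success
    End Function

    '// Fill bTpmOwnershipAllowed from Win32_Tpm.IsOwnershipAllowed; aborts on a non-zero HRESULT.
    Function GetTpmOwnershipAllowed()
        Dim iRetVal
        iRetVal = oTpm.IsOwnershipAllowed(bTpmOwnershipAllowed)
        TestAndFail iRetVal, 6748, "Check to see if TPM Ownership is allowed"
        oLogging.CreateEntry "Success TPM Ownership Allowed", LogTypeInfo
        GetTpmOwnershipAllowed = Success
    End Function

    '// Take TPM ownership with sTpmOwnerPassword. Currently a NO-OP: every TPM call below is
    '// commented out, so it returns Success without touching the TPM, and the "ownership being
    '// initiated" log lines in TpmValidate do not mean ownership was taken. Kept as-is so the
    '// original sequence (convert to owner auth, create EK pair if missing, TakeOwnership)
    '// can be restored deliberately.
    Function SetTpmOwner(sTpmOwnerPassword)
        Dim iRetVal, oExec, sOwnerAuthDigest, sErrCode
        ' iRetVal = Failure
        On Error Resume Next
        '// Convert password to Digest
        ' iRetVal = oTpm.ConvertToOwnerAuth(sTpmOwnerPassword, sOwnerAuthDigest)
        ' TestAndFail iRetVal, 6749, "Convert owner p@ssword to owner authorization"
        '// Set owner
        ' If not bEndorsementKeyPairPresent then
        '     iRetVal = oTpm.CreateEndorsementKeyPair
        '     TestAndFail iRetVal, 6750, "Create endorsement key pair"
        ' End if
        ' iRetVal = oTpm.TakeOwnership(sOwnerAuthDigest)
        ' oLogging.CreateEntry "Starting owner authorization process on the TPM", LogTypeInfo
        ' TestAndFail iRetVal, 6751, "Change owner authorization"
        SetTpmOwner = Success
    End Function

End Class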
</script>
</job>