
Blog Posts tagged with KACE SMA


KACE SMA | Bitlocker

04/25/2019 added a compatibility matrix.

03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me create this.



OS Common Name          Build Version   Compatible
1507 (RTM) Pro & Ent    10240           No
1511 Pro & Ent          10586           No
1607 Pro & Ent          14393           No
1703 Pro & Ent          15063           No
1709 Pro & Ent          16299           Yes
1803 Pro & Ent          17134           Yes
1809 Pro & Ent          17763           Yes

Feel free to check the support status of your Windows 10 builds with this report: https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report


Hi all,

 

It has been a long time since I posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article you can download several individual KACE packages, or you can download all of them at once here: DOWNLOAD

If you need assistance importing these files into your KACE SMA, feel free to contact your local partner or your local sales rep, or have a look at this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources

 

First: these scripts are Windows 10 only and were tested with x64 1809 Pro and Enterprise. You also need a TPM module in your devices; it must be activated and the OS must be its owner (the default in Windows 10). You can double-check this in your KACE SMA device inventory.


 

My scenario is that Windows 10 devices should use BitLocker with AES-256 to encrypt the hard disk. The disk should be unlocked automatically by the TPM during boot (no password needed). If something goes wrong or the hardware changes, there should be a recovery key that can be entered. This key should be stored in KACE SMA, not in AD, and no GPO should be involved.

 

The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:


 

To start, we first create a smart label that groups all devices whose TPM module is ready for use with BitLocker and on which no encryption technology is in use yet. You can download the ready-to-use KACE package here: DOWNLOAD

 

TPM Based Bitlocker Ready



Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.

 

KACE SMA will now put all devices on which we can enable BitLocker into this label. A simple PowerShell command enables BitLocker and starts the encryption. It also adds a recovery password as a second key protector, which will be needed in case of hardware changes. You can run this on a daily schedule: devices that already have BitLocker enabled are not affected if you target the “TPM Based Bitlocker Ready” smart label shown above. You can download a ready-to-use KACE script here: DOWNLOAD

 

[TW] Bitlocker enable TPM  & Password

# Enable BitLocker on the OS drive with AES-256 and a TPM protector (no reboot hardware test)
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
# Give the volume a moment before adding the second protector
Start-Sleep -Seconds 15
# Add a numerical recovery password (48-digit key) as an additional key protector
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.


 

You can also check the current state in your KACE SMA device inventory.


 

Once the device has completed the encryption, it automatically falls out of the “TPM Based Bitlocker Ready” smart label. We now have an encrypted hard disk that is unlocked automatically by the TPM module during boot. Next we need a custom inventory to store all the key protector information in our SMA device inventory. This can be done with a simple custom inventory rule. You can download the ready-to-use KACE package here: DOWNLOAD

 

Inventory: Bitlocker Recovery

# Returns all key protectors (type, ID and recovery password) of every BitLocker volume
(Get-BitLockerVolume).KeyProtector


Good to know: devices that need the recovery key display a screen on which users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is, they can give you that ID and you can search for it in your KACE SMA device inventory or build a report for it.



 

If you want to be sure that clients always have a recovery password as a key protector, you can additionally create a smart label. It checks for the right key protectors after every inventory of the device and can be used to trigger a script that adds a recovery password protector. This is useful when admins change the configuration locally on the endpoints. The smart label can be downloaded here: DOWNLOAD


Bitlocker missing Protector


All clients which fall into this label can then run the following KACE script on a daily schedule. You can download the script here: DOWNLOAD


[TW] Bitlocker add protector

# Add a numerical recovery password as an additional key protector to the OS drive
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
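As an added example (my own code, not one of the KACE packages from this post), the following PowerShell script folds the two smart-label conditions and the two scripts above into a single idempotent run: it enables TPM-based AES-256 encryption only when the TPM is ready and the OS volume is still fully decrypted, adds a recovery password only when none exists, and then returns the protector list that the custom inventory rule collects. The $MountPoint and $EncryptionMethod parameters and the Get-OsVolumeState helper are my own names.

```powershell
# Added example (not from the post): idempotent BitLocker enforcement for the OS volume.
# Assumes Windows 10 1709+, the BitLocker and TrustedPlatformModule modules, and admin rights.
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$EncryptionMethod = 'Aes256'   # matches the scenario in the post
)

Import-Module BitLocker -ErrorAction Stop

# Summarise the volume the way the two smart labels evaluate it
function Get-OsVolumeState {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        VolumeStatus        = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        HasTpmProtector     = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

# Same precondition as the "TPM Based Bitlocker Ready" label: TPM present and ready
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output "TPM not present or not ready on this device; nothing changed."
    exit 1
}

$state = Get-OsVolumeState -MountPoint $MountPoint

# Step 1: enable only on a fully decrypted volume, so devices already encrypting are untouched
if ($state.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod `
        -TpmProtector -SkipHardwareTest | Out-Null
    Start-Sleep -Seconds 15
    $state = Get-OsVolumeState -MountPoint $MountPoint
}

# Step 2: add a recovery password only when missing (the "Bitlocker missing Protector" case),
# so a daily schedule never piles up duplicate protectors
if (-not $state.HasRecoveryPassword) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# Step 3: emit what the custom inventory rule stores: type, ID and the 48-digit recovery password
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword |
    Format-Table -AutoSize
```

Because every step checks the current state first, the script can be scheduled daily against all Windows 10 devices instead of relying on the smart labels to filter them.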


This is the basic setup you can use to manage hard disk encryption for your endpoints. You could also create a notification that alerts you when a device is missing BitLocker or has a wrong configuration. I hope this article helps you create your own KITLOCKER strategy. If anything is unclear, feel free to use the comment section.

 

Kind Regards

Timo

 


KACE UserKon 2018

KACE UserKon, the only conference dedicated exclusively to KACE users like you, is returning in May 2018! That’s why we’re seeking your input to influence the agenda. For example, do you want sessions on topics like:

 

  • Integrating and automating with LDAP?

  • Maximizing reporting?

  • Managing Windows 10 updates?

  • Managing your mobile devices?

  • Enhanced security and compliance?

 

Let us know in this 5-minute survey


We look forward to seeing you at KACE UserKon 2018!

  KACE IS BACK!


Please turn down the lights, that interface theme is just too bright!

Recently, as you may have noticed, KACE has released new versions of the appliances: K1000 KACE Systems Management Appliance (KSMA) 8.0 and K2000 KACE Systems Deployment Appliance (KSDA) 5.0. One of the changes delivered for both appliances is a new web UI theme color: bright white with splashes of orange for the logo and lines. For some users, how bright it is against the eyes has become a sensitive issue.

 

Fantastic feedback has been provided under the following UserVoice pages:

KACE Systems Management Appliance
KACE Systems Deployment Appliance

The great news is that an option for a darker theme is being planned for both appliances. Please continue to add your votes and comments to the UserVoice links above. Unfortunately, the enhanced feature will not arrive fast enough! What can we techies, who may have to work with huge monitors in a dark room, do in the meantime? Wear sunscreen lotion and shades??

 

Luckily, there are numerous workarounds available while we wait for the official release of the enhanced web UI theme. Below are some suggestions to try out, though definitely not an exhaustive list. Several browsers are mentioned, but not all. Keep in mind that at this time the KACE appliance web UI only supports Internet Explorer, Google Chrome and Mozilla Firefox. That does not mean other browsers will not work when accessing the KACE appliance, but you use them at your own risk. Unfortunately, I was unable to find an easy method to invert the colors for Internet Explorer or Microsoft Edge by itself; it was all (the whole desktop) or nothing. Below are some options with SIMPLE STEPS to invert the colors for a specific browser or for the entire operating system. Hopefully, this can be a useful resource for finding a temporary workaround.

 

Windows 10 operating system "Magnifier":

  • If you have serious issues with bright screens and your eyes just can't handle it, Microsoft offers the Magnifier option that is built into the operating system.
  • Magnifier includes different settings to help suit your needs. To get to them, select Start > Settings > Ease of Access > Magnifier. You can also press Windows logo key + Ctrl + M or select the Magnifier options button on the Magnifier toolbar.
  • It does not just invert the colors of the browser; it inverts the entire desktop color scheme. So it doesn't really matter which browser you end up using, as its colors will be inverted too. The look is pretty cool: you can easily check the box "Turn on color inversion" (in 1709 it is called "Invert colors") as a test to see what it looks like and uncheck it if you dislike it.


Google Chrome:

  • One of the most popular browsers used today, it has multiple methods to invert the color of the browser.


Scroll down to the bottom of the Extensions list and click on "Get more extensions" to open the Chrome Web Store.


In the search field, type "high contrast" and press Enter; this should display results for several color scheme/theme options. I just picked High Contrast (Google Accessibility), created by Google, which works well, but there are other options in the list you can try out.



After you click on ADD TO CHROME, an icon will appear on the upper right corner of the Chrome browser.

High Contrast will be enabled by default using the Inverted Color scheme.

Mozilla Firefox:

This browser has add-ons that invert colors; here is the link to one that I found works:

https://addons.mozilla.org/en-US/firefox/addon/invert-colors/

 

Opera:

While Opera is not an officially supported browser, I use as many different types of browsers as possible. Opera has a few add-on extensions, and this is the one that I found to work:

https://addons.opera.com/en/extensions/details/night-mode-2/?display=en

 

Vivaldi browser currently does not seem to have any extensions that can invert the color of the specific browser.



Ensuring Rock-Solid Unified Endpoint Management


How solid is your approach to unified endpoint management? Our own UEM solutions engineer Bruce Johnson is teaming up with Microsoft MVP Nathan O’Bryan to help you strengthen your strategy. In this whitepaper, you’ll learn best practices for managing all the devices connected to your infrastructure.

Nathan and Bruce will discuss:

  • Unified endpoint management and what it means
  • Considerations for consistent management of all your devices, including mobile device management
  • Potential pitfalls of combining management of diverse devices
  • Mobile device management software and mobile device management solutions



KACE UserKon 2018 - Register before 1/31 and get $300 off

Click the link below to get more information on the promo, registration, and the conference:
KACE UserKon, 2018