Table of Contents
Stop PowerShell from interacting with the BitLocker Application | Removing PowerShell's access to the BitLocker Module
BitLocker is a legitimate Windows feature, but PowerShell can also drive it, either through the BitLocker PowerShell module (Enable-BitLocker) or by launching manage-bde.exe, to encrypt your drives so that they are inaccessible after a reboot. The two procedures below block both routes: a Ringfencing policy stops PowerShell from calling the BitLocker application, and a Storage Policy stops it from loading the BitLocker module.
Stop PowerShell from interacting with the BitLocker Application
Through our Suggested Policies, you can prevent PowerShell from calling the BitLocker application.
Navigate to the ‘Modules’ dropdown, then select ‘Application Control’.
Select the ‘Policies’ tab in the top right corner of the page.
From the Policies page, open the hamburger menu at the top left of the page (it sits to the right of the ‘New Tag’ button). This opens the ‘Policy Management’ menu; from it, select ‘ThreatLocker Suggested Policies’.
Selecting this will open a pop-up window with all the ThreatLocker Recommended policies.
To apply a policy to a specific group, select the dropdown at the top of the page titled ‘Select target Organizations or Groups to insert selected policies’. For this example, we will be applying it to the entire organization. Select the dropdown, then select the desired organization(s) to apply this to.
Note: You can also select the dropdown arrows to the left of the organization names to select individual Computer Groups, or type the name of the individual workstation to apply the policy to only one machine.
Open the ‘Filter By’ dropdown and choose ‘Ringfence Templates’, then select ‘PowerShell (Ringfenced)’ from the list of suggested policies. Select the ‘Add 1 Suggested Policy’ button above the list of Ringfence templates. This creates a new policy for the organization, computer group, or computer you selected above.
After this, use the 'Deploy Policies' button at the top-right portion of the page to deploy your policies.
Once deployed, this Ringfencing policy prevents PowerShell from launching the BitLocker command-line application, so manage-bde.exe commands can no longer be run from a PowerShell session. Note that Ringfencing only governs what PowerShell itself may call; it does not touch the BitLocker cmdlets that PowerShell loads in-process, which is why the second procedure below is also required.
Removing PowerShell's access to the BitLocker Module
The Ringfencing policy above only controls which applications PowerShell may launch. The BitLocker PowerShell module (the cmdlets such as Enable-BitLocker) is not a separate application: PowerShell loads it from files in its own Modules folder. To close that route as well, you must also create a Storage Policy that denies access to the module's files.
Navigate to the ‘Modules’ dropdown, then select ‘Storage Control’.
Select the ‘New Policy’ button at the top left corner of the page to create a new policy.
This will open a ‘Create Storage Policy’ side panel.
Navigate to the ‘Details’ section and name your Storage Policy.
By default, the Storage Policy is set at the Entire Organization level; however, you can change it to apply to a global group, computer group, or individual computer.
Within the ‘Conditions’ section, confirm that the policy is set to ‘Read/Write’, then select ‘Selected File Paths’ so that specific file paths can be entered.
When ‘Selected File Paths’ is chosen, an area to enter specific file paths will appear. Enter the following into the text box and select 'Add':
c:\windows\system32\windowspowershell\v1.0\modules\bitlocker\*
Within the ‘Actions’ section, be sure to switch the policy from ‘Permit’ to ‘Deny’. Once this has been changed, select ‘Create’ at the bottom of the page.
Deploy policies once this is completed.
Once deployed, this policy prevents PowerShell from reading, and therefore importing, the BitLocker module, so its cmdlets are no longer available from a PowerShell session. Apply it alongside the Ringfencing policy from the first section; each closes only one of the two routes.
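The following script is an added verification example, not part of this article or of ThreatLocker's own tooling. Run it in an elevated Windows PowerShell session on a test computer that has received both policies; it confirms that the module folder can no longer be read, that the BitLocker module can no longer be imported, and that PowerShell can no longer launch manage-bde.exe. Every check is read-only (manage-bde is only invoked with -status, which reports volume state and changes nothing). The module path matches the one entered in the Storage Policy above; the table layout and exit codes are this script's own conventions.

```powershell
# Added verification script (not from the ThreatLocker article). Run elevated on a
# test machine that has both the Ringfencing and the Storage policies deployed.
# Nothing here encrypts or modifies a volume.

$modulePath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\Modules\BitLocker'
$manageBde  = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
$results    = @()

function Add-Result {
    param([string]$Check, [bool]$Blocked, [string]$Detail)
    $script:results += [pscustomobject]@{ Check = $Check; Blocked = $Blocked; Detail = $Detail }
}

# 1. Storage Control: listing the module folder should be denied.
try {
    $files = Get-ChildItem -Path $modulePath -ErrorAction Stop
    Add-Result 'Read BitLocker module folder' $false "Listed $($files.Count) file(s)"
} catch {
    Add-Result 'Read BitLocker module folder' $true $_.Exception.Message
}

# 2. Storage Control: importing the module must fail, since it is loaded from that folder.
#    Drop any copy already in this session so the import really goes back to disk.
Get-Module BitLocker | Remove-Module -Force -ErrorAction SilentlyContinue
try {
    Import-Module BitLocker -Force -ErrorAction Stop
    $cmd = Get-Command Enable-BitLocker -ErrorAction Stop
    Add-Result 'Import-Module BitLocker' $false "Enable-BitLocker resolved from $($cmd.Module.Path)"
} catch {
    Add-Result 'Import-Module BitLocker' $true $_.Exception.Message
}

# 3. Ringfencing: PowerShell launching manage-bde.exe should be refused.
#    With ErrorActionPreference = Stop, a "failed to run" error becomes an exception.
try {
    $ErrorActionPreference = 'Stop'
    $null = & $manageBde -status
    if ($LASTEXITCODE -eq 0) {
        Add-Result 'Launch manage-bde.exe from PowerShell' $false 'manage-bde -status ran and exited 0'
    } else {
        # A non-zero exit can also mean the session is not elevated; inspect before trusting it.
        Add-Result 'Launch manage-bde.exe from PowerShell' $true "manage-bde exited with code $LASTEXITCODE"
    }
} catch {
    Add-Result 'Launch manage-bde.exe from PowerShell' $true $_.Exception.Message
} finally {
    $ErrorActionPreference = 'Continue'
}

$results | Format-Table -AutoSize

# Exit 1 if any route is still open, so the script can be used from a scheduled check.
if ($results | Where-Object { -not $_.Blocked }) {
    Write-Warning 'At least one BitLocker route is still reachable from PowerShell; confirm both policies are deployed to this computer.'
    exit 1
}
exit 0
```

Run the script before deploying the policies as well: all three rows should then show Blocked = False, which proves the checks themselves work and that any later "Blocked" result is the policies taking effect rather than a broken test machine. If only one row flips after deployment, the other policy has not reached that computer or is scoped to a different group.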