TABLE OF CONTENTS

|

Bitlocker can be used to encrypt your drives from PowerShell, leaving you unable to access them after a reboot. 


STOP POWERSHELL FROM INTERACTING WITH THE BITLOCKER APPLICATION

Through our Suggested Policies, you can prevent PowerShell from calling the BitLocker application. 

Navigate to the ‘Modules’ dropdown, then select ‘Application Control’. 

 

 Select the ‘Policies’ tab in the top right corner of the page. 

 

From within the policies page, navigate to the hamburger menu on the top left side of the page. This can be found to the right of the ‘New Tag’ button. Once this button is selected, a ‘Policy Management’ menu will open. From here, select the option labeled ‘ThreatLocker Suggested Policies’. 



Selecting this will open a pop-up window with all the ThreatLocker Recommended policies. 



To apply a policy to a specific group, select the dropdown at the top of the page titled ‘Select target Organizations or Groups to insert selected policies’. For this example, we will be applying it to the entire organization. Select the dropdown, then select the desired organization(s) to apply this to. 

> Note: You can also select the dropdown arrows to the left of the organization names to select individual Computer Groups, or type the name of the individual workstation to apply the policy to only one machine. 

Select the ‘filter By’ dropdown and select ‘Ringfence Templates’, then select ‘PowerShell (Ringfenced)' from the list of suggested policies. Once done, select the ‘Add 1 Suggested Policy’ button above the list of Ringfenced templates. This will create a new policy for the organization, computer group, or computer under which you choose to permit the policy.  

After this, use the 'Deploy Policies' button at the top-right portion of the page to deploy your policies.

 

This will prevent PowerShell from calling the Application and running the manage-bde.exe commands. 


REMOVING POWERSHELL'S ACCESS TO THE BITLOCKER MODULE 

In addition to the above Ringfencing policy, you must create a Storage Policy to remove access to the Bitlocker PowerShell module and the Enable-Bitlocker commands. 

Navigate to the ‘Modules’ dropdown, then select ‘Storage Control’. 

  

Select the ‘New Policy’ button at the top left corner of the page to create a new policy. 

 

This will open a ‘Create Storage Policy’ side panel. 

 

Navigate to the ‘Details’ section and name your Storage Policy. 

 

By default, the Storage Policy is set at the Entire Organization level; however, you can change it to apply to a global group, computer group, or individual computer.

 

Within the conditions section, confirm that it is set to ‘Read/Write’, then select the ‘Selected File Paths’ option so that specific file paths can be entered. 

 

When ‘Selected File Paths’ is chosen, an area to enter specific file paths will appear. Enter the following into the text box and select 'Add': 

c:\windows\system32\windowspowershell\v1.0\modules\bitlocker\* 

 

 

Within the ‘Actions’ section, be sure to switch the policy from ‘Permit’ to ‘Deny’. Once this has been changed, select ‘Create’ at the bottom of the page. 

 

Deploy policies once this is completed. 

 

This will now prevent PowerShell from gaining access to the BitLocker module.

Preventing BitLocker from being Weaponized

Preventing the Exploitation of CVE-2023-23397

Microsoft Peer-to-Peer Updates

ThreatLocker Endpoint Security Quality Guarantee

Eaglesoft and ThreatLocker Computers Not Checking In

Applying Policies to Users or Active Directory Groups

Blocking and Permitting USB Drives

Computer failing to update

Create a Computer Group that does not learn

Creating a New Administrator

Default Computer Group Policies

Deploying Policies

Diagnosing an Application with an issue

Email Parsing Rules in ConnectWise Manage

Excluded Processes

Getting your Unique Identifier from ThreatLocker

Hermetic Wiper: ThreatLocker Recommended Policy

Log4J Vulnerability

Managing Application Definitions

Managing Application Policies

Merging Application Definitions

Notifications for Requests

Permitting All Signed Files in a Directory

Permitting Blocked Files

Restarting the ThreatLocker Agent

Setting the ThreatLocker Agent Update Channel 

Setting Up SMS Alerts for ThreatLocker Requests

Setting up the Active Directory Sync Service

ThreatLocker Application Control Agent Data Collection

ThreatLocker Override Codes

ThreatLocker Popup is not happening when something is blocked

ThreatLocker Stub Installer

Trusting an Application by a Certificate

Uninstalling the ThreatLocker Agent

Uninstalling the ThreatLocker Agent on Windows XP 

Updating the ThreatLocker Version on a Single Computer

User Permissions 

Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool

Using the Console App to Verify the ThreatLocker MAC Agent is Running

Why is an application that matches a built-in application being blocked?

Windows 11 Upgrade and ThreatLocker 

ThreatLocker Security and Privacy

Trial Expiry

The ThreatLocker Testing Environment

Allowing ThreatLockerService to Retrieve your AD Groups

Customer Deal Registration

ThreatLocker Mitigation and GoAnywhereMFT Zero-Day Exploit

Rubber Ducky Data Exfiltration | Google Bucket

Preventing the Exploitation of MOVEit Vulnerability (CVE-2023-34362)

Changes to Elevation in ThreatLocker Version 8.2

Browser Extensions Affecting the ThreatLocker Testing Environment

Retrieving Your Computer ID

ThreatLocker Agent Tray

Protecting Fileservers While Allowing Remote Machines to Access Shared Files



Browser Extensions Affecting ThreatLocker Portal Performance

How to Use .NET Regex Within ThreatLocker

SSL Inspection

ThreatLocker Health Center and Health Report

Portal 2.0.1 Maintenance Mode Permission Changes

Guide to the TLProxyTester Application

Configuring Defender Virus & Protection Settings using Configuration Manager

Controlling Access to M365 Resources Using Conditional Access and Named Locations

Preventing BitLocker from being Weaponized

Table of Contents

Stop PowerShell from interacting with the BitLocker Application

Removing PowerShell's access to the BitLocker Module