Remotely Encrypting and Locking Laptops for Rogue Employees

I have a client that has a couple of staff who are “loose cannons” and he’s asked me to “quietly” implement the ability to encrypt and lock all the local accounts on these 2 computers. It has to be without their knowledge because he is thinking of firing them and is sure they will steal the laptops and more importantly the data on them. He wants to call me, I flick the switch and it’s all done within a couple of minutes.

He wants to make sure that those laptops are unusable in any way to them if they do decide to steal them but usable to him should they do the right thing and return them.

Could someone please point me in the direction of the best way to do this?

I was thinking of turning on Maintenance Mode, then activating BitLocker (PowerShell Enable-BitLocker) beforehand, sending the key to a Syncro custom field and giving it a couple of days to sort itself out. Then if required, lock all the local accounts when the client asks except an admin account we add.

Am I thinking too simply? We haven’t really implemented encryption or even anything of this nature for any clients on local drives as it hasn’t been required so I am lacking confidence in doing this properly and worried I’ll render them doorstops. Will BitLocker require local interaction? Is there a better way?

They are Windows 11 Pro.

Any assistance would be most appreciated.

You’re probably on the right track. I would definitely roll out BitLocker to the machines and make sure the keys are backed up, then you can use a simple script to clear BitLocker keys and force shutdown.

# Walk every BitLocker volume on the machine
foreach ($MountPoint in (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint -Unique)) {
    $KeyProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    # Remove every key protector (TPM, recovery password, passphrase, ...) on the volume
    foreach ($KeyProtector in $KeyProtectors) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $KeyProtector.KeyProtectorId
    }
}
# Reboot immediately so the volume is locked and no current session survives
shutdown -r -t 0 -f

This does not actually make the computer useless, it just requires wiping or replacing the hard drive. I think there may be some BIOS-level LoJack options that would potentially allow you to lock the laptop at the hardware level if it ever came online that may be worth looking into and suggesting to your client if the BitLocker solution doesn’t quite cover the bases.


If it’s a Dell and you have Command | Update, you can also remotely set BIOS options via scripting… A lot of enterprise-class devices have utils like this for Lenovo, Dell, etc.

I think the solution Jordan mentioned is good and cloud backup of the files would also be pretty reasonable… that way you trickle the files upstream and maybe only lose a day or so… even if they don’t return the notebooks… depends on how involved they want to get and the value of the data.


Thank you Jordan, really appreciate the response and the time to write that script.

Sorry I wasn’t perfectly clear, and the tactic has changed a little at my prompting to something more subtle. We want it to look like a technical issue; I suggested having them bring the machines into the office for repair and checking them out while we have them. He wants to protect possible evidence or even restore the laptop to use for them should either of them prove to be innocent or whistleblow on the other. So the drives must be able to be unencrypted, accounts re-enabled and recovered into their former state exactly. But it still must be encrypted should they see through the ruse or get nervous and just bolt.

So to the consultants it should look like their account has been locked (I suggested telling them too many bad password attempts, probably a hacker trying to get in but failing), my client will plead ignorance and ask them to bring it in to me, we will then unlock the accounts and check out what’s going on, image the machines, then return them and he will make a decision later.

They are HP laptops, so locking them at BIOS level may be another way to handle it: just a BIOS-level password that can’t be bypassed or overwritten instead of locking local accounts from Windows. Would still need to encrypt the data though.

It’s all very complicated, glad I’m not in his situation.

Yep, so Bitlocker sounds like the way to go for data protection still. Do you have what you need for pushing that out in a script and backing up to Syncro?

Then you just need to prep a script to lock out all user accounts, plus the one I pasted above. User account lockout should work to get the laptop brought in, but have the BitLocker lock script ready to go once you know you have the key backed up.

PS: if you back up the keys to an asset custom field, make sure the asset is not assigned to the current user. There is some ticket workflow where all asset custom fields will be emailed to the assigned user.
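An added example (not a script from this thread or from Syncro) of the reversible lockout being discussed: with -Mode Lock it pushes the recovery password to the BitlockerKey custom field, records which local accounts were enabled, disables all of them except an admin you keep, and forces BitLocker recovery at the next boot; with -Mode Unlock it re-enables exactly those accounts and puts the TPM protector back. It assumes BitLocker is already on C: with a plain TPM protector, a local admin named LockoutAdmin exists, and the Syncro module exposes a Set-Asset-Field cmdlet for asset custom fields (assumed here).

```powershell
# Added example: reversible lockout. Run with -Mode Lock to lock; log in as the kept admin and run -Mode Unlock to restore.
# Assumptions: BitLocker already enabled on C: with a TPM protector; local admin "LockoutAdmin" exists;
# Set-Asset-Field is the Syncro module cmdlet that writes an asset custom field (assumed).
param(
    [Parameter(Mandatory)][ValidateSet('Lock', 'Unlock')][string]$Mode,
    [string]$KeepAdmin = 'LockoutAdmin',
    [string]$StateFile = "$env:ProgramData\lockout-state.json"
)
Import-Module $env:SyncroModule -ErrorAction SilentlyContinue

if ($Mode -eq 'Lock') {
    # 1. Make sure C: has a recovery password protector and get the key off the box BEFORE locking anything
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    if (Get-Command Set-Asset-Field -ErrorAction SilentlyContinue) {
        Set-Asset-Field -Name 'BitlockerKey' -Value ($rp.RecoveryPassword -join ' ')
    } else { throw 'No way to back up the recovery password; refusing to lock' }

    # 2. Record exactly which local accounts are enabled right now, then disable all but the kept admin
    $enabled = @(Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne $KeepAdmin } |
                 Select-Object -ExpandProperty Name)
    ConvertTo-Json -InputObject $enabled | Set-Content -Path $StateFile
    foreach ($name in $enabled) { Disable-LocalUser -Name $name }

    # 3. Force recovery at next boot. This removes the TPM protector, so only the backed-up key unlocks C:
    manage-bde.exe -forcerecovery C: | Out-Null
    shutdown.exe /r /f /t 30 /c "This computer is being secured and will restart in 30 seconds."
}
else {
    # Undo step 2 exactly: only the accounts that were enabled before the lock get re-enabled
    foreach ($name in @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)) { Enable-LocalUser -Name $name }
    Remove-Item -Path $StateFile -Force
    # Undo step 3: put the TPM protector back so the laptop boots without the recovery key again
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector | Out-Null
    }
}
```

Unlock has to be run after someone has typed the recovery password at the BitLocker screen and signed in as the kept admin; the state file holds only account names, never the key.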

I believe so, I’m more of a customer manager than a tech, struggling to get good tech staff at the moment but it’s time to pull the gloves off and get my hands dirty :wink: I coded in COBOL in the 80s so I’m sure a little PowerShell won’t kill me :wink:

I have downloaded the community scripts around BitLocker and created a custom field in Syncro for each asset called “BitlockerKey”. I will complete the script from those examples and then test on a machine here. Once I have established I can lock down and then unlock to original state, I’ll release it to their machines.

Thanks so much for confirming I was looking in the right place, nice to know I’m not completely missing the point ;).

EDIT: Also thanks for the tip about the workflow, thankfully we don’t have much automated email communications from Syncro apart from a follow up survey and internal notifications. I have some trust issues, particularly since I can’t for the life of me stop messages from Syncro going into spam or get the Leads module to work as it should, just makes more work for me than solves and I don’t have time.

Sounds good, if you run into any issues with your scripting feel free to post back.

Also not exactly sure what you want the Leads module to do for you, but if you make a post about what issues you’re having someone can probably give you some pointers on whether it can do what you are looking for.

The laptops will be usable by replacing the drive.

Here’s another lockout script. Super dirty but worked for me when I needed it. You need to drop ntrights.exe to c:\temp. ntrights is an ancient utility from the 2003 Resource Kit. The script changes the BitLocker password to hunter2, then tries to enable BitLocker as well as adding the “Users” group to the “Deny log on locally” right so only an admin can log in. The script is made for Syncro but the only thing it uses its module for is to send email.

Import-Module $env:SyncroModule

# Start the shutdown sequence with a nice message (30 second grace period, so everything below has to finish inside it)
cmd.exe --% /c shutdown /s /f /t 30 -c "This computer is being secured for shipping. Please send the computer back as soon as possible. Thank you."

# Wipe cached logons so nobody can sign in offline with a cached password
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d "0" /f

# Create temp directory (ntrights.exe must already have been dropped there)
cmd.exe --% /c if not exist "c:\temp" mkdir "c:\temp"

# Read the recovery password straight from the key protectors; no need to write the key to disk
[string] $bitlockerkey = ((Get-BitLockerVolume -MountPoint C).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# No need to rush
Start-Sleep -Seconds 5

# Change the BitLocker passphrase (KeyProtectorType 8 = passphrase); skipped if the volume has no passphrase protector
$Volume = Get-CimInstance -Namespace root/CIMV2/Security/MicrosoftVolumeEncryption -ClassName Win32_EncryptableVolume -Filter 'DriveLetter="C:"'
$Protector = (Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = 8 }).VolumeKeyProtectorID | Select-Object -First 1
if ($Protector) {
    Invoke-CimMethod -InputObject $Volume -MethodName ChangePassPhrase -Arguments @{ VolumeKeyProtectorID = $Protector; NewPassphrase = 'hunter2' }
}

# Lock out the system volume if BitLocker is in fact enabled: next boot goes straight to the recovery screen
cmd.exe --% /c manage-bde -forcerecovery c:

# Add "Users" group to "Deny log on locally" as a 2nd layer of protection. Create a 2nd script with the "-r" switch to undo this, or remove it manually in gpedit.msc after logging in as admin
cmd.exe --% /c c:\temp\ntrights.exe +r SeDenyInteractiveLogonRight -u Users

# OPTIONAL - send an email with the BitLocker key; I had this send emails to a Teams channel
#Send-Email -To "admin@company.com" -Subject "$env:computername computer has been locked" -Body "If the computer has Bitlocker enabled here's the decryption key: $bitlockerkey. Or you can use this Bitlocker password: hunter2"

Thank you everyone for your assistance, really appreciate it.

For next time, would it be just as effective to turn on BitLocker with a PIN? I know TPM is on because they are Windows 11. There would be more code than below because I would also turn on TPM, clear the auth, check for the new key and write both the PIN and the BitLocker key to Asset Custom Fields, but I’m trying to build more knowledge around BitLocker and best practices.

# Sample startup PIN; without a policy override BitLocker requires at least 6 digits, so a 4-digit PIN is rejected
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint c: -Pin $SecureString -TPMandPinProtector

Being HP laptops, I could also add an admin password to the BIOS using their remote BIOS config utility but I would look at BIOS options on a case by case basis, due to different vendors.
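As an added example (not the thread’s code) of the rollout the question sketches, with the checks a script pushed from the RMM should make: the PIN length rule, a TPM readiness check, and the recovery password added as a second protector in its own call, since Enable-BitLocker accepts only one protector per call. It assumes the Syncro module exposes Set-Asset-Field (assumed) and that custom fields named BitlockerKey and BitlockerPIN exist.

```powershell
# Added example: TPM+PIN rollout with a separately added recovery password, both written to Syncro custom fields.
# Assumptions: running elevated from the RMM, $Pin supplied by the caller, Set-Asset-Field is the Syncro
# module cmdlet for asset custom fields (assumed), and the fields "BitlockerKey" and "BitlockerPIN" exist.
param([Parameter(Mandatory)][string]$Pin)
Import-Module $env:SyncroModule -ErrorAction SilentlyContinue

# Without a policy override BitLocker rejects startup PINs shorter than 6 digits (maximum 20)
if ($Pin -notmatch '^\d{6,20}$') { throw 'PIN must be 6-20 digits' }

# Windows 11 requires a TPM, but it still has to be present and ready before a TPM protector can be added
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Enable-BitLocker takes exactly one protector per call, so the TPM+PIN protector goes here...
    $secPin = ConvertTo-SecureString $Pin -AsPlainText -Force
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest `
        -Pin $secPin -TpmAndPinProtector | Out-Null
}
# ...and the recovery password is added as a second, separate protector
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}
$key = ((Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword -join ' '

# The PIN cannot be read back from BitLocker, so store it alongside the recovery password
Set-Asset-Field -Name 'BitlockerKey' -Value $key
Set-Asset-Field -Name 'BitlockerPIN' -Value $Pin
```

Jordan’s point about the asset not being assigned to the current user applies to both fields, since the PIN is as sensitive as the key.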
