DataLocker PortBlocker

Mass Deployment 1.0



Installation

The portblocker_setup.exe installer deploys three components to the target workstation: a device driver, a Windows service, and a Windows application that the user can interact with. Installation requires local admin privileges, and running the installer as the system account is recommended to avoid UAC prompts. When calling the installer, the /S switch can be used for a silent installation on new installs. Once PortBlocker is installed, all mass storage type devices will be blocked. Deployment can be done with a simple login script, like the example below, or with third-party tools. It is important that Windows 7 deployments are validated against Microsoft Security Advisory 3033929 so that the SHA256 certificate of the driver is recognized. The KB2921916 hotfix is also required for silent deployments on Windows 7 so that the DataLocker certificate is trusted.


Registration

Registration is needed before devices can be whitelisted. When registration parameters are successfully passed to the installer, PortBlocker will automatically register after installation. The switches used for registration are as follows:


/url <SafeConsoleConnectionToken>: the SafeConsole connection token

/eula 1: Accept the end user license agreement on behalf of the user

/user <UniqueToken>: OPTIONAL, register the PortBlocker Install to a specific user already in SafeConsole. 


It is recommended that the SafeConsole Server be configured with both unique token and admin approval disabled. This will allow a simple registration process for the end user.  



Requirements

Windows 10 and Windows 7

SafeConsole Connection Token, ex: https://server.safeconsolecloud.io/connect

Public server share to host installer, ex: \\nas\share\portblocker_setup.exe

Windows 7 only

KB3033929 and KB2921916 hotfixes installed

DataLocker Code Signing Cert in Trusted Publishers - Use the instructions provided by Microsoft to install DataLocker's certificate into the Trusted Publishers store on all Windows 7 computers before attempting deployment, to avoid additional pop-ups during install.


Example

Save this PowerShell script, then link it to a group policy by going to Group Policy -> Computer Configuration -> Windows Settings -> Scripts -> Startup. User login scripts are also possible.


# IMPORTANT note for Windows 7 deployments
# Please verify that both KB3033929 and KB2921916 are installed.
# These hotfixes allow SHA2-signed device drivers and fix remembering the trusted publisher, respectively.
# Both are needed for silent deployments.
# This example script is intended for local execution by means of a login-type script.

# Location of exe, such as a public network share
Set-Variable -Name "installer" -Value "\\nas\share\portblocker_setup.exe"

# SafeConsole Connection URL
Set-Variable -Name "safeConsoleURL" -Value '"https://server.safeconsolecloud.io/connect"'

# Manually specify which version to update to. This can be found by right clicking on the installer exe and 
# clicking properties and going to details. Example String would be "1.0.0.99". If not defined, this script will
# automatically pull the version number from the installer, this can slow down execution and is not recommended for
# remote deployments or login scripts that execute each time. 
Set-Variable -Name "installerVer" -Value ""


If ((Get-WmiObject Win32_OperatingSystem).OSArchitecture -eq '64-bit') 
{ 
  $installedLocation = "C:\Program Files (x86)\DataLocker\PortBlocker\client\PortBlocker.exe"
}
Else 
{ 
  $installedLocation = "C:\Program Files\DataLocker\PortBlocker\client\PortBlocker.exe" 
}

# Already installed: upgrade only when the installer is newer than the installed client
if (Test-Path $installedLocation)
{
  $currentVer = ((Get-Command $installedLocation).Version)
  if ($installerVer -eq "") {$installerVer = ((Get-Command $installer).Version)}
  if ([Version]$installerVer -gt $currentVer) {Start-Process $installer -ArgumentList "/S /eula 1 /url $safeConsoleURL"}
}
Else
{
    # New install on Windows 10: no extra prerequisites
    if( [System.Environment]::OSVersion.Version.Major -eq 10 )
    {
        Start-Process $installer -ArgumentList "/S /eula 1 /url $safeConsoleURL"
    }
    Else
    {
        # Windows 7: install silently only when the DataLocker certificate is in
        # Trusted Publishers and the KB2921916 hotfix is present
        $cert1 = Get-ChildItem -Path cert:\LocalMachine\TrustedPublisher | Where-Object {$_.Thumbprint -eq "BBB206ABFB9DFE22EFF2696DBB1CAA8DB27D2893"}
        $hotfix1 = Get-HotFix -Id KB2921916 -ErrorAction SilentlyContinue
        if ($hotfix1 -and $cert1)
        {
            Start-Process $installer -ArgumentList "/S /eula 1 /url $safeConsoleURL"
        }
    }
}
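
The pre-flight check below is an added example, not DataLocker's script: because the installer is pulled from a network share and run with elevated rights, it verifies the installer's Authenticode signature and, on Windows 7, the prerequisites listed under Requirements before starting the silent install. The helper name Test-PortBlockerPreflight is hypothetical, and the check assumes the installer is signed with the same certificate whose thumbprint the script above looks up in Trusted Publishers.

```powershell
# Added example, not DataLocker's code: pre-flight checks before the silent install.
# Assumption: the installer is signed with the certificate whose thumbprint the
# script above looks up in Trusted Publishers. Confirm against your own copy.
$installer      = "\\nas\share\portblocker_setup.exe"
$safeConsoleURL = '"https://server.safeconsolecloud.io/connect"'
$expectedThumb  = "BBB206ABFB9DFE22EFF2696DBB1CAA8DB27D2893"

function Test-PortBlockerPreflight {   # hypothetical helper name
    param([string]$Path, [string]$Thumbprint)
    $failures = @()

    # 1. The file must carry a valid Authenticode signature from the expected signer
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $failures += "signature status is '$($sig.Status)'"
    }
    if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $failures += "signer certificate does not match the expected thumbprint"
    }

    # 2. Windows 7 only: both hotfixes and the Trusted Publishers entry.
    #    Get-HotFix matches by ID, so a superseding rollup would be reported as missing.
    if ([System.Environment]::OSVersion.Version.Major -lt 10) {
        foreach ($kb in 'KB3033929', 'KB2921916') {
            if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
                $failures += "$kb is not installed"
            }
        }
        $cert = Get-ChildItem -Path cert:\LocalMachine\TrustedPublisher |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { $failures += "DataLocker certificate is not in Trusted Publishers" }
    }
    return ,$failures   # unary comma keeps an empty array from collapsing to $null
}

$problems = Test-PortBlockerPreflight -Path $installer -Thumbprint $expectedThumb
if ($problems.Count -eq 0) {
    Start-Process $installer -ArgumentList "/S /eula 1 /url $safeConsoleURL"
} else {
    # Do not install; surface each failed check so the gap can be fixed
    $problems | ForEach-Object { Write-Warning "PortBlocker pre-flight: $_" }
}
```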