
Bitlocker Information from Altiris 7.x

Created: 10 Apr 2013 | 3 comments
Posted by JAunmc

There are two parts to this guide: getting the BitLocker status of each drive into Altiris, and getting the recovery key into Altiris. Both are custom inventories, so each part starts with creating a custom data class.

Let's start with the expanded BitLocker status. I had found an article on this site before that would give you the protection status only, which was useful, but I wanted more information. The custom data class I use has 7 columns:

[Image: expanded bitlocker dadta class.jpg]

I then used the script below to gather the information for all disks in the system. Make sure to replace the GUID below with the one from your custom data class:

' Custom inventory script: gathers BitLocker status for every encryptable volume on the machine
' and posts it to the Notification Server using the Altiris NSE component
'===================================================================================================================
'      On Error Resume Next

' Create instance of the WMI service object and connect to the BitLocker namespace
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMv2\Security\MicrosoftVolumeEncryption")

' Fire WMI query (all volumes; use the commented line instead to limit it to C:)
Set objCIMObj = objWMIService.ExecQuery("select * from Win32_EncryptableVolume",,48)
'Set objCIMObj = objWMIService.ExecQuery("Select * from Win32_EncryptableVolume " & "Where DriveLetter = 'C:'")

'===================================================================================================================

' Create instance of Altiris NSE component
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")

' Set the header data of the NSE
' Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

' Create Inventory data block. The data class with the GUID below must already be configured on the server;
' replace it with the GUID of your own custom data class
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("{dd92d9ec-861d-4879-8af3-8b6cf9deb510}")

Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

' Lookup tables: the index is the numeric code returned by Win32_EncryptableVolume
Dim arEncryptionMethod
arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256")

Dim arProtectionStatus
arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")

Dim arConversionStatus
arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")

Dim arLockStatus
arLockStatus = Array("Unlocked", "Locked")

' Translate a code to its name. Codes outside the table (newer Windows versions add values)
' are reported as "Unknown (n)" instead of raising a "Subscript out of range" error
Function Lookup(arr, idx)
    If Not IsEmpty(idx) And idx >= 0 And idx <= UBound(arr) Then
        Lookup = arr(idx)
    Else
        Lookup = "Unknown (" & idx & ")"
    End If
End Function

Dim EncryptionMethod
Dim ProtectionStatus
Dim ConversionStatus
Dim EncryptionPercentage ' Percentage of the volume that is encrypted
Dim VolumeKeyProtectorID ' Array of key protector IDs (retrieved here but not reported)
Dim LockStatus
Dim objDataRow

For Each objItem In objCIMObj
    ' Each Get* method fills its last argument as an out parameter
    objItem.GetEncryptionMethod EncryptionMethod
    objItem.GetProtectionStatus ProtectionStatus
    objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
    objItem.GetKeyProtectors 0, VolumeKeyProtectorID
    objItem.GetLockStatus LockStatus

    ' Add a new row per volume (the data class must allow multiple rows from a single computer)
    Set objDataRow = objDataClass.AddRow
    ' Set columns, in the order of the data class definition
    objDataRow.SetField 0, objItem.DeviceID
    objDataRow.SetField 1, objItem.DriveLetter
    objDataRow.SetField 2, Lookup(arEncryptionMethod, EncryptionMethod)
    objDataRow.SetField 3, Lookup(arProtectionStatus, ProtectionStatus)
    objDataRow.SetField 4, Lookup(arConversionStatus, ConversionStatus)
    objDataRow.SetField 5, EncryptionPercentage & "%"
    objDataRow.SetField 6, Lookup(arLockStatus, LockStatus)
Next

nse.SendQueued

Results:

[Image: expanded bitlocker status.JPG]

 

The next script and custom data class gather the recovery keys.  Once again we start with a custom data class:

[Image: Bitlocker recovery data class.JPG]

Then the script:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMv2\Security\MicrosoftVolumeEncryption")

Set objCIMObj = objWMIService.ExecQuery("select * from Win32_EncryptableVolume",,48)
'Set objCIMObj = objWMIService.ExecQuery("Select * from Win32_EncryptableVolume " & "Where DriveLetter = 'C:'")

Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")

nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

' Replace with the GUID of your own recovery-key data class
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("{0683de19-a007-4eba-9ad5-32748a52ef14}")

Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

Const ForReading = 1
Const KEY_FILE = "C:\keys.txt"   ' temporary file; manage-bde output (including the recovery password) lands here in clear text

Set oShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

Dim objDataRow
For Each objItem In objCIMObj
    ' manage-bde needs a drive letter, so skip volumes that have none
    If Len("" & objItem.DriveLetter) > 0 Then
        ' Run manage-bde hidden (window style 0), wait for it to finish (True), and redirect its output to the key file
        oShell.Run "cmd /K manage-bde -protectors -get """ & objItem.DriveLetter & """ >" & KEY_FILE & " & exit", 0, True

        ' Keep the last non-empty line of the output; for a volume with a numerical password
        ' protector that is the 48-digit recovery password. Reset per volume so a drive without
        ' output does not inherit the previous drive's value
        strLine = ""
        Set objFile = objFSO.OpenTextFile(KEY_FILE, ForReading)
        Do Until objFile.AtEndOfStream
            strNextLine = Trim(objFile.ReadLine)
            If Len(strNextLine) > 0 Then
                strLine = strNextLine
            End If
        Loop
        objFile.Close

        'WScript.Echo strLine

        Set objDataRow = objDataClass.AddRow
        objDataRow.SetField 0, objItem.DriveLetter
        objDataRow.SetField 1, strLine
    End If
Next

' Remove the temporary key file (a plain delete, not a secure wipe)
If objFSO.FileExists(KEY_FILE) Then objFSO.DeleteFile KEY_FILE

nse.SendQueued

 

Then the results:

[Image: Bitlocker Recovery2.JPG]
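As an added example that is not code from the original article, the script below combines both parts of the guide in one custom inventory: it records every key protector on every volume (which tells you, for instance, which volumes have only a TPM protector and no recovery password) and, for numerical-password protectors, reads the recovery password straight from Win32_EncryptableVolume via GetKeyProtectorNumericalPassword instead of parsing manage-bde output through a temporary file. It assumes a custom data class named "BitLocker Key Protectors" (an assumed name, passed by name as Tomasz suggests in the comments; use your own name or GUID) with five columns in the order shown and with "Allow multiple rows from a single computer resource" checked; the Lookup function and protector type table are mine.

```vbscript
' Added example (not from the original article): one custom inventory script that
' records every BitLocker key protector on every volume and reads recovery passwords
' directly from WMI, so nothing is written to a temporary file.
' Assumptions (replace with your own):
'   - a custom data class "BitLocker Key Protectors" with 5 columns:
'     DriveLetter, ProtectorID, ProtectorType, RecoveryPassword, ProtectionStatus
'   - "Allow multiple rows from a single computer resource" is checked
Option Explicit

Const NSE_TO = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"   ' inventory destination GUID from the article
Const DATA_CLASS_NAME = "BitLocker Key Protectors"        ' assumed data class name
Const KP_NUMERICAL_PASSWORD = 3                            ' GetKeyProtectorType value for a recovery password

' Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
Dim arProtectorType
arProtectorType = Array("Unknown", "TPM", "External Key", "Numerical Password", _
    "TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key", _
    "Public Key", "Passphrase", "TPM Certificate", "CNG Protector")

Dim arProtectionStatus
arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")

' Translate a code to its name; codes outside the table become "Unknown (n)" rather than an error
Function Lookup(arr, idx)
    If Not IsEmpty(idx) And idx >= 0 And idx <= UBound(arr) Then
        Lookup = arr(idx)
    Else
        Lookup = "Unknown (" & idx & ")"
    End If
End Function

Dim objWMIService, colVolumes, objVolume
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMv2\Security\MicrosoftVolumeEncryption")
Set colVolumes = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume")

Dim nse, objDCInstance, objDataClass
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
nse.To = NSE_TO
nse.Priority = 1
Set objDCInstance = nse.AddDataClass(DATA_CLASS_NAME)
Set objDataClass = nse.AddDataBlock(objDCInstance)

Dim ProtectionStatus, arProtectorIDs, strProtectorID, ProtectorType, strPassword, objRow, rc
For Each objVolume In colVolumes
    objVolume.GetProtectionStatus ProtectionStatus

    ' Protector type 0 = every protector type on this volume (same call the article's first script makes)
    rc = objVolume.GetKeyProtectors(0, arProtectorIDs)
    If rc = 0 And IsArray(arProtectorIDs) Then
        For Each strProtectorID In arProtectorIDs
            objVolume.GetKeyProtectorType strProtectorID, ProtectorType
            strPassword = ""
            If ProtectorType = KP_NUMERICAL_PASSWORD Then
                ' The 48-digit recovery password comes back as an out parameter; it never touches the disk
                rc = objVolume.GetKeyProtectorNumericalPassword(strProtectorID, strPassword)
                If rc <> 0 Then strPassword = "Error 0x" & Hex(rc)
            End If
            ' One row per protector
            Set objRow = objDataClass.AddRow
            objRow.SetField 0, objVolume.DriveLetter
            objRow.SetField 1, strProtectorID
            objRow.SetField 2, Lookup(arProtectorType, ProtectorType)
            objRow.SetField 3, strPassword
            objRow.SetField 4, Lookup(arProtectionStatus, ProtectionStatus)
        Next
    Else
        ' A volume with no protectors at all (for example fully decrypted) is still worth recording
        Set objRow = objDataClass.AddRow
        objRow.SetField 0, objVolume.DriveLetter
        objRow.SetField 1, ""
        objRow.SetField 2, "No key protectors"
        objRow.SetField 3, ""
        objRow.SetField 4, Lookup(arProtectionStatus, ProtectionStatus)
    End If
Next

nse.SendQueued
```

Reading the password through WMI needs the same administrative rights as manage-bde does, but there is no cleartext file to create, parse or delete, and a volume with several protectors yields one row each, so a report for "volumes with Protection On and no Numerical Password protector" becomes a simple query on this data class. The recovery passwords still end up in the NS database, so restrict who can report on the data class.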

I hope this article helps you manage BitLocker info a little better. We are currently working on a way to move the data over into the Asset side so it's not quite as volatile.

Comments (3)

HighTower:

This is great!  Thanks for putting this article together as it solved a major need for me.

I'd just add: be sure to check ON the "Allow multiple rows from a single computer resource" option, as this will return information on all attached drives. Remember that if you re-save your custom Data Class then a new GUID will be assigned, so the inventory script has to be updated with the new GUID.

Tal Fisher:

This is a great start. Please do not stop here. How can Symantec make BitLocker and TPM Enabler/Status function native within Altiris?

 

Tal Fisher

Tomasz Wozniak:

Great article. Thumb up from me!

I would only add that you can use the exact name of your custom inventory data class instead of the GUID.

So instead of

set objDCInstance = nse.AddDataClass ("{0683de19-a007-4eba-9ad5-32748a52ef14}")

you could use

set objDCInstance = nse.AddDataClass ("Expanded Bitlocker Status")

This way you do not need to worry about the GUID anymore.

 
