
How to gather bitlocker status?

Created: 01 Mar 2013 • Updated: 07 Mar 2013 | 10 comments
This issue has been solved. See solution.

Can anyone help me figure out how to gather bitlocker status for our laptops?

I found these, but have never set up a custom inventory before and support won't help me.

https://www-secure.symantec.com/connect/downloads/...

http://www.symantec.com/connect/articles/introduction-custom-inventory-notification-server-70

I set up a data class called Win32_EncryptableVolume with one attribute (string) called Encryption.  I took down the GUID of the class and created a task with the script from the link above, putting in my custom GUID.

No dice. 

Would appreciate if anyone can offer advice!


Sally5432's picture

bump

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.

Patrick Schmid's picture

I have different things setup related to Bitlocker:

 

BitlockerStatus

Custom Inventory that gets info on whether drives C and D have BitLocker enabled.

 

BitlockerKeys

Custom Inventory that gathers the BitlockerKeys from Drive C and D (and History enabled for this table)

 

I assume you just need BitlockerStatus, I created it like that:

1. Custom Inventory

1.1 Settings -> All Settings -> Discovery and Inventory -> Inventory Solution -> Manage Custom Data Classes

1.2 *New data class: I called it "H_Bitlocker_Status" with following attributes: BitlockerDriveCEnabled and BitlockerDriveDEnabled

configured like: Data type = int, Maximum size = 4, Key = No, Data required = No (do not enable "multi rows")

1.3 Save it, click on the created data class and click the property button to note the GUID

2. Gather Task

Replace the "myDataClass" GUID with yours

2.1 Create a Task (vbscript) - with the configuration you like (Hidden....)

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume",,48)

'Here, the assumption is that the data class with below guid is already configured on server.
myDataClass = "{b4b65e2c-80ea-486d-8c1f-55e316b91cfc}"

'========================================================================================
'Create instance of Altiris NSE component
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")

' Set the header data of the NSE
' Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

'Create Inventory data block.
dim objDCInstance
set objDCInstance = nse.AddDataClass (myDataClass)

dim objDataClass
set objDataClass = nse.AddDataBlock (objDCInstance)

'Add a new row
dim objDataRow
set objDataRow = objDataClass.AddRow

Dim arEncryptionMethod
arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256")

Dim arProtectionStatus
arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")

Dim arConversionStatus
arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")

Dim arLockStatus
arLockStatus = Array("Unlocked", "Locked")

For Each objItem in colItems
    Dim EncryptionMethod
    Dim ProtectionStatus
    Dim ConversionStatus
    Dim EncryptionPercentage 'Percentage of the volume that is encrypted
    Dim VolumeKeyProtectorID
    Dim LockStatus

    objItem.GetEncryptionMethod EncryptionMethod
    objItem.GetProtectionStatus ProtectionStatus
    objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
    objItem.GetKeyProtectors 0,VolumeKeyProtectorID
    objItem.GetLockStatus LockStatus

    if objItem.DriveLetter = "C:" Then
        if arProtectionStatus(ProtectionStatus) = "Protection On" then
            objDataRow.SetField 0, 1
        else
            objDataRow.SetField 0, 0
        End If
    End If

    if objItem.DriveLetter = "D:" Then
        if arProtectionStatus(ProtectionStatus) = "Protection On" then
            objDataRow.SetField 1, 1
        else
            objDataRow.SetField 1, 0
        End If
    End If

next
nse.SendQueued

3. Policy

3.1 Create a Policy to do the Custom Inventory with a Schedule that you like

You may just have a C drive or different letters, so some adjustments may have to be made.

 

Hope this helps and I didn't forget a step
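
A C:-only variant of the script above, as an added example that is not part of the original post. It assumes a data class with a single int attribute (field 0), uses a placeholder data class GUID, and reports 0 when the volume or the BitLocker WMI namespace is not found; it uses only the WMI and Altiris.AeXNSEvent calls already shown in the post.

```vbscript
Option Explicit
' Added example, not the original poster's code.
' ASSUMPTION: the custom data class has ONE int attribute (field 0), for drive C: only.
Const DATA_CLASS_GUID = "{00000000-0000-0000-0000-000000000000}" ' placeholder: use your own data class GUID
Const TARGET_DRIVE = "C:"

Dim objWMIService, colItems, objItem, protectionStatus, driveEnabled, rc
driveEnabled = 0 ' default: report "not protected" unless protection is positively confirmed

On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
If Err.Number <> 0 Then
    ' Namespace missing or not accessible: keep the default of 0 and say why in the task output
    WScript.Echo "BitLocker WMI namespace not available: " & Err.Description
    Err.Clear
Else
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume", , 48)
    For Each objItem In colItems
        Err.Clear ' an error on one volume must not mask the result for the next
        WScript.Echo "Found " & objItem.DriveLetter
        If UCase(objItem.DriveLetter) = TARGET_DRIVE Then
            ' Return code 0 means the call succeeded; status 1 is "Protection On"
            rc = objItem.GetProtectionStatus(protectionStatus)
            If Err.Number = 0 And rc = 0 And protectionStatus = 1 Then driveEnabled = 1
        End If
    Next
End If
On Error GoTo 0

WScript.Echo TARGET_DRIVE & " protection enabled = " & driveEnabled

' Build and queue the inventory event exactly as in the original script
Dim nse, objDCInstance, objDataClass, objDataRow
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}" ' fixed GUID from the original script
nse.Priority = 1
Set objDCInstance = nse.AddDataClass(DATA_CLASS_GUID)
Set objDataClass = nse.AddDataBlock(objDCInstance)
Set objDataRow = objDataClass.AddRow
objDataRow.SetField 0, driveEnabled ' always written, so the row is never left empty
nse.SendQueued
```

Because the field is written once after the loop, a machine without a matching volume still returns a row with 0 instead of no data.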

Sally5432's picture

Thanks Patrick, seems to work (at least I can run it with no errors on a test computer).

Any chance you have a report built to show encryption status once collected as part of this custom data class? Maybe I can get it if I play with IT Analytics.

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.

Marcelo D. Pessoa's picture

Maybe you can use this article to input this data class into ITA:

https://www-secure.symantec.com/connect/articles/i...

Patrick Schmid's picture

I created a Filter because I use it for several things (Reporting, Automation Policies, Policies etc)

1. Filter

Create a Filter

Change Filter Definition to Query Mode: Query Builder

Select Filter Expressions

Switch to advanced

Reselect "And"

Select {0}: Equals

for {0} Select "Field" and select on the right the Custom Table "H_Bitlocker....."

for {1} Select "Integer" on the right 1

Save the filter

Now you should see the devices that have Bitlocker on the C or D drive (depending on which Custom Table you selected).

You can now use this filter for your policies that target Bitlocker-encrypted devices (we have a mixed environment with and without Bitlocker)

 

2. Report

Create a Custom Report with this KB Article: http://www.symantec.com/business/support/index?page=content&id=HOWTO35873

And select your Bitlocker Filter if you're done.

 

If you just want to have a report you can do it like this:

Reports -> All Reports -> Your Folder -> New Computer Report

Select Tab "Fields"

Add -> Your Custom Table name (and others if you like for ex Primary User)

Select Filter Expressions

Switch to advanced

Reselect "And"

Select {0}: Equals

for {0} Select "Field" and select on the right the Custom Table "H_Bitlocker....."

for {1} Select "Integer" on the right 1

Save the report and you should have the results

This gives just all the encrypted devices, if you want to have all devices just delete the "Filter Expression".

 

SOLUTION
Sally5432's picture

Patrick, thanks again for your time.  I wish Symantec allowed you to donate Symantec points, I'd give you all of mine.

Unfortunately no dice here with the filter or report. For the filter, after I select Field, I don't see the custom table anywhere. Same thing when I do the report: click fields, add, I don't see my custom table name. I went back and rechecked everything in your directions and will include screenshots below.

I did some googling and maybe custom data classes don't work without Asset Management.  We use CMS 7.1 but don't use asset management.  Pretty disappointing, if that's the case.

1.PNG 2.PNG 3.PNG

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.

Patrick Schmid's picture

Sally no problem :) hm we have Asset Management but it should work without (we had filter reports in 7.0 without Asset Mgmt)

Could you check if you go via Manage - Resource on the Computer where you run the task and see if there is an entry to: View -> Inventory -> Data Classes -> Inventory -> Custom -> do you see the H_Bitlocker_Status? If not then something went wrong from the script task side (maybe wrong GUID did you put the b077...?)

This table just gets created on the resource if the task returns data

Edit: For troubleshooting this might help

put in some wscript.echo to see if it finds "C:" and activate save script output in the task

if objItem.DriveLetter = "C:" Then
    wscript.echo "Found C:"
    if arProtectionStatus(ProtectionStatus) = "Protection On" then
        objDataRow.SetField 0, 1
        wscript.echo "Enabled"
    else
        objDataRow.SetField 0, 0
        wscript.echo "Disabled"
    End If
End If

Sally5432's picture

Looks like at View -> Inventory -> Data Classes -> Inventory -> I don't have a custom available :(

 

This HOWTO mentions Asset Mgmt and "CMDB Solution" which I didn't even know existed.

http://www.symantec.com/business/support/index?pag...

dataclass.PNG

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.

Patrick Schmid's picture

I have used the Custom classes via Manage Custom Data Classes since 7.0 without CMDB Solution and Asset Mgmt, so something must have gone wrong with the script :/

 Link: http://www.symantec.com/business/support/index?page=content&id=HOWTO10487

Did you check with the wscript.echo's (adjustments in the task)? Output should be like

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Found C:
Enabled
 

 

Sally5432's picture

duh that was it. I tried to remove the D part because our users only have C drives... I must have removed too much.  See it under data classes now with accurate data provided.  

 

report works perfectly - thanks again!

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.