There are two parts to this guide: getting the BitLocker status of drives into Altiris, and getting the recovery key into Altiris. Both are custom inventories, so each one starts with creating a custom data class.
Let's start with the expanded BitLocker status. I had found an article on this site before that would give you the protection status only, which was useful, but I wanted more information. The custom data class I use has 7 columns, one for each field the script below sets (device ID, drive letter, encryption method, protection status, conversion status, encryption percentage and lock status):
I then used the script below to gather the information for all disks in the system. Make sure to replace the GUID below with the one from your custom data class:
'Following is a custom inventory script gathering BitLocker status for every encryptable volume on a machine and posting the data
'to NS using the Altiris NSE component
'===================================================================================================================
' On Error Resume Next
'Create instance of WMI service object and connect to the BitLocker namespace
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root/CIMv2/Security/MicrosoftVolumeEncryption")
'Fire WMI query (flags 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objCIMObj = objWMIService.ExecQuery("select * from Win32_EncryptableVolume",,48)
'Limit to a single drive instead, if wanted:
'Set objCIMObj = objWMIService.ExecQuery("Select * from Win32_EncryptableVolume " & "Where DriveLetter = 'C:'")
'===================================================================================================================
'Create instance of Altiris NSE component
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
'Set the header data of the NSE
'Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1
'Create inventory data block. The data class with the GUID below must already exist on the server; replace it with your own
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("{dd92d9ec-861d-4879-8af3-8b6cf9deb510}")
Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)
'Lookup arrays: each Win32_EncryptableVolume method returns a numeric code that is used as an index into these
Dim arEncryptionMethod
arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256")
Dim arProtectionStatus
arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")
Dim arConversionStatus
arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")
Dim arLockStatus
arLockStatus = Array("Unlocked", "Locked")
'One row per volume
For Each objItem In objCIMObj
    Dim EncryptionMethod
    Dim ProtectionStatus
    Dim ConversionStatus
    Dim EncryptionPercentage 'Percentage of the volume that is encrypted
    Dim VolumeKeyProtectorID
    Dim LockStatus
    objItem.GetEncryptionMethod EncryptionMethod
    objItem.GetProtectionStatus ProtectionStatus
    objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
    objItem.GetKeyProtectors 0, VolumeKeyProtectorID 'type 0 = all protector IDs (collected, not stored in a column)
    objItem.GetLockStatus LockStatus
    'Add a new row
    Dim objDataRow
    Set objDataRow = objDataClass.AddRow
    'Set columns in the order they are defined in the data class
    objDataRow.SetField 0, objItem.DeviceID
    objDataRow.SetField 1, objItem.DriveLetter
    objDataRow.SetField 2, arEncryptionMethod(EncryptionMethod)
    objDataRow.SetField 3, arProtectionStatus(ProtectionStatus)
    objDataRow.SetField 4, arConversionStatus(ConversionStatus)
    objDataRow.SetField 5, EncryptionPercentage & "%"
    objDataRow.SetField 6, arLockStatus(LockStatus)
Next
'Queue the NSE for the agent to send
nse.SendQueued
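For comparison, here is the same seven-column status inventory written in PowerShell. This is an added example, not part of the original article or the Altiris product: it assumes the Altiris NSE COM component is installed on the client, reuses the data class GUID shown above (replace it with your own), and extends the article's lookup tables with the encryption-method codes that newer Windows releases return, so an unrecognised value is reported as "Unknown" instead of aborting the script with an out-of-range index.

```powershell
# Added example, not from the original article. Assumes the Altiris NSE COM
# component is installed on the client and that the custom data class below
# already exists on the Notification Server (replace the GUID with your own).
$DataClassGuid = '{dd92d9ec-861d-4879-8af3-8b6cf9deb510}'   # custom data class from the article
$NsGuid        = '{1592B913-72F3-4C36-91D2-D4EDA21D2F96}'   # NS inventory target, do not change
$Namespace     = 'root/CIMv2/Security/MicrosoftVolumeEncryption'

# Lookup tables for the numeric codes the Win32_EncryptableVolume methods return.
# The article's five-entry array predates codes 5-7 (hardware encryption and
# XTS-AES), which Windows 10 and later report; an index outside the VBScript
# array would stop that script with a subscript error.
$EncryptionMethod = @{ 0 = 'None'; 1 = 'AES 128 With Diffuser'; 2 = 'AES 256 With Diffuser'
                       3 = 'AES 128'; 4 = 'AES 256'; 5 = 'Hardware Encryption'
                       6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
$ProtectionStatus = @{ 0 = 'Protection Off'; 1 = 'Protection On'; 2 = 'Protection Unknown' }
$ConversionStatus = @{ 0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption In Progress'
                       3 = 'Decryption In Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused' }
$LockStatus       = @{ 0 = 'Unlocked'; 1 = 'Locked' }

function Resolve-Code {
    # CIM returns UInt32 values; a hashtable keyed by Int32 literals will not
    # match them until the value is cast, so cast first and fall back to a
    # labelled unknown rather than failing.
    param([hashtable]$Table, $Code)
    $key = [int]$Code
    if ($Table.ContainsKey($key)) { return $Table[$key] }
    return "Unknown ($key)"
}

function Get-BitLockerStatusRow {
    # Returns one seven-field object per volume, in the column order of the data class.
    param($Volume)
    $method  = Invoke-CimMethod -InputObject $Volume -MethodName GetEncryptionMethod
    $protect = Invoke-CimMethod -InputObject $Volume -MethodName GetProtectionStatus
    $convert = Invoke-CimMethod -InputObject $Volume -MethodName GetConversionStatus
    $lock    = Invoke-CimMethod -InputObject $Volume -MethodName GetLockStatus
    [pscustomobject]@{
        DeviceID             = $Volume.DeviceID
        DriveLetter          = $Volume.DriveLetter
        EncryptionMethod     = Resolve-Code $EncryptionMethod $method.EncryptionMethod
        ProtectionStatus     = Resolve-Code $ProtectionStatus $protect.ProtectionStatus
        ConversionStatus     = Resolve-Code $ConversionStatus $convert.ConversionStatus
        EncryptionPercentage = "$($convert.EncryptionPercentage)%"
        LockStatus           = Resolve-Code $LockStatus $lock.LockStatus
    }
}

$rows = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume |
        ForEach-Object { Get-BitLockerStatusRow $_ }

# Post the rows as an NSE through the same COM object the VBScript uses.
$nse = New-Object -ComObject 'Altiris.AeXNSEvent'
$nse.To = $NsGuid
$nse.Priority = 1
$dc    = $nse.AddDataClass($DataClassGuid)
$block = $nse.AddDataBlock($dc)
foreach ($r in $rows) {
    $row = $block.AddRow()
    $i = 0
    foreach ($v in $r.DeviceID, $r.DriveLetter, $r.EncryptionMethod, $r.ProtectionStatus,
                   $r.ConversionStatus, $r.EncryptionPercentage, $r.LockStatus) {
        $row.SetField($i, [string]$v); $i++
    }
}
$nse.SendQueued()
```

Run it under the same custom inventory task that would run the VBScript; `$rows` can also be piped to `Format-Table` first to check the values before anything is posted to the server.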
Results:
The next script and custom data class gather the recovery keys. Once again we start with a custom data class:
Then the script:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root/CIMv2/Security/MicrosoftVolumeEncryption")
Set objCIMObj = objWMIService.ExecQuery("select * from Win32_EncryptableVolume",,48)
'Limit to a single drive instead, if wanted:
'Set objCIMObj = objWMIService.ExecQuery("Select * from Win32_EncryptableVolume " & "Where DriveLetter = 'C:'")
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("{0683de19-a007-4eba-9ad5-32748a52ef14}")
Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)
Dim oShell, objFSO, objFile
Set oShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
For Each objItem In objCIMObj
    'Dump the protectors for this drive to a temp file (hidden window, wait for completion).
    'The recovery password sits in this file in plain text until it is deleted below.
    oShell.Run "cmd /K manage-bde -protectors -get """ & objItem.DriveLetter & """ >C:\keys.txt & exit", 0, True
    'The recovery password is the last non-empty line of the manage-bde output.
    'Reset it per drive so a volume without a recovery password does not inherit the previous drive's value.
    strLine = ""
    Set objFile = objFSO.OpenTextFile("C:\keys.txt", 1) 'ForReading = 1
    Do Until objFile.AtEndOfStream
        strNextLine = objFile.ReadLine
        If Len(strNextLine) > 0 Then
            strLine = strNextLine
        End If
    Loop
    objFile.Close
    'WScript.Echo strLine
    Dim objDataRow
    Set objDataRow = objDataClass.AddRow
    objDataRow.SetField 0, objItem.DriveLetter
    objDataRow.SetField 1, strLine
Next
'Remove the temp file once every drive has been read
oShell.Run "cmd /K del C:\keys.txt & exit", 0, True
nse.SendQueued
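The recovery-password part can also be done without manage-bde or the temporary file, because the same WMI class exposes the numerical-password protectors directly. The following is an added example, not from the original article or the Altiris product; it assumes the second data class GUID shown above (replace it with your own) and the Altiris NSE component on the client. Nothing is written to disk, so there is no keys.txt to delete, and a volume without a numerical-password protector produces no row instead of repeating the previous drive's key.

```powershell
# Added example, not from the original article. Reads the 48-digit recovery
# password through the Win32_EncryptableVolume methods instead of parsing
# manage-bde output from a temporary file.
$DataClassGuid = '{0683de19-a007-4eba-9ad5-32748a52ef14}'   # custom data class from the article
$NsGuid        = '{1592B913-72F3-4C36-91D2-D4EDA21D2F96}'   # NS inventory target, do not change
$Namespace     = 'root/CIMv2/Security/MicrosoftVolumeEncryption'

function Get-RecoveryPasswordRow {
    # Emits one object per numerical-password protector on the volume; a volume
    # with none (for example a fully decrypted drive) emits nothing.
    param($Volume)
    # KeyProtectorType 3 = numerical password, i.e. the recovery password
    $kp = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectors `
                           -Arguments @{ KeyProtectorType = [uint32]3 }
    if ($kp.ReturnValue -ne 0) { return }
    foreach ($id in $kp.VolumeKeyProtectorID) {
        $np = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectorNumericalPassword `
                               -Arguments @{ VolumeKeyProtectorID = $id }
        if ($np.ReturnValue -ne 0) { continue }
        [pscustomobject]@{
            DriveLetter      = $Volume.DriveLetter
            ProtectorID      = $id
            RecoveryPassword = $np.NumericalPassword
        }
    }
}

$rows = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume |
        ForEach-Object { Get-RecoveryPasswordRow $_ }

# Two columns, as in the article's data class: drive letter and recovery password.
$nse = New-Object -ComObject 'Altiris.AeXNSEvent'
$nse.To = $NsGuid
$nse.Priority = 1
$block = $nse.AddDataBlock($nse.AddDataClass($DataClassGuid))
foreach ($r in $rows) {
    $row = $block.AddRow()
    $row.SetField(0, [string]$r.DriveLetter)
    $row.SetField(1, [string]$r.RecoveryPassword)
}
$nse.SendQueued()
```

The recovery password still leaves the machine and sits in the data class table on the Notification Server, so scope the data class and any report built on it to the administrators who need it; the ProtectorID is kept in `$rows` so a key can be matched to the protector a drive actually shows, but it is not posted.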
Then the results:
I hope this article helps you manage BitLocker information a little better. We are currently working on a way to move the data over into the Asset side so it's not quite as volatile.