IT Management Suite


BitLocker Status

  • 1.  BitLocker Status

    Posted Dec 12, 2022 03:58 PM
    Can the following KB article be adapted for Altiris 8.x?  I'm only running 8.1 and just realized that the article mentions 7.x (and I thought my version was super old...hehe).

    Inventory BitLocker Encryption Status of Drives and Computers (Broadcom KB article)
    Resolution: Custom inventory can be used to detect the encryption status of each drive on a computer by querying WMI. The Custom Inventory script presented here was adapted from http://www.symantec.com/connect/articles/bitlocker-information-altiris-7x. In addition, this article presents a custom report that displays the custom inventory data and shows which computers and drives are encrypted.


  • 2.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 13, 2022 10:24 AM
    Hi Clint,

    This article should still be applicable to ITMS 8.x. At least, I was able to follow the mentioned steps: the custom inventory task returned some data, and the SQL report I created also displayed it. Do you observe some issue? Could you please provide details of which step from this KB article does not work for your 8.1?

    Thanks, 
    Roman


  • 3.  RE: BitLocker Status

    Posted Dec 13, 2022 12:30 PM
    Hi Roman,

    I just did a Quick Run but the task failed (according to the SMC) on all computers I tried it on.  The report's blank, and the only thing I changed in the vbscript was the GUID for myDataClass.  Is there somewhere I could check that'd give more details on why the vbscript task failed?

    Also, the following caught my eye in the script since it specifically mentions 7.1/7.5 whereas I'm running 8.1.  If this NS GUID is different for 8.1, where do I find it?

    ' This GUID for the NS is the same for all versions of 7.1 and 7.5
    nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"

    Clint


  • 4.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 16, 2022 04:02 AM
    Edited by Roman Vassiljev Dec 16, 2022 04:03 AM
    Hi Clint,

    You may check the agent logs, located under C:\ProgramData\Symantec\Symantec Agent\Logs on the endpoint where the task is running, to see details of why the vbscript failed.
    If the script is executed on the endpoint successfully and the issue occurs during processing of the results, then please check the logs on the server side using the Altiris Log Viewer utility (it is installed with ITMS).
    BTW, could you please attach your actual script here? Right now it seems that the script has some issue and the VBS is failing.
    nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}" should work for 8.x.

    Thanks,
    Roman


  • 5.  RE: BitLocker Status

    Posted Dec 16, 2022 04:08 PM
    Here's a copy of the vbscript text directly from the job I created.  Again, the only thing I changed from the original article was the myDataClass value.

    On Error Resume Next

    'Call WMI for encryption information
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume",,48)

    'Lookup tables that turn the numeric codes returned by WMI into text
    Dim arEncryptionMethod
    Dim arProtectionStatus
    Dim arConversionStatus
    Dim arLockStatus

    arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256")
    arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")
    arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")
    arLockStatus = Array("Unlocked", "Locked")

    '=====================================================================
    'Create instance of Altiris NSE component
    dim nse
    set nse = WScript.CreateObject ("Altiris.AeXNSEvent")

    ' Set the header data of the NSE
    ' This GUID for the NS is the same for all versions of 7.1 and 7.5
    nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
    nse.Priority = 1

    'myDataClass = "BitLocker_Status"
    'If the above name doesn't work use the line below and replace the guid with
    'the guid shown in the properties of the custom data class created on the server.
    myDataClass = "{9cbee7b0-dc88-4a2a-bbc3-899bacb32b94}"

    'Create Inventory data block.
    dim objDCInstance
    set objDCInstance = nse.AddDataClass (myDataClass)

    dim objDataClass
    set objDataClass = nse.AddDataBlock (objDCInstance)

    'Populate the NSE file with desired data
    For Each objItem in colItems
        'Add a new row for each drive on the computer
        Dim objDataRow
        set objDataRow = objDataClass.AddRow

        Dim EncryptionMethod
        Dim ProtectionStatus
        Dim ConversionStatus
        Dim EncryptionPercentage
        Dim VolumeKeyProtectorID
        Dim LockStatus

        'Each Get* method returns its result through the output argument(s)
        objItem.GetEncryptionMethod EncryptionMethod
        objItem.GetProtectionStatus ProtectionStatus
        objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
        objItem.GetKeyProtectors 0,VolumeKeyProtectorID
        objItem.GetLockStatus LockStatus

        objDataRow.SetField 0, objItem.DriveLetter
        objDataRow.SetField 1, arEncryptionMethod(EncryptionMethod)
        'Field 2 is 1/0 for protection on/off; "Protection Unknown" leaves it unset
        If arProtectionStatus(ProtectionStatus) = "Protection On" then
            objDataRow.SetField 2, "1"
        ElseIf arProtectionStatus(ProtectionStatus) = "Protection Off" then
            objDataRow.SetField 2, "0"
        End If
        objDataRow.SetField 3, arConversionStatus(ConversionStatus)
        'EncryptionPercentage is already a number, so it is written directly.
        '(The original line indexed an undeclared array, arEncryptionPercentage;
        'On Error Resume Next hid that error, so field 4 was never written.)
        objDataRow.SetField 4, EncryptionPercentage
        objDataRow.SetField 5, arLockStatus(LockStatus)
    Next

    'send the NSE file
    nse.Send


  • 6.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 16, 2022 04:51 PM
    Hi Clint - I ran your script locally on a computer after adding the msgbox command, and it ran without script errors. I then copied your script and changed just the myDataClass value to the GUID of a new custom data class I created and pasted it into a new script task. It tested good in my 8.6 RU3 lab on all 5 systems, no failures. If the script task is what fails, likely it is permissions or it is not set to VBScript as script type. I recommend you try your script locally on a computer. If it runs successfully and there is now data in the custom data class report then either it is permissions (runs as system by default, so test the script task with your username/password), or script type configuration in the script task is not set to VBScript.


  • 7.  RE: BitLocker Status

    Posted Dec 16, 2022 07:58 PM
    Hi Chris,

    Yes...in this case this appears to be a permissions issue when running via Quick Run since manually running it on a machine put its data in the report.  I'll try scheduling the job to see if this makes a difference but if it fails as well, I don't see anywhere to specify credentials under the job/task.  Think I could just fire off the vbscript via Software Management although would be nice to know if I can specify creds for a job run.

    Clint


  • 8.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 16, 2022 08:02 PM
    The Advanced button on the script task has the options for run-as:




  • 9.  RE: BitLocker Status

    Posted Dec 19, 2022 12:01 PM
    Hi Chris,

    Thanks for pointing this out.  I must have some mental block because I oftentimes miss this Advanced button to the right (hehe).

    Clint


  • 10.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 16, 2022 03:55 PM
    Hi Clint,

    That GUID hasn't changed, so that is good.
    Try commenting out the nse.send at the bottom and adding MsgBox nse.Xml below that (be sure to remove that once working before trying it in a script task).
    Create a file on the desktop of a computer (like bitlocker.vbs) with the script in it (including MsgBox nse.Xml) and then you will see what if any errors the "Script" has. If there are no errors, then a message box will display with the partial NSE that would be created and sent. The data collected will be between the <data> and </data> tags. If you do get the message box (and the script does not throw an error), try it again by commenting out (or deleting) MsgBox nse.Xml and uncommenting the nse.send line. Then check your report. If the report is still empty, verify the custom data class GUID of this line:
    myDataClass = "{GUID}", making sure that the quotes and curly brackets are in place. 

    If your report did show data, but the script task is what is failing, that may be due to either cut and paste errors or permissions - a simple test is, if it worked while logged on to the client as above, try entering your credentials (or the ones used to log in to the test computer) into the run-script task via the Advanced button. If it works, you know it can't run as the default System account the agent runs as. If it is not permissions, copy the test script from that computer, paste it into notepad, and then paste it into the script task.


  • 11.  RE: BitLocker Status

    Posted Dec 19, 2022 04:34 PM
    Really appreciate all the help thus far as I'm indeed making progress.  I'm now looking for guidance on creating a recovery key report from the original 7.x article, below.  The Custom Inventory screenshot in the community post has "Yes" for the Key and Required fields, so I'm not sure if this is right when Article 178361, which I used for the BitLocker status, explicitly had you set these to "No".  Also, what do I do to create the (SQL?) report itself for the recovery keys, as the community post doesn't go through this?

    https://community.broadcom.com/symantecenterprise/viewdocument/bitlocker-information-from-altiris?CommunityKey=63b01f30-d5eb-43c7-9232-72362b508207&tab=librarydocuments


  • 12.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 19, 2022 08:57 PM
    The Key and Required fields can help with SQL performance when you have a large set of inventory data, but the trick is if Key is set to YES, then only one row of data in the custom table (data class) can have a certain value. So if any of the collected inventory fields may be the same on two or more computers, set the Key to NO. For Required, I believe the behavior would be if one of the fields was blank, the rest would not be written, so setting it to NO would ensure you still have one or more rows of data for each computer.  For recovery key, this is likely unique for each computer, so it would be optional to set the Key value to YES. 

    For the report, navigate to Reports > All Reports and right-click the folder you want to store the report in (or create a folder first, also a right-click option) and select New > Report > SQL Report. Then select the new report on the left pane and then click the Edit button on the right pane. Remove the default query and you can create a simple or more complex query for your report. The simple report is just:
    select * from <name of custom data class>
    You can find the name of your custom data class by highlighting it in Manage Custom Data Classes (where you created it) and clicking the hand icon in the Custom Data Classes menu bar. In my example, the custom data class is Bitlocker Status, so with underscores replacing spaces and a prefix of Inv_, the name of the table to query from is Inv_BitLocker_Status. For the recovery keys, just select that custom data class. 



  • 13.  RE: BitLocker Status

    Posted Dec 20, 2022 04:10 PM
    Just wanted to confirm that for the vbscript to pull the BitLocker recovery keys, below, am I replacing the nse.AddDataClass GUID with the one from my custom inventory Data Class Details page?  I'm assuming the "0683de19-..." GUID was from the forum poster's server but could be wrong (not the first time...hehe).


    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root/CIMv2/Security/MicrosoftVolumeEncryption")

    Set objCIMObj = objWMIService.ExecQuery("select * from Win32_EncryptableVolume",,48)
    'Set objCIMObj = objWMIService.ExecQuery("Select * from Win32_EncryptableVolume " & "Where DriveLetter = C:'")

    dim nse
    set nse = WScript.CreateObject ("Altiris.AeXNSEvent")


    nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
    nse.Priority = 1

    dim objDCInstance
    set objDCInstance = nse.AddDataClass ("{0683de19-a007-4eba-9ad5-32748a52ef14}")

    dim objDataClass
    set objDataClass = nse.AddDataBlock (objDCInstance)

    For Each objItem in objCIMObj

    Set oShell = WScript.CreateObject("WSCript.shell")
    oShell.run"cmd /K manage-bde -protectors -get """ &objitem.driveletter& """ >C:\keys.txt & exit",0,True


    'Const ForReading = 1

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile("C:\keys.txt", 1)

    Do Until objFile.AtEndOfStream
    strNextLine = objFile.ReadLine
    If Len(strNextLine) > 0 Then
    strLine = strNextLine
    End If
    Loop

    objFile.Close

    'Wscript.Echo strLine


    dim objDataRow
    set objDataRow = objDataClass.AddRow

    objDataRow.SetField 0, objItem.DriveLetter
    objDataRow.SetField 1, strLine
    Next

    oShell.run"cmd /K del c:\keys.txt & exit",0,True

    nse.SendQueued


  • 14.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 20, 2022 04:22 PM
    That is correct, nse.AddDataClass is for the custom data class GUID.
    So replace the GUID in set objDCInstance = nse.AddDataClass ("{YOUR CUSTOM DATA CLASS GUID HERE}")


  • 15.  RE: BitLocker Status

    Posted Dec 21, 2022 04:20 PM
    It seems this VBScript to pull the BitLocker Recovery Key is instead giving me the TPM PCR Validation Profile according to a co-worker of mine.  I changed nse.AddDataClass to match my custom data class GUID so I must be missing some other mod in the script or perhaps something in my custom data class.


  • 16.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 21, 2022 05:01 PM
    Getting the script to function without error and getting data into the database is the easy part. The logic and collection of desired data in the script is another story. If your script runs without error and puts data into the database, that part is working. It may be the wrong data, but from Altiris standpoint, everything lines up. I can recommend searching to see if anyone out there has done it with VBScript or PowerShell, and you can test locally to make sure, then format the script to return data to the database. 

    That said, the line in the script getting the data is:
    oShell.run"cmd /K manage-bde -protectors -get """ &objitem.driveletter& """ >C:\keys.txt & exit",0,True

    The script then reads the file (C:\keys.txt) and then puts any data in the file into the NSE for sending back to the DB. 

    This article describes the command run from within the script (manage-bde -protectors -get) and looks to me to be getting recovery key method and ID data. 
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors?source=recommendations


  • 17.  RE: BitLocker Status

    Posted Dec 22, 2022 03:41 PM
    After looking at the BitLocker recovery key script from the community post more carefully, I realized that the Loop within it only pulls the last line of the manage-bde output.  This won't fly if TPM is also enabled on the given machine, which explains why 1 computer we were testing the vbscript on wasn't giving the BitLocker password from the manage-bde command, since the desired data is about 2/3 down the output that had both BitLocker and TPM passwords.

    A colleague sent me code to modify the loop, so I have yet to test it, but in the meantime I could use some help figuring out how to get the "computer name" field into my custom SQL report, as a simple query only gets me the fields in my screenshot, below.
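
    The loop in the recovery-key script keeps only the last non-empty line of the manage-bde output, so on a volume whose TPM protector is listed last the row ends up holding the PCR validation profile instead of the recovery password. The following is an added example, not code from this thread or from the linked community post, that parses the same manage-bde output and returns only the Numerical Password protector(s). The function names RunManageBde, GetRecoveryPasswords and SampleOutput are chosen here, the sample output is constructed to match the layout manage-bde prints, and its GUIDs and 48-digit value are placeholders rather than real values.

```vbscript
Option Explicit

' Run manage-bde for one volume and return its console output as a string.
' Standard output is read directly through Exec, so nothing is written to
' C:\keys.txt. strDrive is the DriveLetter from Win32_EncryptableVolume, e.g. "C:".
Function RunManageBde(strDrive)
    Dim oShell, oExec
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec("manage-bde -protectors -get " & strDrive)
    RunManageBde = oExec.StdOut.ReadAll
End Function

' Return the recovery password(s) found in "manage-bde -protectors -get" output.
' Each "Numerical Password:" block yields "ID=<guid>;Password=<digits>"; several
' blocks are joined with "|". Returns "" when the volume has no numerical
' password protector, so that case is distinguishable from a parsing mistake.
Function GetRecoveryPasswords(strOutput)
    Dim arLines, i, strLine, strId, blnInBlock, blnNextIsPassword, strResult
    arLines = Split(strOutput, vbLf)
    blnInBlock = False
    blnNextIsPassword = False
    strId = ""
    strResult = ""
    For i = 0 To UBound(arLines)
        strLine = Trim(Replace(arLines(i), vbCr, ""))
        If blnNextIsPassword Then
            ' The first non-empty line after "Password:" holds the recovery password
            If Len(strLine) > 0 Then
                If Len(strResult) > 0 Then strResult = strResult & "|"
                strResult = strResult & "ID=" & strId & ";Password=" & strLine
                blnNextIsPassword = False
                blnInBlock = False
            End If
        ElseIf strLine = "Numerical Password:" Then
            blnInBlock = True
            strId = ""
        ElseIf blnInBlock And Left(strLine, 3) = "ID:" Then
            strId = Trim(Mid(strLine, 4))
        ElseIf blnInBlock And strLine = "Password:" Then
            blnNextIsPassword = True
        ElseIf Right(strLine, 1) = ":" Then
            ' Any other "<name>:" header (TPM:, External Key:, ...) starts a
            ' protector block that is ignored
            blnInBlock = False
        End If
    Next
    GetRecoveryPasswords = strResult
End Function

' Constructed sample (placeholder GUIDs and digits) in the layout manage-bde
' prints for a volume with both a numerical password and a TPM protector.
' With the TPM block last, "last non-empty line" logic returns "0, 2, 4, 11".
Function SampleOutput()
    Dim s
    s = "BitLocker Drive Encryption: Configuration Tool version 10.0.0" & vbCrLf
    s = s & "Copyright (C) 2013 Microsoft Corporation. All rights reserved." & vbCrLf & vbCrLf
    s = s & "Volume C: [Windows]" & vbCrLf
    s = s & "All Key Protectors" & vbCrLf & vbCrLf
    s = s & "    Numerical Password:" & vbCrLf
    s = s & "      ID: {00000000-0000-0000-0000-000000000001}" & vbCrLf
    s = s & "      Password:" & vbCrLf
    s = s & "        111111-222222-333333-444444-555555-666666-777777-888888" & vbCrLf & vbCrLf
    s = s & "    TPM:" & vbCrLf
    s = s & "      ID: {00000000-0000-0000-0000-000000000002}" & vbCrLf
    s = s & "      PCR Validation Profile:" & vbCrLf
    s = s & "        0, 2, 4, 11" & vbCrLf
    SampleOutput = s
End Function

' Stand-alone check of the parser against the constructed sample:
'   cscript //nologo recovery_parse.vbs
' Replace SampleOutput() with RunManageBde("C:") to parse a real volume.
WScript.Echo GetRecoveryPasswords(SampleOutput())
```

    In the script task, the temp-file loop can be replaced by `strLine = GetRecoveryPasswords(RunManageBde(objItem.DriveLetter))` just before `objDataRow.SetField 1, strLine` (without the `Option Explicit` line, since the rest of that script does not declare its variables). Because the recovery password is stored in the data class as plain text, the data class and its report should be limited to the staff who handle recovery requests.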



  • 18.  RE: BitLocker Status

    Posted Dec 23, 2022 12:47 PM
    Anyone know why manually running this vbscript produces the following error?  Via Altiris, the job runs successfully so curious why Windows is complaining when you fire off the vbs manually.  Get the same error on Win11 and Win10.



  • 19.  RE: BitLocker Status

    Posted Dec 22, 2022 03:39 PM
    Hi Chris,

    So for the BitLocker Recovery Key report, what would the SQL code look like if I want the endpoint's "computer name" in it as well?  If I just do the simple Select in the custom SQL report, only the Drive Letter and Recovery Key column headers show up.

    Clint


  • 20.  RE: BitLocker Status

    Broadcom Employee
    Posted Dec 22, 2022 03:48 PM
    You can use a join to connect another table or view that has the computer name. In the example below, I use the vComputer view by joining it to the custom data class table using the GUID from vComputer to the _ResourceGuid that all custom inventory scripts will have put into the custom data class:

    select vc.name, bt.*
    from <Custom Data Class Table Name> bt
    join vcomputer vc on vc.guid = bt._ResourceGuid