bitlocker report
I was wondering if anyone has found a good way to report bitlocker encryption status using the kbox? I have been searching online and found examples for other management software but nothing for the kbox.
thanks
Answers (6)
Posted by:
joe.pyrczak
8 years ago
Posted by:
scottlutz
13 years ago
Posted by:
airwolf
13 years ago
You could write a PowerShell, AutoIT, or VBS script to detect status and write a registry value. You could then inventory that value.
From a quick Google search, all I could find dealt with WMI - based on that you'd have to use some sort of script to make something (e.g. reg value) for the K1000 to inventory.
Posted by:
mich3ael
13 years ago
We place a VBscript on each machine, via File Sync, which writes the status of drives C,D,E to the registry via the ProtectionStatus value in Win32_EncryptableVolume. We also capture the recovery keys by writing the output of the command:
cmd /c manage-bde -protectors -get c: -type recoverypassword
to a string variable, and parse the string for the lines containing "Password:" and "ID:", then write those values to the registry for KBOX to pick up in a custom inventory rule (RegistryValueReturn).
The script is also launched during every inventory update via another custom inventory rule (ShellCommandTextReturn, which doesn't output anything, but does execute the script).
So worst case, after a couple of inventory updates on a new machine we have the status and recovery key stored in the machine's inventory record in KBOX.
We decided to update this with every machine inventory, since all of our users are local admins and there have been times where people have turned BitLocker off and back on (decrypt and re-encrypt), changing the recovery key, finding us in a position where we didn't have the recovery key when BitLocker decided to trip. Ideally this can all be done with group policy and Active Directory, but we had problems doing it that way, so KBOX to the rescue.
The script is very light, and the manage-bde command is a very quick execute, so this hourly run doesn't ever get noticed.
Comments:
- Hi, I have used File Sync to copy my VBscript to a folder on the C: drive but cannot get the script to run. Can you please advise how you force the script to run and will it still run if UAC is enabled? Thanks - repsorp2010 12 years ago
- Found the answer: http://www.kace.com/de/support/resources/kb/article/Using-the-K1000-appliance-scripting-module - repsorp2010 12 years ago
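An added sketch of the approach mich3ael describes above, written in PowerShell rather than the VBScript used in that answer; it is not the poster's script. The registry key HKLM:\SOFTWARE\ExampleOrg\BitLocker and the value names are hypothetical, and the parser assumes manage-bde prints each protector's ID line before its 48-digit recovery password.

```powershell
# Added example (not the poster's script). Run elevated, e.g. as the agent's SYSTEM account.
# $RegRoot and the value names are hypothetical; point the RegistryValueReturn rules at them.
# HKLM\SOFTWARE is readable by standard users by default, so restrict this key's ACL
# to SYSTEM and Administrators if RecoveryPassword is stored here.
$RegRoot    = 'HKLM:\SOFTWARE\ExampleOrg\BitLocker'
$Drives     = 'C:', 'D:', 'E:'
$Namespace  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$StatusText = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }   # ProtectionStatus codes

function Get-RecoveryProtector {
    param([string[]]$Text)
    # Assumed layout: an "ID: {GUID}" line, then the 48-digit password on a later line.
    $id = $null
    foreach ($line in $Text) {
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $id = $Matches[1]
        } elseif ($id -and $line -match '((?:\d{6}-){7}\d{6})') {
            [pscustomobject]@{ Id = $id; Password = $Matches[1] }
            $id = $null
        }
    }
}

foreach ($drive in $Drives) {
    $key = Join-Path $RegRoot $drive.TrimEnd(':')
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $vol = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume `
               -Filter "DriveLetter='$drive'" -ErrorAction SilentlyContinue
    if (-not $vol) {
        # Drive absent or not a BitLocker-capable volume: record that and clear stale keys.
        Set-ItemProperty -Path $key -Name ProtectionStatus -Value 'NoVolume'
        Remove-ItemProperty -Path $key -Name RecoveryId, RecoveryPassword -ErrorAction SilentlyContinue
        continue
    }
    Set-ItemProperty -Path $key -Name ProtectionStatus -Value $StatusText[[int]$vol.ProtectionStatus]

    $out = & manage-bde.exe -protectors -get $drive -type recoverypassword 2>$null
    $rp  = Get-RecoveryProtector -Text $out | Select-Object -First 1
    if ($rp) {
        Set-ItemProperty -Path $key -Name RecoveryId       -Value $rp.Id
        Set-ItemProperty -Path $key -Name RecoveryPassword -Value $rp.Password
    } else {
        # No recovery-password protector (e.g. BitLocker turned off): drop old values.
        Remove-ItemProperty -Path $key -Name RecoveryId, RecoveryPassword -ErrorAction SilentlyContinue
    }
}
```

Because the values are rewritten on every run, a decrypt and re-encrypt that changes the recovery password is picked up at the next inventory, which is the drift the answer describes.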