/build/static/layout/Breadcrumb_cap_w.png

Bitlocker inventory on Kace SMA

Any ideas why the Drive Encryption in device inventory would indicate that Bitlocker is not enabled/protected on some machines when it really is? I'm running SMA version 11.0.273 and have all Windows 10 clients. Here's an example of a problem child:

Drive Encryption
Drive Encryption Summary: Encryption Technology: None
Encryption Enabled: No
Drive Protected: No
BitLocker on C:System Volume: Yes
Device ID: \\?\Volume{d79a5606-0a8e-47c6-31b9-a894f56f9f01}\
Persistent Volume ID: {07D5AC2F-B46B-4F57-88C1-836659695VC7}
Protection Status: Protection Off
Metadata Version: 2
Identification Field: UNC
Encryption Method: AES-XTS 128
Hardware Encryption Status: Not Supported
Lock Status: Unlocked
Conversion Status: Fully Encrypted
Encryption Percentage: 100%


I've logged into this computer and verified that Bitlocker is on.

A4ovLEkanCp8AAAAAElFTkSuQmCC

The encryption inventory is correct for most computers and I used the same method to encrypt all desktops - powershell script with the manage-bde command. I don't see any pattern based on TPM version, Windows 10 version or computer model. Any tips are welcome. Thanks.


0 Comments   [ + ] Show comments

Answers (1)

Answer Summary:
Posted by: Nico_K 3 years ago
Red Belt
1

the collection of the info is done by a powershell script.
And Windows 10 has now a default setting of blocking some powershell scriptlets.
you can test this by running by going to c:\programdata\quest\kace\kbots_cache\packages\kbots\4 and run
powershell -NonInteractive -file bitlocker_inventory.ps1
This would bring you an error code and a link to the MS KB how to change this.
This will be changed in a future version but right now this would be the workaround.


Comments:
  • OK, thanks, Nico. - tpr 3 years ago
  • More info - I ran the bitlocker inventory script on one of the problem computers and got no error, and the output looked like what I would expect from a computer with BL enabled (eg, <PROTECTION_STATUS>1</PROTECTION_STATUS>). I then did an inventory force run from the SMA and all the information showed up properly after that. Maybe running the script directly on the machine helped? I could try adding a script to the SMA and see if that helps with the others.

    Also, I did not change the execution policy or anything else on the machine, and it was set to RemoteSigned. - tpr 3 years ago
    • the scripts are running as SYSTEM, which is not a USER, so there may be different policies in place.
      I seen it with different users but were not able to replicate with my own env. - Nico_K 3 years ago
      • OK, thanks. This has been a pretty unusual experience. Most of my scripts run pretty consistently across all my clients, but it's been difficult to find a pattern with these BL related scripts. I'd tweak and get it working for one from the SMA, but then it would fail for others. Running directly on machines always works. All clients getting same image and GPOs. Anyway, I'll just put this one in the L column and move on. - tpr 3 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ