Our department recently purchased LANDesk, and I needed to get BitLocker information into the LANDesk inventory. This is the first of three posts focused on this project. This post covers the basics of collecting BitLocker information with a PowerShell script. The next two posts go into the details of integrating this script with LANDesk.
WMI Queries
There are two basic WMI classes used in the script below: Win32_Volume and Win32_EncryptableVolume (the latter lives in the root\CIMv2\Security\MicrosoftVolumeEncryption namespace). I use Win32_Volume to get the list of all local fixed volumes on the device, then Win32_EncryptableVolume to check whether every volume except those labeled "System Reserved" or "BDEDrive" is encrypted. That per-volume check is summarized into a single rollup value (Not Protected, Insufficiently Protected, or Fully Protected) so the inventory can be queried on one field.
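As an added illustration (this is not the script from the post, which follows below), the per-volume check and the rollup rule described above, separated so the rule can be run against constructed records without touching WMI. The function names, the use of Get-CimInstance instead of Get-WmiObject, and the exemption list as a variable are my choices. One deliberate difference from the post's script: here a volume only counts as protected when GetProtectionStatus returns 1, whereas the script treats any volume that has a Win32_EncryptableVolume instance as bitlocked.

```powershell
# Added example, not the post's script. Assumptions: Get-CimInstance is available
# (PowerShell 3+), and the caller is elevated when collecting live data.

# Labels the post lets stay unencrypted without failing the rollup.
$ExemptLabels = @('System Reserved', 'BDEDrive')

function Get-BitLockerRollup {
    # $Volumes: records with Label, DriveLetter and ProtectionStatus, where
    # ProtectionStatus is 0/1/2 from Win32_EncryptableVolume.GetProtectionStatus
    # or $null when no Win32_EncryptableVolume instance matched the volume.
    param([Parameter(Mandatory = $true)][object[]]$Volumes)

    # Nothing protected at all: the post's "Not Protected".
    $protected = @($Volumes | Where-Object { $_.ProtectionStatus -eq 1 })
    if ($protected.Count -eq 0) { return 'Not Protected' }

    # Any non-exempt volume that is not protected: "Insufficiently Protected".
    $unprotected = @($Volumes | Where-Object {
        $_.ProtectionStatus -ne 1 -and ($ExemptLabels -notcontains $_.Label)
    })
    if ($unprotected.Count -gt 0) { return 'Insufficiently Protected' }
    return 'Fully Protected'
}

function Get-LocalVolumeRecords {
    # Live collection: fixed disks from Win32_Volume (DriveType 3) joined on drive
    # letter with Win32_EncryptableVolume. The security namespace is only readable
    # from an elevated session, so a non-admin caller gets $null status everywhere
    # and the rollup reports "Not Protected" rather than silently passing.
    $statusByLetter = @{}
    $bde = Get-CimInstance -Namespace 'root\CIMv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($vol in @($bde)) {
        if ($null -eq $vol -or -not $vol.DriveLetter) { continue }
        $result = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
        $statusByLetter[$vol.DriveLetter] = [int]$result.ProtectionStatus
    }

    Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveType -eq 3 } | ForEach-Object {
        $status = $null
        if ($_.DriveLetter -and $statusByLetter.ContainsKey($_.DriveLetter)) {
            $status = $statusByLetter[$_.DriveLetter]
        }
        [pscustomobject]@{
            Label            = $_.Label
            DriveLetter      = $_.DriveLetter
            ProtectionStatus = $status
        }
    }
}

# Constructed sample: the two-volume layout from the post's debug output, but with
# the OS volume protected and the System Reserved volume left unencrypted (exempt).
$sample = @(
    [pscustomobject]@{ Label = 'System Reserved'; DriveLetter = $null; ProtectionStatus = $null }
    [pscustomobject]@{ Label = '';                DriveLetter = 'C:';  ProtectionStatus = 1 }
)
Get-BitLockerRollup -Volumes $sample

# Add an unencrypted, non-exempt data volume so the rollup has to flag it.
$sample += [pscustomobject]@{ Label = 'Data'; DriveLetter = 'D:'; ProtectionStatus = 0 }
Get-BitLockerRollup -Volumes $sample

# On a real machine (elevated session):
# Get-BitLockerRollup -Volumes (Get-LocalVolumeRecords)
```

Keeping the rule in its own function is what makes it testable: the constructed records exercise the exempt-label path, the protected path and the unprotected path without needing a BitLocker-enabled machine, and the live collector only has to produce records of the same shape.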
The Output
By default, the script writes a LANDesk-compatible .dat file to the LANDesk client directory built at the top of the script ($script:gLogFile). If you set $script:gWriteOut to $true, it also echoes what it collects to the console, which looks something like this:
PS U:\hg\winscripts\dev> .\BitLocker-Info.ps1
Volume 0 label: System Reserved
Volume 0 name: \\?\Volume{87148646-0973-11df-9733-806e6f6e6963}\
Volume 0 driveLetter:
Volume 0 fileSystem: NTFS
Volume 0 capacity: 104853504
Volume 0 deviceID: \\?\Volume{87148646-0973-11df-9733-806e6f6e6963}\
Volume 0 serialNumber: 750140681
Volume 0 bootVolume: False
Volume 0 systemVolume: True
Volume 0 BitlockerEnabled: False
Volume 1 label:
Volume 1 name: C:\
Volume 1 driveLetter: C:
Volume 1 fileSystem: NTFS
Volume 1 capacity: 69686259712
Volume 1 deviceID: \\?\Volume{87148647-0973-11df-9733-806e6f6e6963}\
Volume 1 serialNumber: 547212969
Volume 1 bootVolume: True
Volume 1 systemVolume: False
Volume 1 BitlockerEnabled: False
Bitlocker Rollup: Not Protected
References
I used parts of the script at buit.org (the URL is in the reference comment at the top of my script) as the framework, and it deserves due credit.
The Script
#Bitlocker-Info.ps1
#John Puskar, Department of Chemistry, The Ohio State University, 07/23/11
#johnpuskar (gmail)
#build 025
#reference: http://www.buit.org/2010/08/18/howto-bitlocker-status-reporting-in-sccm-2007/

#GLOBAL VARS
$script:gWriteOut = $false   #true = write debug output to screen

#choose log file path (the LANDesk client directory)
$logFileName = "bitlocker.dat"
$progx86 = ${env:ProgramFiles(x86)}
If($progx86 -eq $null -or $progx86 -eq "")
    {$ldClientPath = ${env:ProgramFiles} + "\LANDesk\LDClient\"}
Else
    {$ldClientPath = $progx86 + "\LANDesk\LDClient\"}
$script:gLogFile = $ldClientPath + $logFileName

#Skip if not Vista or higher. BuildNumber comes back from WMI as a string, so cast it
#before comparing; otherwise the comparison is done as text.
$blnSkip = $true
$objOS = Get-WmiObject Win32_OperatingSystem
If([int]$objOS.BuildNumber -ge 6000) {$blnSkip = $false}

#Translate one Win32_EncryptableVolume method result into a readable string
Function Get-BLAttribute($objBDEDrive,$BLAttrib)
{
    $strAttribVal = $null
    Switch($BLAttrib)
    {
        Default {}
        "ProtectionStatus"
        {
            $protectionStatus = ($objBDEDrive.GetProtectionStatus()).ProtectionStatus
            $strProtectionStatus = $null
            Switch ($protectionStatus)
            {
                0 { $strProtectionStatus = "PROTECTION OFF" }
                1 { $strProtectionStatus = "PROTECTION ON" }
                2 { $strProtectionStatus = "PROTECTION UNKNOWN" }
            }
            $strAttribVal = $strProtectionStatus
        }
        "EncryptionMethod"
        {
            $encryptionMethod = ($objBDEDrive.GetEncryptionMethod()).EncryptionMethod
            $strEncryptionMethod = $null
            Switch ($encryptionMethod)
            {
                -1 { $strEncryptionMethod = "The volume has been fully or partially encrypted with an unknown algorithm and key size." }
                0 { $strEncryptionMethod = "The volume is not encrypted." }
                1 { $strEncryptionMethod = "AES 128 WITH DIFFUSER" }
                2 { $strEncryptionMethod = "AES 256 WITH DIFFUSER" }
                3 { $strEncryptionMethod = "AES 128" }
                4 { $strEncryptionMethod = "AES 256" }
            }
            $strAttribVal = $strEncryptionMethod
        }
        "VolumeKeyProtectorID"
        {
            #GetKeyProtectors takes a key protector type (1-8), not a volume index:
            #ask for each type in turn and list the ones the volume actually has.
            $arrKeyProtectorNames = @{
                1 = "Trusted Platform Module (TPM)"
                2 = "External key"
                3 = "Numeric password"
                4 = "TPM And PIN"
                5 = "TPM And Startup Key"
                6 = "TPM And PIN And Startup Key"
                7 = "Public Key"
                8 = "Passphrase"
            }
            $arrKeyProtectorTypes = @()
            For($kpType = 1; $kpType -le 8; $kpType++)
            {
                $VolumeKeyProtectorID = ($objBDEDrive.GetKeyProtectors($kpType)).VolumeKeyProtectorID
                If($VolumeKeyProtectorID -ne $null -and @($VolumeKeyProtectorID).Count -gt 0)
                    {$arrKeyProtectorTypes += $arrKeyProtectorNames[$kpType]}
            }
            If($arrKeyProtectorTypes.Count -eq 0) {$strAttribVal = "None"}
            Else {$strAttribVal = $arrKeyProtectorTypes -join ","}
        }
        "Version"
        {
            $version = ($objBDEDrive.GetVersion()).Version
            $strVersion = $null
            Switch ($version)
            {
                0 { $strVersion = "UNKNOWN" }
                1 { $strVersion = "VISTA" }
                2 { $strVersion = "Windows 7" }
            }
            $strAttribVal = $strVersion
        }
    }
    Return $strAttribVal
}

#Walk every local fixed volume, collect its attributes and BitLocker state, and
#return the LANDesk inventory lines plus the rollup line
Function Get-BLInfo
{
    #Win32_Volume properties to report for every volume
    $arrAttributes = @("label","name","driveLetter","fileSystem","capacity","deviceID","serialNumber","bootVolume","systemVolume")
    #Win32_EncryptableVolume values to report for bitlocked volumes
    $arrBLAttributes = @("ProtectionStatus","EncryptionMethod","VolumeKeyProtectorID","Version")
    $i = 0
    $msgs = @()

    #Is BitLocker protecting anything at all? (this namespace needs an elevated session)
    $blnBitlockerOn = $false
    $arrEncryptedVols = Get-WmiObject Win32_EncryptableVolume -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -ErrorAction SilentlyContinue
    If($arrEncryptedVols -eq $null -or $arrEncryptedVols -eq "")
        {$blnBitlockerOn = $false}
    Else
    {
        $arrEncryptedVols | % { If($_.ProtectionStatus -eq 1) {$blnBitlockerOn = $true} }
    }
    #write-host -f red "DEBUG: bitlocker on: $blnbitlockerOn"

    #1 = every non-exempt volume is bitlocked, 0 = at least one is not
    $intBitlockerRollup = 1

    $arrLocalVolumes = Get-WmiObject Win32_Volume | where-object {$_.DriveType -eq 3}
    $arrLocalVolumes | % {
        $objVolume = $_

        #gather regular info
        $arrAttributes | % {
            $strAttribute = $_
            $strAttribValue = $objVolume.$strAttribute
            #write messages
            $userMsg = "Volume " + $i + " " + $strAttribute + ": " + $strAttribValue
            If($script:gWriteOut -eq $true){Write-Host -f green $userMsg}
            $LANDeskMsg = "Bitlocker Info - Volume" + $i + " - " + $strAttribute + " = " + $strAttribValue
            $msgs += $LANDeskMsg
        }

        #bitlocker enabled?
        $blnVolumeBitlocked = $false
        If($blnBitlockerOn -eq $true)
        {
            #match the encryptable volume to this volume by drive letter
            $objBLVol = $arrEncryptedVols | Where-Object {$_.DriveLetter -eq $objVolume.driveLetter}
            If($objBLVol -eq $null)
            {
                $blnVolumeBitlocked = $false
                #write messages
                $userMsg = "Volume " + $i + " BitlockerEnabled: False"
                If($script:gWriteOut -eq $true){Write-Host -f green $userMsg}
                $LANDeskMsg = "Bitlocker Info - Volume" + $i + " - BitlockerEnabled = False"
                $msgs += $LANDeskMsg
            }
            Else
            {
                $blnVolumeBitlocked = $true
                $arrBLAttributes | % {
                    $strBLAttribute = $_
                    $strBLAttributeVal = Get-BLAttribute $objBLVol $strBLAttribute
                    #write messages (the BitLocker attribute and value, not the last Win32_Volume one)
                    $userMsg = "Volume " + $i + " " + $strBLAttribute + ": " + $strBLAttributeVal
                    If($script:gWriteOut -eq $true){Write-Host -f green $userMsg}
                    $LANDeskMsg = "Bitlocker Info - Volume" + $i + " - BL_" + $strBLAttribute + " = " + $strBLAttributeVal
                    $msgs += $LANDeskMsg
                }
            }
            #an unencrypted volume only hurts the rollup if it is not one of the exempt labels
            If($blnVolumeBitlocked -ne $true -and `
               $objVolume.Label -ne "BDEDrive" -and `
               $objVolume.Label -ne "System Reserved" -and `
               $intBitlockerRollup -ne 0)
                {$intBitlockerRollup = 0}
        }
        Else
        {
            #write messages
            $userMsg = "Volume " + $i + " BitlockerEnabled: False"
            If($script:gWriteOut -eq $true){Write-Host -f green $userMsg}
            $LANDeskMsg = "Bitlocker Info - Volume" + $i + " - BitlockerEnabled = False"
            $msgs += $LANDeskMsg
            $intBitlockerRollup = 0
        }
        $i++
    }

    #rollup value
    $strBLRollup = ""
    If($blnBitlockerOn -eq $true)
    {
        If($intBitlockerRollup -eq 0) {$strBLRollup = "Insufficiently Protected"}
        Else {$strBLRollup = "Fully Protected"}
    }
    Else {$strBLRollup = "Not Protected"}
    #write messages
    $userMsg = "Bitlocker Rollup: " + $strBLRollup
    If($script:gWriteOut -eq $true){Write-Host -f green $userMsg}
    $LANDeskMsg = "Bitlocker Info - Bitlocker Rollup = " + $strBLRollup
    $msgs += $LANDeskMsg

    Return $msgs
}

#Get bitlocker info (main)
$msgs = $null
If($blnSkip -eq $false)
{
    $msgs = Get-BLInfo
}
Else
{
    If($script:gWriteOut -eq $true){Write-Host -f yellow "Bitlocker is not available on this Operating System."}
    $msgs += "Bitlocker Info - Bitlocker Rollup = NA"
}

#compile messages (a single line comes back as a string, so force an array)
If(($msgs -is [array]) -eq $false) {[array]$msgs = @($msgs)}

#write output: replace the .dat file so LANDesk never reads a stale half-written one
If((Test-Path $script:gLogFile) -eq $true) {Remove-Item $script:gLogFile -Force | Out-Null}
New-Item -ItemType file $script:gLogFile | Out-Null
$msgs | % {
    $msg = $_
    If($script:gWriteOut -eq $true){Write-Host -f yellow $msg}
    Add-Content $script:gLogFile $msg
}
I’m trying to use a WMI Query within BGinfo.exe to get the bitlocker protection status of the systems boot drive with the result displayed on the users background wallpaper. My WMI Query currently looks like this:
select “ProtectionStatus from Win32_EncryptableVolume” of wmi “root\CIMv2\Security\MicrosoftVolumeEncryption” whose (string value of property “DriveLetter” of it = “C:”)
However it comes back with “(Query failed)”. Any ideas?
(Unfortunately standard users don't have privileges to run VBScripts, otherwise a GetProtectionStatus vbs would work well.)
I have no idea, sorry. :(. I don’t lock down .vbs for our users. Most of my login scripts are vbs, so this would actually break a lot in my environment. Best of luck though, and feel free to post the answer if you get it!
Hey will this post the recovery key for bitlocker?!
Thank you!
"root\CIMv2\Security\MicrosoftVolumeEncryption" requires admin elevation to access, so this won't work for average users either 😦