Inventory BitLocker Encryption Status of Drives and Computers using custom inventory

8.x

Custom inventory can be used to detect the encryption status of each drive on a computer by querying WMI. The Custom Inventory script presented here was adapted from a forum discussion,  Bitlocker Information from Altiris 7.x. In addition, this article presents a custom report that displays the custom inventory data and shows which computers and drives are encrypted. Please note that Symantec Support does not support custom scripting or reporting so modifications to the script and report must be made by the user.

1. Create a new custom Data Class that will store the BitLocker encryption status for each drive.
   Figure 1. Configuration for the Custom Data Class and its Attributes.
    
   1. Go to Settings > All Settings then Settings > Discovery and Inventory > Inventory Solution > Manage Custom Data Classes.
   2. Click New data class.
   3. Name the Data Class "BitLocker Status" and click OK.
   4. Click Add attribute.
   5. Name the Attribute "Drive", set Key to "No", and click OK.
   6. Add five more attributes the same way, naming them in this order: EncryptionMethod, ProtectionStatus, ConversionStatus, EncryptionPercentage, LockStatus.
   7. Enable Allow multiple rows from a single computer resource, then click Save changes. The final dataclass should look like figure 1.
   8. Then click the icon to open the Data Class Details and copy the GUID a notepad. See figure 1.1 below.
      
   9. Figure 1.1 Retrieve GUID of the Customer Data Class
2. Create a Custom Inventory Script Task.
   
   Figure 2. Create a new Run Script task and then configure it to run the Custom Inventory. 
   1. Go to Manage > Jobs and Tasks.
   2. Browse the folder drop-down menu to where you would like to add a custom inventory script task.
   3. Right Click on the folder, then select New > Task.
   4. Select the Run Script task.
   5. Name the task appropriately.
   6. Select Script type: VBScript.
   7. Download and edit the Custom Bitlocker Inventory.vbs file attached to this document.
   8. Copy and paste the entire vbscript below into the large text box of the script task.

       

      On Error Resume Next

      'Call WMI for encryption information
      strComputer = "."
      Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
      Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume",,48)
       
      Dim arEncryptionMethod
      Dim arProtectionStatus
      Dim arConversionStatus
      Dim arLockStatus

      arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256")
      arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")
      arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")
      arLockStatus = Array("Unlocked", "Locked")
       
      '=====================================================================
      'Create instance of Altiris NSE component
      dim nse
      set nse = WScript.CreateObject ("Altiris.AeXNSEvent")
       
      ' Set the header data of the NSE
      ' This GUID for the NS is the same for all versions of Altiris 
      nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
      nse.Priority = 1
       
      'myDataClass = "BitLocker_Status"
      'If the above name doesn't work use the line below and replace the guid with
      'the guid shown in the properties of the custom data class created on the server.
      myDataClass = "{Copy the GUID in Step 1.h here, leave the curly brackets and quotes}"
       
      'Create Inventory data block.
      dim objDCInstance
      set objDCInstance = nse.AddDataClass (myDataClass)
       
      dim objDataClass
      set objDataClass = nse.AddDataBlock (objDCInstance)
       
      'Populate the NSE file with desired data
      For Each objItem in colItems
      'Add a new row for each drive on the computer
      Dim objDataRow
      set objDataRow = objDataClass.AddRow
        
      Dim EncryptionMethod
      Dim ProtectionStatus
      Dim ConversionStatus
      Dim EncryptionPercentage
      Dim VolumeKeyProtectorID
      Dim LockStatus
        
      objItem.GetEncryptionMethod EncryptionMethod
      objItem.GetProtectionStatus ProtectionStatus
      objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
      objItem.GetKeyProtectors 0,VolumeKeyProtectorID
      objItem.GetLockStatus LockStatus

      objDataRow.SetField 0, objItem.DriveLetter
      objDataRow.SetField 1, arEncryptionMethod(EncryptionMethod)
      If arProtectionStatus(ProtectionStatus) = "Protection On" then
      objDataRow.SetField 2, "1"
      ElseIf arProtectionStatus(ProtectionStatus) = "Protection Off" then
      objDataRow.SetField 2, "0"
      End If
      objDataRow.SetField 3, arConversionStatus(ConversionStatus)
      objDataRow.SetField 4, arEncryptionPercentage(EncryptionPercentage)
      objDataRow.SetField 5, arLockStatus(LockStatus)
        
      Next
       
      'send the NSE file
      nse.Send

      
       
   9. Check that the script task configuration looks like figure 2 and then click OK.
       
3. Run the Custom Inventory Script task on computers that should be encrypted with BitLocker.
   1. Click on New Schedule, choose Now or specify a scheduled time and repeat interval.
   2. Specify target computers to run the task on.
   • To target a single computer click in the Quick add: box and search for the name of the computer, or use the Quick Run feature instead of New Schedule. 
   • To target a list of computers click on Add > Computers or Devices then manually select the desired computers and click > and OK. 
   • To target a computer filter (such as All Computers) click on Add > Target, click Add rule, choose exclude computers not in, and search the name of the filter in the final drop-down box. then click OK.
4. Create a Custom Report to view the data collected by the Custom Inventory
   1. Go to Reports > All Reports.
   2. Browse to a folder where you would like to add the custom report and Right Click on the folder.
   3. Select New > Report > SQL Report.
   4. Give the Report an appropriate name and then replace the text under Parameterized Query with the following query:
      
      select vComputer.Name, BLS.Drive, BLS.ProtectionStatus, Inv_SW_BIOS_Element.[Version] [BIOS Version] from Inv_BitLocker_Status BLS
      left join vComputer on vComputer.Guid = BLS._ResourceGuid
      left join Inv_SW_BIOS_Element on Inv_SW_BIOS_Element._ResourceGuid = BLS._ResourceGuid 
      
       
   5. Click Save Changes and then view the collected data for each computer and its drives. The results should look like figure 3.

Figure 3. Custom report results show a 1 for each encrypted drive and a 0 for not-encrypted drives. If the drive shows 'NULL' then Bitlocker has not been installed on that computer and thus the WMI query returned no data. Also, the BIOS version is listed for each computer, which is collected separately by software inventory.