Bitlocker Enabled 1.0.0

   (4 reviews)

About This File

This role definition detects when Bitlocker is enabled on a machine.

To import these Role Definitions, in the ConnectWise Automate main screen, go to Tools > Import then choose SQL File. Browse to the relevant file, and OK the message about inserting one row.

  • Like 2
  • Thanks 8

User Feedback

Recommended Comments



Gavsto,

 

At the risk of sounding completely ignorant here, how do we *use* this?  We have a need right now that it sounds like your add-on here will fit the bill perfectly, and I just installed it, and reloaded the system cache.  So far though, I do not see anywhere that this new information could be viewed.  Does it show up under the information on an individual agent, as detected roles?  Does it show up as an EDF value (or can we create an EDF that pulls this data?)

 

Thanks in advance,

Michael

  • Like 1
Link to comment

It should show as a detected role. Updates to Roles should cause the LTShare\Transfer\configs.gz file to be updated. If the timestamp for that file is not current, then remote agents won’t know about the role. To tell them about the role, issue a “Config Update” command. (Probably not needed over 48 hours later) To have updated role information sent back, issue the “System Information” Inventory Update command. And since the role would only be seen for a matching agent, make sure you are checking a system that should have the role. 

Once the role is detected, you can reference it in a search and you can check for it in a script. 

Link to comment

How would you do this? "Once the role is detected, you can reference it in a search and you can check for it in a script. "

 

Link to comment

Two things --

First, mrmmbels, you can identify it by 'roles'.  For example, under advanced search, you would use computer.extra data field.computer role.bitlockerenabled is (true or false).

Second - Has anyone seen issues with this not properly detecting on the agent itself, since the v12 update?  We were running about 95% accuracy with this, but after the update, we're probably around 60%.  Techs are getting tired of checking on machines that have already been updated with Bitlocker, and asking me to fix it.

Thanks!

Link to comment

Just go to the Dashboard and navigate to Config>Configurations>Role Definitions

Now click on the Bitlocker Enabled one, and go to the "Detection" field.

Add " C:" after "-status" such that it is now "-status c:"

You'll now see the results from the C drives only, if that's what you're interested in. Or not. Maybe I'm wrong.

Link to comment

My boss had asked me to find laptops that do not have bitlocker enabled. I stumbled across this and seems like it would be useful but I'm not understanding how it is supposed to work. I checked under advanced search > computer > extra data field > computer role and I do not see the bit locker option. I can confirm via SQL that the file successfully imported. I feel like I'm missing a step. Any advice?

Link to comment

@fguiliano, any chance you're at Automation Nation right now?  If so, I can show you - should take like 5 minutes or so.  If not, I can try to answer later this afternoon - unless someone else can help out sooner!

Link to comment

Edited 12/6/19, added detail to the pictures.

@fguiliano, sorry for the delay in answering here.

OK, if memory serves...  This basically just adds a role check into your automated role checks.  

You need to-

  1. Create an EDF checkbox, and set the default value to UNchecked.
  2. Create a "status check" script, that will change the EDF value to checked or unchecked, depending on whether the ROLE is detected...
  3. Schedule this script to run on a GROUP.

NOTE:  A search based on this EDF,  can only be as accurate as the last times 

  1. Inventory cycle was run on the agent template (you could either make inventory more frequent on agent template, OR you could add another script to your group to run more often, that just does a 'resend everything' on the group.  I found that I had to use resend Everything, to capture this role detection.)
  2. Your status check script last ran  (if you plan to make changes, and then check up on those changes frequently, be sure to schedule this to run often.)

Once you install this package, the "role" detection is baked in, but pretty invisible.  I used this process to 'bring it to the front' where you could actually make use of it.  You can search for an EDF value, but it didn't show up as a role for me, under searches.

Pictures attached - ask away if you have any questions.  Excuse my mad artistic skills... 

In your System Dashboard-

Go to Config, Additional Field Defaults, Computers, Computer Role;

Here, you should see the new EDF, for BitlockerEnabled, as a yes/no, 1/0 valued checkbox.  (You should also be able to view the status on any given machine, by opening the machine's view, and going to the Automation, EDF, Computer Roles window.)

Bitlocker-EDFDashboard.JPG

Create yourself a SCRIPT, that looks like this.  What you see here is-

If ROLE DETECTED, "Bitlocker Enabled", then-

Set EDF "BitlockerEnabled", to = 1 (yes/checked box)

In the ELSE field on the bottom of the script, do the opposite, setting the EDF checkbox to = 0, or 'unchecked'.

Bitlocker-StatusCheckScript.JPG

Now, build yourself an Advanced Search, that you can use with GROUPS as an autojoin search.

Search for the details shown below - ROLE is true, Client name (if that matters to you, did to me,) and whether or not it's a Server (depending on your needs here.)

The search example below, was for a specific client, that only wanted to know about workstations.

BitlockerSearch.JPG

Once you have the Search built, you can:

Manually run the search, and export to Excel, or-

Create a GROUP, and use this as an autojoin script, then-

Run any other commands or scripts against the entire group

Edited by mr.wallstrom
  • Thanks 1
Link to comment

I imported this, and I also have a script that I believe I got from Gavsto too, which collects the Bitlocker data and records the keys and such.... However, it's not finishing. It's been sitting in the scripts queue "Running" now for 15 hours. Not sure what to do with it. 

Link to comment

1 hour ago, Griznuq said:
 

I imported this, and I also have a script that I believe I got from Gavsto too, which collects the Bitlocker data and records the keys and such.... However, it's not finishing. It's been sitting in the scripts queue "Running" now for 15 hours. Not sure what to do with it. 

You know what, I restarted the server, everything is working like a Swiss clock. Thanks again!

  • Like 1
Link to comment

Sounds like you have an issue with the other script, probably not this here.  I'd suggest ignoring that other script for a bit, and make sure you setup the steps in my earlier comment.  That at least gives you a way to test whether the bitlocker role detection is working, before you add another layer of complexity (that other script.)

Link to comment

Does anyone have a novice guide to set this up? I've run the SQL to add the role but I can't get anything to show or get anything to work. I'm just trying to automate the way we validate bitlocker encryption checks. 

Thank you 

Link to comment

I could use a guide too.  How is this not a built in part of Automate by now.  It seems like a pretty basic metric to test / check for.  

Link to comment

I was able to get the role to be recognized and was able to create the checkbox EDF. What I'm wanting to do is if the PC does not have bitlocker enabled put them all in a "NOT Bitlocker Enabled" group so that they can be identified and dealt with if need be. 

Link to comment

That's excellent Brian.  It sounds like you are 90% of the way there.  Would you mind confirming for me which of the various methods of checking for BitLocker you went with?  I've seen many different approaches to it (with mixed results) that I'm honestly not quite sure where to start.  

 

I think you should just need to create an auto-join search Group now to collect your 'not enabled' nodes.  While we are on it... how are you handling Encryption for Win 7 Pro clients?  Most of ours are just holding off because we use Sophos Managed BitLocker (love it), but it won't touch 7 Pro. We are still debating finding an alternate solution for those clients.

Link to comment

Hi

I have some machines that got the role but now say detected false.  Running manage-bde on the machines shows that Bitlocker is installed and working correctly.  Any thoughts?

 

I also wonder if we have two disks and one is protected and one is not how will it behave?

thanks

Link to comment

On 11/29/2018 at 2:14 PM, Richie111 said:

I have some machines that got the role but now say detected false.  Running manage-bde on the machines shows that Bitlocker is installed and working correctly.  Any thoughts?

One thing that comes to my mind is that the way the role works, it is looking for volumes where protection is active. If you have bypassed Bitlocker for 1 or more reboots (manage-bde -protectors -disable C:) then the role will NOT report that BitLocker is enabled even though it is present and the volume is fully encrypted.

Link to comment

I figured that would be an issue but in the test case I found there were two volumes and they both were enabled.  Where would logging be of when the manage-bde ran from the role detection?

Link to comment

8 minutes ago, Richie111 said:

I figured that would be an issue but in the test case I found there were two volumes and they both were enabled.  Where would logging be of when the manage-bde ran from the role detection?

Role Detection is performed during the System Info inventory. Its process is logged only in LTErrors.txt, but only if you increase the debugging level. If you increase it to maximum it can overwrite and rotate within seconds so it can be challenging to get what you want from it. You might try grabbing the command from the role definition and running it yourself to see what it is outputting, and see if you can discover why it is not being detected in your case.

Link to comment
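
To check by hand what the posts above describe (the role looks for volumes where protection is active, while a volume with suspended protectors is still fully encrypted), this added PowerShell example parses `manage-bde -status` text into one row per volume; it is not part of the original thread or of the role definition. The function name, the sample text and the English-locale field labels are assumptions.

```powershell
# Constructed sample of English-locale `manage-bde -status` output (not from a real machine).
# C: is fully encrypted with protection suspended; D: was never encrypted.
$sample = @'
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
'@

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string]$Text)
    # Cut the text before every "Volume X:" header; anything ahead of the first header is banner text.
    $sections = [regex]::Split($Text, '(?m)^(?=Volume\s+\S+:)') | Where-Object { $_ -match '^Volume\s' }
    foreach ($section in $sections) {
        # Collect the indented "Name: value" lines of this volume into a lookup table.
        $field = @{}
        foreach ($m in [regex]::Matches($section, '(?m)^[ \t]+([A-Za-z ]+?):[ \t]+(.*?)[ \t\r]*$')) {
            $field[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        $encrypted = $field['Conversion Status'] -eq 'Fully Encrypted'
        # -like tolerates trailing text after the status, such as a remaining-reboots note.
        $active    = $field['Protection Status'] -like 'Protection On*'
        [pscustomobject]@{
            Volume           = [regex]::Match($section, '^Volume\s+(\S+:)').Groups[1].Value
            ConversionStatus = $field['Conversion Status']
            ProtectionStatus = $field['Protection Status']
            ProtectionActive = $active                       # what the thread says the role keys on
            Suspended        = $encrypted -and -not $active  # encrypted on disk, protectors disabled
        }
    }
}

$volumes = ConvertFrom-ManageBdeStatus -Text $sample
$volumes | Format-Table -AutoSize
# One verdict per machine hides mixed states, so report both readings.
"Any volume protected:  {0}" -f ([bool]($volumes | Where-Object ProtectionActive))
"All volumes protected: {0}" -f (-not ($volumes | Where-Object { -not $_.ProtectionActive }))
# Live use from an elevated prompt: ConvertFrom-ManageBdeStatus -Text ((manage-bde -status) -join "`n")
```

A row with `Suspended` set to True is the case where the disk is encrypted but the role would not report BitLocker as enabled; comparing the two machine-level lines shows whether a multi-volume machine is in a mixed state.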

I opened a ticket and while working with them we discovered that sometimes when the manage-bde command runs in the command window as system it gets an out of storage error, obviously not always as most are detected correctly.  Running it as admin, or having the labtech service run as admin resolves the issue.  They opened a bug report based on the fact it happens in the command window.

Link to comment

Thanks I finally got this working properly.

For future reference: In the searches it's located under Labtech -> Roles -> Bitlocker Enabled.

Link to comment

On 6/28/2018 at 1:38 PM, mr.wallstrom said:

@fguiliano, sorry for the delay in answering here.

OK, if memory serves...  This basically just adds a role check into your automated role checks.  

You need to-

  1. Create an EDF checkbox, and set the default value to UNchecked.
  2. Create a "status check" script, that will change the EDF value to checked or unchecked, depending on whether the ROLE is detected...
  3. Schedule this script to run on a GROUP.

NOTE:  A search based on this EDF,  can only be as accurate as the last times 

  1. Inventory cycle was run on the agent template (you could either make inventory more frequent on agent template, OR you could add another script to your group to run more often, that just does a 'resend everything' on the group.  I found that I had to use resend Everything, to capture this role detection.)
  2. Your status check script last ran  (if you plan to make changes, and then check up on those changes frequently, be sure to schedule this to run often.)

Once you install this package, the "role" detection is baked in, but pretty invisible.  I used this process to 'bring it to the front' where you could actually make use of it.  You can search for an EDF value, but it didn't show up as a role for me, under searches.

Pictures attached - ask away if you have any questions.  Excuse my mad artistic skills... 

Bitlocker-EDFDashboard.JPG

Bitlocker-StatusCheckScript.JPG

BitlockerSearch.JPG

I know this is an older post but I could really use some assistance understanding all of this information.  I'm not a scripting person in the least so this is tough on me currently.  Our Automate guy left and I have been tasked to figure out these items.  I am trying to get a script together to run a check to see which systems have Bitlocker enabled and which have not.  You have gotten me far with this post and others and any more assistance would be fantastic.  Thanks in advance.

Link to comment

On 3/26/2019 at 3:50 PM, Scott Maddock said:

 

I was able to get this all setup, but the role isn't being detected on any agent after resending inventory - CW support won't help. Any advice is appreciated - thank you.

 

Link to comment

