Bitlocker deployment and reporting.

… the Altiris way; however, the concept is pretty much the same for any other CMS. I'm currently working on such a project, so I decided to write the entire process down here in my notepad (who knows, maybe there's someone out there in the intertubes sitting and scratching their head, wondering where to start with Altiris BitLocker deployment?).

First things first, what do we need ?

1. Our machines need a TPM chip, because the plan is to enable and activate it with a simple script and then take ownership of it by securing it with an owner password. That is what lets us start encryption.
I am aware there are ways to enable BitLocker without a TPM, but that's not the case here. If you want to find out more about it, google it.

2. You need a GPO configured for BitLocker and applied to the computers before doing any of the tasks below. In particular, have the setting that saves BitLocker recovery information to AD DS in place: the recovery password is created in step 3, and that is the moment Windows escrows it.

3. Once the GPO is configured and applied, run the following command sequence on the destination computers:

–  manage-bde.exe -tpm -turnon – enables and activates the TPM chip

Reboot – the PC must be restarted, and the user confirms the configuration change by pressing F1 at boot (this is the firmware's physical-presence check; it cannot be scripted away).

– manage-bde -tpm -o yourtpmpasswordhere – takes TPM ownership with the given owner password

– manage-bde -on c: -rp -em aes256 – turns BitLocker on for C: with a numerical recovery password protector and AES-256. The 48-digit recovery password is printed to the console exactly once, so the GPO from step 2 must already escrow it to AD DS when this runs; otherwise that console output is the only copy.

4. Now, as a side note, what's the easiest way to check that the first command worked and the TPM is enabled and activated (assuming you want to check this remotely)? Use WMI. You can do so from the interactive wmic console, or from a command prompt by putting wmic.exe in front of the query (add /node:<computername> to query a remote machine). Note that the *_InitialValue properties report the state at the last boot, so check after the reboot and F1 confirmation, not straight after -turnon.

– To check if the TPM is enabled: wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue

– To check if the TPM is activated: wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue

5. Create Software Packages with simple .bat scripts that execute the commands above. The packages must be sequenced in the Managed Software Delivery policy in exactly the order listed in step 3.

TPM enable and activate – this package also creates a "Bitlocker" folder under System32 and the .txt marker files you can use for detection rules. If you prefer something fancier, you can play with VBS detection rules, but honestly there's no need.

rem Marker folder for the detection rules; a marker is written only if manage-bde succeeded
md "%SystemRoot%\System32\Bitlocker" 2>nul
manage-bde.exe -tpm -turnon
if %errorlevel% equ 0 echo.>"%SystemRoot%\System32\Bitlocker\TPMenabled.txt"

REBOOT! – You must reboot the PC at this point and get the user to press F1 at the firmware prompt!

rem Take TPM ownership. The owner password sits in this package in plain text, so restrict who can read the package share.
manage-bde -tpm -o yourpasswordhere
if %errorlevel% equ 0 echo.>"%SystemRoot%\System32\Bitlocker\TPMownershipset.txt"
rem Encrypt C: with a numerical recovery password protector and AES-256
manage-bde -on c: -rp -em aes256
if %errorlevel% equ 0 echo.>"%SystemRoot%\System32\Bitlocker\encryptionstarted.txt"

A BitLocker notification pop-up will then appear on the user's screen.
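Added example, not one of the author's packages: steps 3 to 5 as a single PowerShell script that a delivery policy can re-run safely. It reads the same Win32_Tpm properties the wmic checks use, skips steps that are already done, writes a marker file only when manage-bde exited with 0, and ends the -turnon step with a reboot-required exit code so the policy reboots before the next run. The marker folder, the convention that exit code 3010 means "reboot required" to the delivery tool, and the owner password arriving as a parameter instead of being hard-coded are assumptions; the manage-bde switches are the ones the post uses, in long form. Run it from 64-bit PowerShell on x64 systems, since System32 is redirected for 32-bit processes.

```powershell
# Added example: steps 3-5 of the post as one re-runnable script.
# Assumptions: marker folder path, exit code 3010 = "reboot required" for the delivery
# tool, and the TPM owner password is passed in rather than stored in the package.
param(
    [string]$Volume = 'C:',
    [string]$MarkerDir = "$env:SystemRoot\System32\Bitlocker",
    [string]$TpmOwnerPassword = ''
)

function Get-TpmState {
    # Same Win32_Tpm class and *_InitialValue properties the post checks with wmic.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return $null }    # no TPM, or no TPM WMI provider
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled_InitialValue
        Activated = [bool]$tpm.IsActivated_InitialValue
        Owned     = [bool]$tpm.IsOwned_InitialValue
    }
}

function Invoke-ManageBde {
    # Runs manage-bde.exe with the given arguments; $true only when its exit code is 0.
    # Console output is kept in $script:LastManageBdeOutput for the error messages below.
    param([string[]]$Arguments)
    $script:LastManageBdeOutput = & "$env:SystemRoot\System32\manage-bde.exe" @Arguments 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Set-Marker {
    # Marker file for the detection rule, written only after the step succeeded.
    param([string]$Name)
    if (-not (Test-Path -LiteralPath $MarkerDir)) { New-Item -ItemType Directory -Path $MarkerDir | Out-Null }
    New-Item -ItemType File -Path (Join-Path $MarkerDir $Name) -Force | Out-Null
}

$tpm = Get-TpmState
if ($null -eq $tpm) { Write-Error 'No TPM found; this deployment path requires one.'; exit 1 }

if (-not ($tpm.Enabled -and $tpm.Activated)) {
    # Enable and activate. The firmware asks the user to confirm (F1) on the next boot,
    # and the *_InitialValue properties only change after that reboot.
    if (-not (Invoke-ManageBde @('-tpm', '-turnon'))) {
        Write-Error "manage-bde -tpm -turnon failed: $script:LastManageBdeOutput"; exit 1
    }
    Set-Marker 'TPMenabled.txt'
    exit 3010
}

if (-not $tpm.Owned) {
    # Take ownership; only possible once the TPM is enabled and activated.
    if ([string]::IsNullOrEmpty($TpmOwnerPassword)) { Write-Error 'TPM owner password not supplied.'; exit 1 }
    if (-not (Invoke-ManageBde @('-tpm', '-takeownership', $TpmOwnerPassword))) {
        Write-Error "manage-bde -tpm -takeownership failed: $script:LastManageBdeOutput"; exit 1
    }
    Set-Marker 'TPMownershipset.txt'
}

# Encrypt, unless the volume is already encrypted or converting (re-run safety).
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
if ($vol -and $vol.GetConversionStatus().ConversionStatus -ne 0) {   # 0 = FullyDecrypted
    Write-Output "$Volume is already encrypted or converting; nothing to do."
    exit 0
}
# -recoverypassword (-rp) creates the numerical recovery password protector and prints the
# 48 digits to the console; with the AD DS backup policy applied, Windows escrows it here.
if (-not (Invoke-ManageBde @('-on', $Volume, '-recoverypassword', '-encryptionmethod', 'aes256'))) {
    Write-Error "manage-bde -on $Volume failed: $script:LastManageBdeOutput"; exit 1
}
Set-Marker 'encryptionstarted.txt'
exit 0
```

Because every step is gated on the state read from WMI, the same script can be the payload of a single policy that runs before and after the reboot, and a machine that was already encrypted by hand exits cleanly instead of failing on manage-bde -on.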

6. Reporting:

6.1 – Creating Custom Data Classes in Altiris.

Altiris Console: Settings\All settings\Discovery and Inventory\Inventory Solution\Manage Custom Data Classes

Add new Data Classes:
Expanded Bitlocker Status – encryption status per volume: encryption method, protection status, conversion status, percentage encrypted and lock status.
Bitlocker Recovery Info – the drive letter and the protector detail the recovery script extracts (the author's recovery ID). Treat this class as sensitive: the manage-bde output it is taken from also contains the 48-digit recovery password.
TPM Status – TPM status (enabled, activated, owned) and manufacturer/spec details.

Add the attributes for each class. The attribute order must match the SetField 0, 1, 2, … order in the corresponding inventory script in 6.2: for Expanded Bitlocker Status that is Device ID, Drive Letter, Encryption Method, Protection Status, Conversion Status, Encryption Percentage and Lock Status; for Bitlocker Recovery Info, Drive Letter and the recovery line; for TPM Status, the Win32_Tpm properties in the order the script sets them.


6.2 Create Custom Tasks:

Altiris Console: \Manage\Jobs / Tasks\Samples\Discovery and Inventory\Inventory Samples\Custom

Clone Custom Inventory – Processor and create the following:

Custom Inventory – Bitlocker Status

Script type: VBScript – copy and paste the script below, then Save changes

NOTE: Altiris 7.6 prefers the data class name to the GUID that previous Altiris versions used, so use the data class name in the script!

' Custom Inventory - Bitlocker Status
' Reads every Win32_EncryptableVolume instance and posts one row per volume to the
' Notification Server with the Altiris NSE component. Cloned from the "Processor" sample,
' so only the data class name and the fields differ from it.
'===================================================================================================================
' On Error Resume Next

' Connect to the BitLocker WMI namespace on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMv2\Security\MicrosoftVolumeEncryption")

' All encryptable volumes; use the WHERE variant if you only want the OS drive
Set objCIMObj = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume", , 48)
'Set objCIMObj = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:'")

'===================================================================================================================

' Create instance of Altiris NSE component
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")

' Header data of the NSE. The "To" GUID is the inventory capture item; please don't modify it
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

' Inventory data block; the data class must already exist on the server under this name
Dim objDCInstance
Set objDCInstance = nse.AddDataClass("Expanded Bitlocker Status")

Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

' Lookup tables for the numeric codes returned by Win32_EncryptableVolume.
' Indices 5-7 of the encryption method table are only returned by Windows 8 and later.
Dim arEncryptionMethod
arEncryptionMethod = Array("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256", _
                           "Hardware Encryption", "XTS-AES 128", "XTS-AES 256")
Dim arProtectionStatus
arProtectionStatus = Array("Protection Off", "Protection On", "Protection Unknown")
Dim arConversionStatus
arConversionStatus = Array("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused")
Dim arLockStatus
arLockStatus = Array("Unlocked", "Locked")

' Label for a status code, or the raw code if it is outside the table (newer OS versions)
Function Describe(arLabels, intCode)
    If intCode >= 0 And intCode <= UBound(arLabels) Then
        Describe = arLabels(intCode)
    Else
        Describe = "Unknown (" & intCode & ")"
    End If
End Function

Dim EncryptionMethod, ProtectionStatus, ConversionStatus, LockStatus
Dim EncryptionPercentage ' percentage of the volume that is encrypted
Dim objDataRow

For Each objItem In objCIMObj
    ' Each method returns its status through the out parameter
    objItem.GetEncryptionMethod EncryptionMethod
    objItem.GetProtectionStatus ProtectionStatus
    objItem.GetConversionStatus ConversionStatus, EncryptionPercentage
    objItem.GetLockStatus LockStatus

    ' One row per volume; the field order must match the attributes of the data class
    Set objDataRow = objDataClass.AddRow
    objDataRow.SetField 0, objItem.DeviceID
    objDataRow.SetField 1, objItem.DriveLetter
    objDataRow.SetField 2, Describe(arEncryptionMethod, EncryptionMethod)
    objDataRow.SetField 3, Describe(arProtectionStatus, ProtectionStatus)
    objDataRow.SetField 4, Describe(arConversionStatus, ConversionStatus)
    objDataRow.SetField 5, EncryptionPercentage & "%"
    objDataRow.SetField 6, Describe(arLockStatus, LockStatus)
Next

nse.SendQueued

– Custom Inventory – Bitlocker Recovery Info

Script type: VBScript – copy and paste the script below

' Custom Inventory - Bitlocker Recovery Info
' For every encryptable volume, runs manage-bde -protectors -get and captures its output
' in memory (no temporary file, so the recovery password is never written to disk by this
' script), then posts the drive letter and the last non-empty line of the output.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMv2\Security\MicrosoftVolumeEncryption")

Set objCIMObj = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume", , 48)
'Set objCIMObj = objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:'")

Set oShell = WScript.CreateObject("WScript.Shell")

Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

Dim objDCInstance
Set objDCInstance = nse.AddDataClass("Bitlocker Recovery Info")

Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

Dim objDataRow
For Each objItem In objCIMObj
    ' Volumes without a drive letter cannot be addressed by manage-bde this way
    If Not IsNull(objItem.DriveLetter) Then
        ' The output lists every protector of the volume, including the 48-digit numerical
        ' password itself, so treat everything derived from it as sensitive.
        Set oExec = oShell.Exec("manage-bde -protectors -get " & objItem.DriveLetter)

        strLine = ""
        Do Until oExec.StdOut.AtEndOfStream
            strNextLine = Trim(oExec.StdOut.ReadLine)
            If Len(strNextLine) > 0 Then strLine = strNextLine
        Loop
        ' strLine is the last non-empty line of the output; which protector detail that is
        ' depends on the order manage-bde prints the protectors in.

        Set objDataRow = objDataClass.AddRow
        objDataRow.SetField 0, objItem.DriveLetter
        objDataRow.SetField 1, strLine
    End If
Next

nse.SendQueued
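Added example (not the author's script): parsing the whole output of manage-bde -protectors -get instead of keeping its last non-empty line. The sample text is constructed here to look like Windows 7 manage-bde output, with made-up GUIDs and digits. ConvertFrom-ManageBdeProtectors returns one object per key protector, and Test-RecoveryPassword applies the real format rule for BitLocker recovery passwords (eight 6-digit groups, each a multiple of 11 and below 720896). Only the protector ID is selected for the inventory row; the password itself stays out of the data class.

```powershell
# Added example: parse manage-bde -protectors -get output into objects instead of
# scraping its last line. $SampleOutput is constructed; GUIDs and digits are made up.
$SampleOutput = @"
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
All Key Protectors

    TPM:
      ID: {2E7F1234-ABCD-4D9C-9A55-0123456789AB}

    Numerical Password:
      ID: {5B3C7A2E-1F4D-4E8A-B6C9-112233445566}
      Password:
        111111-222222-333333-444444-555555-666666-700007-123453
"@

function Test-RecoveryPassword {
    # A BitLocker recovery password is 8 groups of 6 digits; each group is a multiple of 11
    # and below 720896 (= 65536 * 11), so a mistyped or truncated line is caught here.
    param([string]$Password)
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in ($Password -split '-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function ConvertFrom-ManageBdeProtectors {
    # Returns one object (Type, ID, Password) per protector block in the text.
    param([string]$Text)
    $protectors = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s{1,4}(\S[^:]*):\s*$') {
            # Protector type header ("TPM:", "Numerical Password:", ...). Sub-labels such as
            # "Password:" are indented deeper and do not match this pattern.
            $current = New-Object PSObject -Property @{ Type = $Matches[1]; ID = $null; Password = $null }
            $protectors += $current
        } elseif ($current -and $line -match '^\s+ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $current.ID = $Matches[1]
        } elseif ($current -and $line -match '^\s+(\d{6}(?:-\d{6}){7})\s*$') {
            $current.Password = $Matches[1]
        }
    }
    return $protectors
}

$all = ConvertFrom-ManageBdeProtectors $SampleOutput
$recovery = $all | Where-Object { $_.Type -eq 'Numerical Password' }

# Safe to put in an inventory data class: the protector ID, which a helpdesk can use to
# look the password up in AD DS. The 48 digits themselves should not travel with inventory
# unless that database is protected like a key store.
$recovery | Select-Object Type, ID | Format-Table -AutoSize
"Recovery password well-formed: " + (Test-RecoveryPassword $recovery.Password)
```

With the protector ID in hand, a machine whose recovery information was not escrowed can be fixed from the same task with manage-bde -protectors -adbackup C: -id {the Numerical Password ID}, which is the fix a practitioner wants when the AD DS backup policy arrived after encryption had already started.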

– Custom Inventory – TPM Status

Script type: VBScript – copy and paste the script below, then Save changes

'------------------------------------------------------------------------------------
' Custom Inventory - TPM Status
' Posts the Win32_Tpm properties the deployment depends on (enabled/activated/owned) plus
' the manufacturer and spec details to the "TPM Status" data class.
'------------------------------------------------------------------------------------
' WMI query flags. Left undefined, these evaluate to 0 and the query simply runs synchronously.
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

strComputer = "."

' Machines without a TPM (or without the TPM WMI provider) may have no MicrosoftTpm namespace;
' stop quietly instead of failing the task.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftTpm")
If Err.Number <> 0 Then WScript.Quit 0
On Error GoTo 0

Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Tpm", "WQL", _
                                       wbemFlagReturnImmediately + wbemFlagForwardOnly)

'============================================
' Create instance of Altiris NSE component
Dim nse
Set nse = WScript.CreateObject("Altiris.AeXNSEvent")
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

Dim objDCInstance
' my custom data class
Set objDCInstance = nse.AddDataClass("TPM Status")

Dim objDataClass
Set objDataClass = nse.AddDataBlock(objDCInstance)

Dim objDataRow
' With no TPM present the query returns no instances and no row is sent
For Each objInfo In colItems
    Set objDataRow = objDataClass.AddRow

    objDataRow.SetField 0, objInfo.IsActivated_InitialValue
    objDataRow.SetField 1, objInfo.IsEnabled_InitialValue
    objDataRow.SetField 2, objInfo.IsOwned_InitialValue
    objDataRow.SetField 3, objInfo.ManufacturerId
    objDataRow.SetField 4, objInfo.ManufacturerVersion
    objDataRow.SetField 5, objInfo.ManufacturerVersionInfo
    objDataRow.SetField 6, objInfo.PhysicalPresenceVersionInfo
    objDataRow.SetField 7, objInfo.SpecVersion
Next
nse.SendQueued

'---------------------------------------------------------------------------

Now you can "Quick run" the task on any machine you want, or specify a filter and apply the task to it. This creates new custom inventory for each computer with all the data you are collecting:

Altiris console: \Computers\All Computers\ – search for the computer you'd like to check, right-click and select Resource Manager. Go to "View", "Inventory", then expand "Data Classes"\"Inventory"\"Custom" and your class is there with all the info.

6.3 Create Bitlocker report

Altiris Console: \Reports\All Reports\ – New Report\Computer report

You need to show Altiris where to look. Go to "Fields" and add the columns you want from the three custom data classes created in 6.1 (for example conversion status, encryption percentage and whether the TPM is owned):

Save Changes and run report.

7. Creating Dynamic Deployment filter that will include all laptops

Let's say we want to deploy to all laptops, and any newly built laptop should also receive the policy. We need a dynamic filter for this that identifies machines by chassis type (the SMBIOS chassis type values stored in Inv_HW_Chassis; you can compose an SQL query based on them). The one below matches 8 – Portable, 9 – Laptop, 10 – Notebook and 12 – Docking Station.

Create new filter and select Filter definition: Query Mode: Raw SQL

SELECT DISTINCT
    ch._ResourceGuid
FROM
    Inv_HW_Chassis ch
WHERE
    ch.[Chassis Package Type] IN ('8', '9', '10', '12')  -- 8 Portable, 9 Laptop, 10 Notebook, 12 Docking Station
