
Computers with Bitlocker turned on

Hi,

I am hoping someone can help me with Flexera reporting. I would like to know which computers have BitLocker turned on and which ones don't. I have reports from other systems but I would like to know if Flexera can help. Thank you.

 

(7) Replies
ChrisG (Community Manager)

There is nothing built in to FlexNet Manager Suite which will give insight into the state of BitLocker. I have done one deployment where BitLocker state information was gathered--this involved quite a bit of reasonably complex configuration. The approach taken included:

  • Configure custom properties on inventory device records to store information about the state of BitLocker on each device
  • For computers where inventory is gathered by SCCM: Configure SCCM to gather BitLocker details and store them in the SCCM database, and modify the out-of-the-box SCCM inventory adapter to import these details into the custom properties
  • For computers where inventory is gathered by the FlexNet inventory agent: Write an ndtrack VBscript plugin to gather BitLocker details to be stored in the FlexNet inventory database, and modify the out-of-the-box FlexNet inventory adapter to import these details into the custom properties
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Thank you for your response

Is there any doc that has an example of writing an ndtrack VBScript plugin to gather software details to be stored in the FlexNet inventory database, and modifying the out-of-the-box FlexNet inventory adapter to import these details into the custom properties?

Hi,

There's also a WMI class for this:

gwmi Win32_EncryptableVolume -Namespace ROOT\CIMV2\Security\MicrosoftVolumeEncryption

Unfortunately, the FNMS agent still does not allow collecting WMI data outside the default namespace.

There's a native PS cmdlet for this data:

Get-BitLockerVolume

You could use PowerShell to create a custom WMI class in the default namespace and then use the wmitrack.ini to have the agent collect it for you.

Best regards,

Markward
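
The approach described in the post above, as an added example that is not part of the original post or Flexera's own code: a Windows PowerShell 5.1 script, run elevated, that copies BitLocker state from Win32_EncryptableVolume into a custom class in root\cimv2. The class name Custom_BitLockerStatus and its property names are hypothetical, and the wmitrack.ini entry that collects the class is not shown here.

```powershell
#Requires -RunAsAdministrator
# Added example for Windows PowerShell 5.1. Class and property names are hypothetical.
$ns        = 'root\cimv2'
$className = 'Custom_BitLockerStatus'
$fveNs     = 'ROOT\CIMV2\Security\MicrosoftVolumeEncryption'

# Create the class once; the Static qualifier makes its instances persist in the repository.
if (-not (Get-CimClass -Namespace $ns -ClassName $className -ErrorAction SilentlyContinue)) {
    $class = New-Object System.Management.ManagementClass($ns, [string]::Empty, $null)
    $class['__CLASS'] = $className
    $class.Qualifiers.Add('Static', $true)
    $class.Properties.Add('DeviceID', [System.Management.CimType]::String, $false)
    $class.Properties['DeviceID'].Qualifiers.Add('Key', $true)
    $class.Properties.Add('DriveLetter', [System.Management.CimType]::String, $false)
    foreach ($name in 'ProtectionStatus', 'ConversionStatus', 'EncryptionPercentage') {
        $class.Properties.Add($name, [System.Management.CimType]::UInt32, $false)
    }
    $class.Properties.Add('CollectedUtc', [System.Management.CimType]::String, $false)
    [void]$class.Put()
}

# Remove instances from the previous run so volumes that no longer exist do not linger.
Get-WmiObject -Namespace $ns -Class $className | Remove-WmiObject

$volumes = Get-CimInstance -Namespace $fveNs -ClassName Win32_EncryptableVolume
foreach ($vol in $volumes) {
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2-5 = in progress or paused.
    $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $props = @{
        DeviceID             = $vol.DeviceID
        DriveLetter          = [string]$vol.DriveLetter
        # ProtectionStatus: 0 = off (includes suspended), 1 = on, 2 = unknown.
        ProtectionStatus     = [uint32]$vol.ProtectionStatus
        ConversionStatus     = [uint32]$conv.ConversionStatus
        EncryptionPercentage = [uint32]$conv.EncryptionPercentage
        CollectedUtc         = (Get-Date).ToUniversalTime().ToString('o')
    }
    Set-WmiInstance -Namespace $ns -Class $className -Arguments $props | Out-Null
}
```

For reporting, treat a volume as protected only when ProtectionStatus is 1 and ConversionStatus is 1; a fully encrypted volume with suspended protection reports ProtectionStatus 0.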

@Woo_Lam - this level and style of customization would typically be done in conjunction with a service provider who has experience doing this kind of work. It is complex enough that there is not a simple "go and read document XYZ and it will tell you how to do this". But here are some pointers on useful resources in this general space:

I don't know of any published documentation about ndtrack VBScript plugins - this capability is not widely used. Here is a quick cheat sheet for using this capability. (This summary assumes you already have a pretty deep understanding of how inventory gathering by the FlexNet inventory agent works.)

On each computer running the FlexNet inventory agent:

  1. Arrange to set the registry entry HKLM\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Tracker\CurrentVersion\RunInventoryScripts = True.
  2. Place your VBScript file in the directory %ProgramFiles(x86)%\ManageSoft\Tracker\Scripts\InventoryScanningOptionsInventoryScripts\

The VBScript file will be loaded and executed during the inventory gathering process. To include some data in the generated inventory NDI file, use script code like the following (with appropriate values for whatever you're seeking to achieve):

 

 

LogMessage("Running custom script")

' Create a <Hardware> element in the NDI file
Set invNode = CreateHardware("MyInfo")

' Set attributes on the <Hardware> element
invNode.SetAttribute "Class", "MyInfo"
invNode.SetAttribute "Evidence", "CustomScript"

' Create <Property> elements under the <Hardware> element in the NDI file
invNode.AddProperty "AProperty", "The value"
invNode.AddProperty "BProperty", "Another value"

 

 

This simple example illustrates use of a couple of the VBScript functions available that you can call from your script:

  • CreateHardware(string): Create a <Hardware> element in the output NDI file.
  • LogMessage(string): Write a message to the ndtrack log file.

The script above will result in content like the following being placed into the NDI file (and subsequently in the HardwareClass, HardwareObject, HardwareProperty and HardwareValue tables in your inventory database once the NDI file is imported):

 

 

<Hardware Class="MyInfo" Evidence="CustomScript">
    <Property Name="AProperty" Value="The value"/>
    <Property Name="BProperty" Value="Another value"/>
</Hardware>

 

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Thank you for the help

If you are interested in BitLocker, you can check the following branch in the Windows Registry:

HKLM\Software\Policies\Microsoft\FVE

The FVE folder will exist only if BitLocker is installed and enabled. Inside this folder, you find a lot of BitLocker-related configuration settings, including a key 'EnableBDEWithNoTPM' that will have a value of '1' if the current device has a 'Trusted Platform Module' chip and a BIOS that allows storing the BitLocker encryption key.

When collecting Inventory data using the Flexera agent, you can use the 'IncludeRegistryKey' option for enforcing the collection of configuration data from this part of the Windows registry.