How to determine BitLocker status and include the encryption information in the inventory?

Version 5

    Description

    This document applies to LDMS 9.0. LDMS 9.5 does include BitLocker Information in the inventory.

     

    Do you know whether BitLocker is configured in your environment, and what its protection status is? Do you have that information in your inventory database, and can you run a query against it?

    This document shows a simple way of determining whether BitLocker is configured to encrypt drives on a client, and of including this information in your inventory database, where you can query it and use it for other purposes.

     

    While the inventory scanner will report on the status of the BitLocker service, it will not show you whether the drives on the client are actually encrypted. There is an enhancement request to include disk encryption information in the inventory. For those who are looking for an easy and quick solution right now, this article should help.

     

    Solution

    As a temporary solution, we are going to use a VBScript that queries WMI (the Win32_EncryptableVolume class). While basic, the attached VBScript, DriveEncryption.vbs, shows a way of gathering disk encryption information and including it in the inventory.

    The script queries the WMI class Win32_EncryptableVolume for encryption information. It only looks at:

     

    • Drive Letter
    • Persistent volume ID
    • Protection Status

     

    There are many other methods in this class that you can use. Follow this link for all available methods and their usage: Win32_EncryptableVolume class

     

    The other important section of the script writes the values returned by the queried Win32_EncryptableVolume methods into the registry under "Software\Intel\LANDesk\Inventory\Custom Fields" or "Software\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields", depending on the OS architecture. Anything written to "Custom Fields" will be included in the inventory scan by default.
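The approach described above, as an added VBScript example; it is not the attached DriveEncryption.vbs. The HKLM hive, the WMI namespace root\CIMV2\Security\MicrosoftVolumeEncryption and the "BitLocker ..." value names are assumptions that do not come from this page, and the script must run with administrative rights.

```vbscript
Option Explicit
' Added example, not the attached DriveEncryption.vbs. Run elevated (admin or SYSTEM).
Const BDE_NS = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\.\root\CIMV2\Security\MicrosoftVolumeEncryption"
Dim shell, key, wmi, vol, status, rc, label, n

Set shell = CreateObject("WScript.Shell")
key = CustomFieldsKey(shell)

On Error Resume Next
Set wmi = GetObject(BDE_NS)
If Err.Number <> 0 Then
    ' Namespace missing or access denied: record the failure so the inventory shows it.
    shell.RegWrite key & "BitLocker Query Status", "WMI error 0x" & Hex(Err.Number), "REG_SZ"
    WScript.Quit 1
End If
On Error GoTo 0
shell.RegWrite key & "BitLocker Query Status", "OK", "REG_SZ"

n = 0
For Each vol In wmi.ExecQuery("SELECT * FROM Win32_EncryptableVolume")
    label = vol.DriveLetter & ""            ' Null becomes "" for volumes without a letter
    If label = "" Then
        n = n + 1 : label = "Unmounted " & n
    End If
    rc = vol.GetProtectionStatus(status)    ' out parameter: 0 = off, 1 = on, 2 = unknown
    If rc <> 0 Then status = 2
    shell.RegWrite key & "BitLocker " & label & " Protection Status", StatusText(status), "REG_SZ"
    shell.RegWrite key & "BitLocker " & label & " Persistent Volume ID", vol.PersistentVolumeID & "", "REG_SZ"
Next

Function StatusText(code)
    Select Case code
        Case 0: StatusText = "Off"          ' unencrypted, partially encrypted, or protection suspended
        Case 1: StatusText = "On"
        Case Else: StatusText = "Unknown"   ' e.g. the volume is locked
    End Select
End Function

' Pick the Custom Fields key the page names for 32-bit and 64-bit operating systems.
Function CustomFieldsKey(sh)
    Dim arch
    arch = sh.ExpandEnvironmentStrings("%PROCESSOR_ARCHITEW6432%")  ' set only for 32-bit hosts on 64-bit OS
    If InStr(arch, "%") > 0 Then arch = sh.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
    If LCase(arch) = "x86" Then
        CustomFieldsKey = "HKLM\Software\Intel\LANDesk\Inventory\Custom Fields\"
    Else
        CustomFieldsKey = "HKLM\Software\Wow6432Node\Intel\LANDesk\Inventory\Custom Fields\"
    End If
End Function
```

A protection status of "Off" does not by itself mean the volume is unencrypted, since a fully encrypted volume with suspended protection reports the same value.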

     

    One note on the current inventory implementation: the inventory scanner does query and include the available services on the clients along with their status. It is therefore already possible to query the inventory for the BitLocker service and its status. In your query, just point to Inventory root | OS | Drivers and Services | Name and/or Inventory root | OS | Drivers and Services | Status.

     

    The VBScript should be self-explanatory. However, should you have any questions or suggestions, please post a comment. Feel free to modify the script and post it.