13 Replies Latest reply on Sep 24, 2018 2:01 PM by 1EarEngineer

    Bitlocker

    krpj25 Rookie

      Does anyone know how to enable bitlocker using Ivanti?

        • 1. Re: Bitlocker
          phoffmann SupportEmployee

          Are we talking about BitLOCKER (the "Microsoft Windows disk encryption") or BitDEFENDER here (new 3rd party AV we provide)?

          If it's the latter then check this article -- How to get started with Ivanti Antivirus 2017 (Bitdefender Engine).

          If it's the former (i.e. - actual BitLocker) then you need to do your research on Microsoft pages & such. By and large, we can run commands remotely as Local System (so encrypting stuff), which is all doable, but you'd need to look into "what you need us to run".

          You can also use PowerShell scripts if that's easier than "just running commands".

          But by and large it amounts to "do your research to know what you need us to execute ... and that part's a doddle".

          I'd be astonished if Microsoft didn't have some method of automating it.

          As an aside - most folks I'm aware of tend to enable / make use of BitLocker during an OS refresh / re-build ... seems to cause fewer upsets with users and allows you (/the admins) to register any necessary recovery keys centrally without needing to rely on end-users to do so (which is a common element of failure).

          • 2. Re: Bitlocker
            krpj25 Rookie

             I was talking about the BITLOCKER from Microsoft. Thanks for all the feedback. I will look into PowerShell commands to do the trick.

            • 3. Re: Bitlocker
              phoffmann SupportEmployee

               K - just wanted to make sure.

               So yeah, should be "just" a matter of researching & developing the script (my guess, again, is PowerShell being relatively easy).

               If you're going to push this out onto (sort of) "unsuspecting" end-users, do be aware of their tendency to not follow instructions (such as informing you of recovery keys, etc.) ... so where possible, try not to rely on them (again, one likely reason most folks I'm aware of who switch to BitLocker have done so as part of an OS-refresh / re-build process).

              • 4. Re: Bitlocker
                karlehenry Apprentice

                 Correct me if I am wrong, but as confirmed already there is no built-in way; however, at Interchange 2018, I believe it was mentioned that a feature like this may be coming to a future release. But if you need something more immediate:

                 BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) | Microsoft Docs

                 Also,

                 Microsoft BitLocker Administration and Monitoring 2.5 | Microsoft Docs

                 Lastly,

                 BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) | Microsoft Docs

                 I also know that WinMagic is a partner of Ivanti and you may want to investigate this:

                 LANDESK, WinMagic Provide Enterprise-Grade Encryption | Ivanti

                 While throwing all this information at you, you will have to figure out what choice is best for you and your environment.

                 I hope this helps.

                • 5. Re: Bitlocker
                  SGolden_00 Rookie

                   I've had need of doing this in the past. I would echo phoffmann about PowerShell scripting. I had success with deploying this in Ivanti using a PowerShell script. You can force it to send the key to AD as well so you don't need to have the user track anything, but you'll need to know how to enable all of that on the back end with AD.

                   Once you build your script and test it locally or on a test device, pop it into a package in Ivanti, and try a deployment. I'm not as familiar with the AD component, but after you actually enable it, you can check all of the rest either on the device directly or via an updated inventory scan (is encryption enabled? what kind?).

                  • 6. Re: Bitlocker
                    brad.e.smith Apprentice

                    Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment), what reporting in terms of Ivanti 2017.3 would we be able to obtain in relation to Bitlocker [other than it being present]?  Does Ivanti collect inventory data [by default] that would let us know the encryption status of drives? If not, are you all aware of a proven method to put in place to track that data in Mgmt Console?

                    • 7. Re: Bitlocker
                      SGolden_00 Rookie

                      Ivanti does appear to collect inventory data that would provide encryption status.  This is located in inventory under Mass Storage > Drive Encryption, where selection of the drive would show basics (conversion status, encryption method used, encryption percentage, lock status, protection status).  I query those things to validate encryption status on the device itself.

                      • 8. Re: Bitlocker
                        SGolden_00 Rookie

                         I realize I didn't drop in the PowerShell command or provide more detail on the AD component.

                         To enable encryption: you want to use the Enable-BitLocker command. Your organizational needs will vary on what you want to set up here.
                         To enable backup to AD, you may want to set up a GPO along these lines.

                        • 9. Re: Bitlocker
                          brad.e.smith Apprentice

                           Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at our Inventory Settings in the config...(?)

                           We're exploring BitLocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.

                          • 10. Re: Bitlocker
                            phoffmann SupportEmployee

                             brad.e.smith wrote:

                             Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment),

                             Optimist

                             But aside from that - what SGolden_00 (Thanks!) stated is on the money. Inventory will report on the encrypted status of drives (in simple terms) ... if that's good enough for you, that's great.

                             Otherwise, you can always go the "custom data" route (and - for instance - dump the data you want into the registry & pick that up). See here for more info -- Issue: Custom Data Registry Scan Not Working: How To Pull Registry Information Using The Manage Software List. Heck - you could do it as a custom vulnerability if you so wanted.

                             There's usually "at least 3 different ways of achieving the same thing" with EPM (something I've been saying for going on 10 years now, I think) ... just a matter of "which you like the most", so to speak.
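A status-collection script of the kind posts 7 and 10 describe, added here as an example and not taken from any poster in this thread: it reads the same fields the inventory shows under Mass Storage > Drive Encryption (conversion status, encryption method, percentage, lock status, protection status) with Get-BitLockerVolume, stages them under a registry key for a custom-data registry scan to pick up, and flags the failure modes a defender actually cares about (encrypted but protection suspended, or no recovery password escrowable at all). The registry path HKLM:\SOFTWARE\ExampleOrg\BitLockerStatus is an assumed placeholder; point it at whatever key your custom data scan is configured to read.

```powershell
# Added example, not from the thread's posters: collect BitLocker status per volume and
# stage it in the registry for an Ivanti custom data scan to pick up.
# Requires the BitLocker module (Windows 8 / Server 2012 or later) and an elevated session.
$ErrorActionPreference = 'Stop'
$KeyPath = 'HKLM:\SOFTWARE\ExampleOrg\BitLockerStatus'   # assumed placeholder path

function Get-BitLockerStatusReport {
    # One record per fixed volume, mirroring the fields the inventory view shows.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $recovery = @($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            [pscustomobject]@{
                MountPoint            = $_.MountPoint
                ConversionStatus      = [string]$_.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
                EncryptionMethod      = [string]$_.EncryptionMethod   # XtsAes256, Aes128, None, ...
                EncryptionPercentage  = [int]$_.EncryptionPercentage
                LockStatus            = [string]$_.LockStatus
                ProtectionStatus      = [string]$_.ProtectionStatus   # On means the protectors are enforced; Off means suspended
                RecoveryPasswordCount = $recovery.Count                # count only; the password itself is never written anywhere
            }
        }
}

function Write-BitLockerStatusToRegistry {
    param([Parameter(Mandatory)] $Report)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($vol in $Report) {
        # One subkey per drive letter, e.g. ...\BitLockerStatus\C
        $sub = Join-Path $KeyPath ($vol.MountPoint.TrimEnd(':', '\'))
        if (-not (Test-Path $sub)) { New-Item -Path $sub -Force | Out-Null }
        foreach ($p in $vol.PSObject.Properties) {
            Set-ItemProperty -Path $sub -Name $p.Name -Value $p.Value
        }
    }
    Set-ItemProperty -Path $KeyPath -Name 'LastRun' -Value (Get-Date -Format 'o')
}

function Test-BitLockerCompliance {
    # Returns a list of human-readable problems; empty means every fixed volume is in the expected state.
    param([Parameter(Mandatory)] $Report)
    $problems = foreach ($vol in $Report) {
        if ($vol.ConversionStatus -ne 'FullyEncrypted') { "$($vol.MountPoint) is not fully encrypted ($($vol.ConversionStatus))" }
        elseif ($vol.ProtectionStatus -ne 'On')        { "$($vol.MountPoint) is encrypted but protection is $($vol.ProtectionStatus) (suspended)" }
        elseif ($vol.RecoveryPasswordCount -eq 0)       { "$($vol.MountPoint) has no recovery password protector to escrow" }
    }
    return @($problems)
}

$report = Get-BitLockerStatusReport
Write-BitLockerStatusToRegistry -Report $report
$issues = Test-BitLockerCompliance -Report $report
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
exit 0
```

The non-zero exit code is what makes this usable as a custom vulnerability or a scheduled package in the sense post 10 suggests: the registry values give the inventory the detail, and the exit code gives you a single pass/fail you can alert on.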

                            • 11. Re: Bitlocker
                              phoffmann SupportEmployee

                               brad.e.smith wrote:

                               Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at our Inventory Settings in the config...(?)

                               We're exploring BitLocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.

                               I understand the thinking behind this, but "word of warning" ... this CAN lead to issues where SPOF ("single point of failure") applies.

                               "Oh noes - that 0-day vulnerability to 'Our_Vendor_Here'..."-conversations can get very iffy when there's a SPOF factor that laid bare the keys to your kingdom, as it were. It's the sort of thing which is why I've been coming around in recent years to having a preference for "multi-vendor" tiered security as well ... yes, it causes various "fun" situations in its own right ("Oh yay, X doesn't play nice with Y ...") ... but one does need to balance that against the fact that a SPOF can be a big risk.

                               It's one of those "whichever path you go down, it's going to cause you some problems" sort of choices, but I figured I'd pipe up about an alternate perspective, if it's any help.

                              • 12. Re: Bitlocker
                                brad.e.smith Apprentice

                                 SGolden_00 and phoffmann, thank you BOTH for such quick and helpful feedback!

                                • 13. Re: Bitlocker
                                  1EarEngineer Specialist

                                  If you are looking at using Bitlocker with MBAM, see my post How To: Deploy MBAM 2.5 SP1 on Windows 7 with LDMS 9.6 SP2 . It's stayed the same for the most part.

                                  If you are looking at enabling just Bitlocker, you can create an action that will use manage-bde -on C: where C is the letter of the drive you want to encrypt.
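The PowerShell equivalent of the `manage-bde -on C:` action above, combined with the AD backup step SGolden_00 refers to in post 8, written out as an added example that is not the code of any poster in this thread. It assumes a Windows 8.1/10 client with a present and ready TPM, and that the Group Policy permitting backup of BitLocker recovery information to AD DS is already applied (Backup-BitLockerKeyProtector fails otherwise). The script is ordered so that the recovery password exists and is escrowed in AD before encryption starts; if the escrow fails, nothing has been encrypted yet, which is the failure mode phoffmann warns about (keys nobody registered centrally). Run it elevated, for instance as Local System from an Ivanti package.

```powershell
# Added example, not from the thread's posters: enable BitLocker on the OS drive with a TPM
# protector plus a recovery password, escrowing the recovery password to AD DS first.
# Assumes a ready TPM and the GPO that allows AD DS backup of recovery information.
param([string] $MountPoint = 'C:')
$ErrorActionPreference = 'Stop'   # any failing cmdlet aborts the script instead of continuing

function Test-BitLockerPrereqs {
    param([string] $MountPoint)
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is not present or not ready; refusing to encrypt' }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$MountPoint is already $($vol.VolumeStatus); nothing to do" }
    return $true
}

function Enable-OsDriveBitLocker {
    param([string] $MountPoint)

    # 1. Recovery password first, on the still-decrypted volume, so a later TPM change or
    #    firmware update can never leave the drive without a way back in.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 2. Escrow that recovery password in AD DS. With $ErrorActionPreference = 'Stop' a
    #    failure here (GPO missing, no domain reachability) stops us before encryption begins.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # 3. Seal the volume to the TPM and start encrypting. -SkipHardwareTest avoids the
    #    reboot-and-confirm cycle that an unattended push cannot answer.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null

    return (Get-BitLockerVolume -MountPoint $MountPoint)
}

Test-BitLockerPrereqs -MountPoint $MountPoint | Out-Null
$result = Enable-OsDriveBitLocker -MountPoint $MountPoint

# Print what the next inventory scan will show: conversion status, percentage, protection state.
"{0}: {1}, {2}% encrypted, protection {3}" -f $result.MountPoint, $result.VolumeStatus, $result.EncryptionPercentage, $result.ProtectionStatus
```

Encryption continues in the background after the script returns, so a deployment that checks the result immediately will see EncryptionInProgress rather than FullyEncrypted; the inventory fields post 7 lists are the place to confirm completion later.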