-
1. Re: Bitlocker
phoffmann Aug 13, 2018 8:25 AM (in response to krpj25)
Are we talking about BitLOCKER (the "Microsoft Windows disk encryption") or BitDEFENDER here (new 3rd party AV we provide)?
If it's the latter then check this article -- How to get started with Ivanti Antivirus 2017 (Bitdefender Engine).
If it's the former (i.e. - actual BitLocker) then you need to do your research on Microsoft pages & such. By and large, we can run commands remotely as Local System (so encrypting stuff), which is all doable, but you'd need to look into "what you need us to run".
You can also use PowerShell scripts if that's easier than "just running commands".
But by and large it amounts to "do your research to know what you need us to execute ... and that part's a doddle".
I'd be astonished if Microsoft didn't have some method of automating it.
As an aside - most folks I'm aware of tend to enable / make use of BitLocker during an OS refresh / re-build ... seems to cause fewer upsets with users and allows you (/the admins) to register any necessary recovery keys centrally without needing to rely on end-users to do so (which is a common element of failure).
-
2. Re: Bitlocker
krpj25 Aug 13, 2018 8:25 AM (in response to phoffmann)
I was talking about the BITLOCKER from Microsoft. Thanks for all the feedback. I will look into PowerShell commands to do the trick.
-
3. Re: Bitlocker
phoffmann Aug 13, 2018 8:27 AM (in response to krpj25)
K - just wanted to make sure.
So yeah, should be "just" a matter of researching & developing the script (my guess, again, is Powershell being relatively easy).
If you're going to push this out onto (sort of) "unsuspecting" end-users, do be aware of their tendency to not follow instructions (such as informing you of recovery keys, etc) ... so where possible, try not to rely on them (again, one likely reason most folks I'm aware of who switch to BitLocker have done so as part of an OS-refresh / re-build process).
-
4. Re: Bitlocker
karlehenry Aug 13, 2018 9:11 PM (in response to phoffmann)
Correct me if I am wrong, but as confirmed already there is no built-in way; however, at Interchange 2018, I believe it was mentioned that a feature like this may be coming in a future release. But if you need something more immediate:
BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) | Microsoft Docs
Also,
Microsoft BitLocker Administration and Monitoring 2.5 | Microsoft Docs
lastly,
BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) | Microsoft Docs
I also know that WinMagic is a partner of Ivanti and you may want to investigate this:
LANDESK, WinMagic Provide Enterprise-Grade Encryption | Ivanti
While throwing all this information at you, you will have to figure out what choice is best for you and your environment.
I hope this helps.
-
5. Re: Bitlocker
SGolden_00 Aug 16, 2018 1:55 PM (in response to krpj25)
I've had need of doing this in the past. I would echo phoffmann about PowerShell scripting. I had success with deploying this in Ivanti using a PowerShell script. You can force it to send the key to AD as well so you don't need to have the user track anything, but you'll need to know how to enable all of that on the back end with AD.
Once you build your script and test it locally or on a test device, pop it into a package in Ivanti, and try a deployment. I'm not as familiar with the AD component, but after you actually enable it, you can check all of the rest either on the device directly or via an updated inventory scan (is encryption enabled? what kind?).
-
6. Re: Bitlocker
brad.e.smith Aug 29, 2018 9:26 AM (in response to krpj25)
Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment), what reporting in terms of Ivanti 2017.3 would we be able to obtain in relation to BitLocker [other than it being present]? Does Ivanti collect inventory data [by default] that would let us know the encryption status of drives? If not, are you all aware of a proven method to put in place to track that data in the Mgmt Console?
-
7. Re: Bitlocker
SGolden_00 Aug 29, 2018 11:40 AM (in response to brad.e.smith)
Ivanti does appear to collect inventory data that would provide encryption status. This is located in inventory under Mass Storage > Drive Encryption, where selection of the drive would show basics (conversion status, encryption method used, encryption percentage, lock status, protection status). I query those things to validate encryption status on the device itself.
-
8. Re: Bitlocker
SGolden_00 Aug 29, 2018 11:43 AM (in response to SGolden_00)
I realize I didn't drop in the PowerShell command or provide more detail on the AD component.
To enable encryption: you want to use the Enable-Bitlocker command. Your organizational needs will vary on what you want to set up here.
To enable backup to AD, you may want to set up a GPO along these lines.
-
9. Re: Bitlocker
brad.e.smith Aug 29, 2018 12:21 PM (in response to SGolden_00)
Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at our Inventory Settings in the config...(?)
We're exploring Bitlocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.
-
10. Re: Bitlocker
phoffmann Aug 29, 2018 12:23 PM (in response to brad.e.smith)
Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment),
Optimist
But aside from that - what SGolden_00 (Thanks!) stated is on the money. Inventory will report on the encrypted status of drives (in simple terms) ... if that's good enough for you, that's great.
Otherwise, you can always go the "custom data" route (and - for instance - dump the data you want into the registry & pick that up). See here for more info -- Issue: Custom Data Registry Scan Not Working: How To Pull Registry Information Using The Manage Software List. Heck - you could do it as a custom vulnerability if you so wanted.
There's usually "at least 3 different ways of achieving the same thing" with EPM (something I've been saying for going on 10 years now, I think) ... just a matter of "which you like the most", so to speak.
-
11. Re: Bitlocker
phoffmann Aug 29, 2018 12:35 PM (in response to brad.e.smith)
brad.e.smith wrote:
Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at out Inventory Settings in the config...(?)
We're exploring Bitlocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.
I understand the thinking behind this, but "word of warning" ... this CAN lead to issues where SPOF ("single point of failure") applies.
"Oh noes - that 0-day vulnerability to 'Our_Vendor_Here'..."-conversations can get very iffy when there's a SPOF factor that laid bare the keys to your kingdom, as it were. It's the sort of thing which is why I've been coming around in recent years of having a preference for "multi-vendor" tiered security as well ... yes, it causes various "fun" situations in its own right ("Oh yay, X doesn't play nice with Y ...") ... but one does need to balance that with a SPOF can be a big risk.
It's one of those "whichever path you go down, it's going to cause you some problems" sort of choice, but I figured I'd pipe up about an alternate perspective, if it's any help.
-
12. Re: Bitlocker
brad.e.smith Aug 29, 2018 1:30 PM (in response to phoffmann)
SGolden_00 and phoffmann, thank you BOTH for such quick and helpful feedback!
-
13. Re: Bitlocker
1EarEngineer Sep 24, 2018 2:01 PM (in response to krpj25)
If you are looking at using BitLocker with MBAM, see my post How To: Deploy MBAM 2.5 SP1 on Windows 7 with LDMS 9.6 SP2. It's stayed the same for the most part.
If you are looking at enabling just Bitlocker, you can create an action that will use manage-bde -on C: where C is the letter of the drive you want to encrypt.
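The replies above describe the pieces separately: Enable-BitLocker (or manage-bde -on) to encrypt, a GPO so the recovery password is escrowed to AD DS rather than left with the end user, and registry "custom data" so the Ivanti inventory scan can report status. The script below ties those pieces together as one deployable package action. It is an added example, not code from this thread, from Ivanti, or from Microsoft. The registry path HKLM:\SOFTWARE\Contoso\BitLockerStatus is an assumed custom-data location for the inventory scanner to pick up, the exit codes are arbitrary choices for the package, and the script assumes Windows 10 with the BitLocker and TrustedPlatformModule PowerShell modules, a TPM, and the "Choose how BitLocker-protected operating system drives can be recovered" policy applied (the OSActiveDirectoryBackup value under the FVE policy key is what that GPO writes).

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the OS drive with a TPM protector, escrow the
# recovery password to AD DS, and record status in the registry for inventory pickup.
# Values marked "assumed" are choices for this example, not taken from the thread.

$MountPoint = 'C:'
$StatusKey  = 'HKLM:\SOFTWARE\Contoso\BitLockerStatus'  # assumed custom-data key scanned by inventory
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where the BitLocker GPO settings land

function Write-Status([string]$Name, $Value) {
    if (-not (Test-Path $StatusKey)) { New-Item -Path $StatusKey -Force | Out-Null }
    Set-ItemProperty -Path $StatusKey -Name $Name -Value $Value
}

# 1. Refuse to encrypt unless the GPO that escrows recovery info to AD DS is in effect.
#    Without it Backup-BitLockerKeyProtector fails and the only copy of the key is local.
$adBackup = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).OSActiveDirectoryBackup
if ($adBackup -ne 1) {
    Write-Status 'LastResult' 'AD DS backup policy not applied'
    Write-Error 'BitLocker AD DS recovery backup policy is not applied; not encrypting.'
    exit 2
}

# 2. A TPM-only protector needs a present, ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Status 'LastResult' 'TPM not ready'
    Write-Error 'TPM not present or not ready.'
    exit 3
}

# 3. Idempotent: re-running the package on a drive that is already protected is a no-op.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Status 'LastResult' "Already $($vol.VolumeStatus)"
    exit 0
}

# 4. Add the recovery-password protector first, then turn BitLocker on with the TPM
#    protector. -SkipHardwareTest avoids the reboot-for-TPM-test step; -UsedSpaceOnly
#    keeps initial encryption short on a freshly built machine.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -SkipHardwareTest | Out-Null

# 5. Escrow every recovery password to the computer object in AD DS; fail loudly if not.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    } catch {
        Write-Status 'LastResult' "AD backup failed: $($_.Exception.Message)"
        Write-Error "Recovery password was not escrowed to AD DS: $_"
        exit 4
    }
}

# 6. Record what the inventory scan should see. Only protector IDs are written here,
#    never the recovery password itself.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Status 'VolumeStatus'       $vol.VolumeStatus.ToString()
Write-Status 'ProtectionStatus'   $vol.ProtectionStatus.ToString()
Write-Status 'EncryptionMethod'   $vol.EncryptionMethod.ToString()
Write-Status 'EncryptionPercent'  $vol.EncryptionPercentage
Write-Status 'RecoveryIdsEscrowed' (($recovery | ForEach-Object KeyProtectorId) -join ';')
Write-Status 'LastResult' 'OK'
exit 0
```

Two points follow from the thread's own advice. The policy check in step 1 is what keeps you from relying on end users for the recovery key: if escrow is not configured, the machine is left unencrypted and the package reports a non-zero exit so the failure shows up in the deployment results rather than months later at a help-desk call. Step 6 writes only status fields and protector IDs to the custom-data key; the 48-digit recovery password belongs in AD DS (or MBAM), not in the registry or the inventory database, where anyone with read access to either would hold the keys to the drive.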