Bitlocker deployment and reporting.

… the Altiris way; however, the concept is pretty much the same for any other CMS. I’m currently working on such a project, so I decided to write down the entire process here in my notepad (who knows, maybe someone out there in the intertubes is sitting and scratching his head, wondering where to start with Altiris Bitlocker deployment?)

First things first, what do we need ?

1. We need to make sure our machines have a TPM chip, as what we’re going to do is enable and activate it using a simple script, then take ownership of it by securing it with a password. This will allow us to start encryption.
I am aware there are ways to enable Bitlocker without a TPM, but that’s not the case here. If you want to find out more about it, google it.

2. You need to have a GPO configured for Bitlocker and applied to the computers before doing any of the tasks below.

3. Once the GPO is configured and applied, the following command sequence must be run on the destination computers:

– manage-bde.exe -tpm -turnon – this command enables and activates the TPM chip

Reboot – you need to restart the PC and confirm the configuration change by pressing F1 at boot.

– manage-bde -tpm -o yourtpmpasswordhere – this command takes ownership of the TPM

– manage-bde -on c: -rp -em aes256 – assuming we’re encrypting C: with AES-256 and adding a recovery password (-rp)

4. Now, as a side note, what’s the easiest way to check whether the first command worked and the TPM is enabled and activated (assuming you want to check this remotely)? Use WMI. You can do so directly from the WMI console or from a command prompt by adding wmic.exe before the command.

– To check if the TPM is enabled: /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue

– To check if the TPM is activated: /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue

5. Create Software Packages with simple .bat scripts that execute the commands above. The Software Packages must be set within the Managed Software Delivery Policy in the exact order listed above (3.).

TPM enable and activate – this also creates a “Bitlocker” folder on the system drive and the .txt files that you can use for detection rules. If you prefer a fancier way, you can play with VBS detection rules, but honestly there’s no need to.

REBOOT! – You must reboot the PC at this point and get the user to press F1!

The notification popup below will appear on the user’s screen:


6. Reporting:

6.1 – Creating Custom Data Classes in Altiris.

Altiris Console: Settings\All settings\Discovery and Inventory\Inventory Solution\Manage Custom Data Classes

Add new Data Classes:
– Expanded Bitlocker Status – collects encryption status info such as conversion status, percentage encrypted, encryption method, etc.
– Bitlocker Recovery info – the encrypted drive letter and your recovery ID
– TPM Status – TPM status.

Add the attributes below for each class:

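As an added example (my own PowerShell, not the post’s VBScript or anything shipped with Altiris), the script below reads the same TPM and Bitlocker values from WMI that the remote checks in step 4 and the three data classes above rely on, so you can see on one machine what the custom inventory should end up reporting. It assumes Windows PowerShell 5.1 (for Get-WmiObject) run elevated on the target computer.

```powershell
# Added example, not the post's own script: pull the TPM and Bitlocker fields the
# custom data classes above describe straight from WMI on the local machine.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) running elevated.
$ErrorActionPreference = 'Stop'

# --- TPM Status (same class and properties the wmic queries in step 4 use) ---
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM present; the TPM-based flow in this post does not apply.' }
# The *_InitialValue properties reflect the state at the last boot, so a TPM turned on
# by "manage-bde -tpm -turnon" still reads False here until the reboot + F1 has happened.
$tpmStatus = [pscustomobject]@{
    IsEnabled   = $tpm.IsEnabled_InitialValue
    IsActivated = $tpm.IsActivated_InitialValue
    IsOwned     = $tpm.IsOwned_InitialValue
}

# --- Expanded Bitlocker Status + Recovery info, one row per encryptable volume ---
$volumes = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
                         -Class Win32_EncryptableVolume
$volumeStatus = foreach ($v in $volumes) {
    $conv = $v.GetConversionStatus()   # 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting
    $prot = $v.GetProtectionStatus()   # 0 off, 1 on, 2 unknown
    $enc  = $v.GetEncryptionMethod()   # 3 AES-128, 4 AES-256 (what "-em aes256" selects)
    $rp   = $v.GetKeyProtectors(3)     # type 3 = numerical password, i.e. the "-rp" protector
    [pscustomobject]@{
        Drive             = $v.DriveLetter
        ConversionStatus  = $conv.ConversionStatus
        EncryptionPercent = $conv.EncryptionPercentage
        ProtectionStatus  = $prot.ProtectionStatus
        EncryptionMethod  = $enc.EncryptionMethod
        # Protector GUID(s): this is the recovery ID shown on the Bitlocker recovery screen
        RecoveryIds       = ($rp.VolumeKeyProtectorID -join ';')
    }
}

$tpmStatus
$volumeStatus | Format-Table -AutoSize
```

A volume with ProtectionStatus 0 and ConversionStatus 1 is fully encrypted but has its protectors suspended, which is worth surfacing separately in the report rather than counting it as protected.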

6.2 Create Custom Tasks:

Altiris Console: \Manage\Jobs / Tasks\Samples\Discovery and Inventory\Inventory Samples\Custom

Clone Custom Inventory – Processor and create the following:

Custom Inventory – Bitlocker Status

Script type: VBScript – copy and paste the script below, then Save changes

NOTE: Altiris 7.6 prefers the data class name over the GUID, unlike previous Altiris versions, so it’s recommended to use the data class name in the script!

– Custom Inventory – Bitlocker Recovery Info

Script type: VBScript – copy and paste the script below

– Custom Inventory – TPM Status

Script type: VBScript – copy and paste the script below, then Save changes

Now you can “Quick run” the task on any machine you want, or specify a filter and apply the task to it – this will create a new custom inventory for each computer with all the data you’re collecting:

Altiris console: \Computers\All Computers\ – search for the computer you’d like to check, right-click it and select Resource Manager. Go to “View”, “Inventory”, then expand “Data Classes”\”Inventory”\”Custom” and your class is there with all the info.

6.3 Create Bitlocker report

Altiris Console: \Reports\All Reports\ – New Report\Computer report

You need to show Altiris where to look. Go to “Fields” and add the following:

Save Changes and run report.

7. Creating Dynamic Deployment filter that will include all laptops

Let’s say we want to deploy it to all laptops, and any newly built laptop should also receive the policy. We need a dynamic filter for this that identifies machines by chassis type (all the values are listed here – you can compose an SQL query based on them). The one below searches for machines whose chassis type is 9 – Laptop, 10 – Notebook, or 12 – Docking Station.

Create new filter and select Filter definition: Query Mode: Raw SQL

