Attempting to monitor if BitLocker is enabled

I have assets that I have assigned the following process monitor:

However, it does not appear to be working or even assigned to the asset as part of a monitor. What am I missing to get this working properly?

Thanks!

Hi,

I run this script weekly:

Import-Module $env:SyncroModule

# Only query BitLocker when the cmdlet exists (the BitLocker module is absent on some Windows editions)
$Bitlocker = Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue
if ($null -ne $Bitlocker) {
    $BitlockVolume = Get-BitLockerVolume -MountPoint "C:"
    $BitlockVolumeStatus = $BitlockVolume.VolumeStatus
    $BitlockVolumeMethod = $BitlockVolume.EncryptionMethod
    $BitlockerStatus = "$BitlockVolumeStatus - $BitlockVolumeMethod"
    # Numeric recovery password protector(s) and their IDs; the braces are stripped from the ID
    $BitlockerID = $BitlockVolume.KeyProtector | Where-Object {$_.KeyProtectorType -match "RecoveryPassword"} | Select-Object -ExpandProperty KeyProtectorId
    $BitlockerKey = $BitlockVolume.KeyProtector | Where-Object {$_.KeyProtectorType -match "RecoveryPassword"} | Select-Object -ExpandProperty RecoveryPassword
    $BitlockerID = $BitlockerID -replace '[{}]',""
    Set-Asset-Field -Name "BitLockerStatus" -Value "$BitlockerStatus"
    Set-Asset-Field -Name "BitLockerID" -Value "$BitlockerID"
    Set-Asset-Field -Name "BitLockerKey" -Value "$BitlockerKey"
}
else {
    # BitLocker cmdlets not available on this device: record the drive as not encrypted
    Set-Asset-Field -Name "BitLockerStatus" -Value "Decrypted"
    Set-Asset-Field -Name "BitLockerID" -Value "Decrypted"
    Set-Asset-Field -Name "BitLockerKey" -Value "Decrypted"
}

You need to create those custom fields first.

Thank you - but does the built-in functionality of process/service monitoring not work?

Not sure if it is possible to monitor bitlocker this way. Have never checked the service itself.

Can anyone from Syncro chime in to see if this is possible?

Hi trinity-logix, can you send a screenshot of the service name in Task Manager while it’s running? Then, when you stop the process for 5 mins, can you confirm that it’s not automatically restarting?

The BitLocker service is BDESVC, you’ll need to use the actual names of the service or process in order to monitor. There are scripts posted on here that will write the BitLocker key to some custom asset fields and you can sort and monitor that way. The above script will work, with a little modification, you can monitor more than just the C drive. The BitLocker service is a manual start, so all you’re really monitoring for is if the service is running, not if the drive is encrypted or not.


The service is stopped already. I will modify to the service name of BDESVC and report back.

Here’s the script I use. It will write to the custom fields if it’s not enabled, or it will provide the recovery key. You’ll just need to create the custom fields.

<############################

How to use:

This script gathers the BitLocker volumes, gathers the keys, and writes the key for each drive to an asset custom field.

Asset fields should be created with this format: BitLocker_Key_[drive letter]
For example, BitLocker_Key_C (case sensitive) would be for drive C. Each drive will need an asset field.
The script output will also state what field the key was saved to.

############################>

Import-Module $env:SyncroModule

# Drive letters of every BitLocker volume, e.g. C D (colon removed so the letter can be used in the field name)
$drives = (Get-BitLockerVolume).MountPoint.Replace(":","")
Write-Host "These BitLocker volumes were found: $drives `nGetting keys..."
Foreach ($i in $drives)
{
    # Only the numeric recovery password protectors hold a key; a volume may have more than one, so join them
    $key = (Get-BitLockerVolume -MountPoint $i).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.RecoveryPassword }
    $key = $key -join ", "
    If ($key) {
        Write-Host "BitLocker Key for Drive $i`: $key `nWritten to 'BitLocker_Key_$i' asset custom field"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value $key
    } else {
        Write-Host "No BitLocker keys found for Drive $i"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value "No BitLocker keys found for Drive $i"
    }
}

Why would the process/service monitor not show up here?

This only shows the system monitors, not the custom ones we add. It would make sense for all this info to be here though. You’ll have to go into the Alerts tab and monitor from there.


Just to be clear, what you are attempting to set up will tell you if the BitLocker service is running on the device.

It will not tell you if the C drive (or any other drive for that matter) has Bitlocker encryption enabled.

Can you clarify which one you are trying to accomplish so that we can help you better?


This was a first step in service monitoring, using BitLocker as a sample service. I will eventually need a way to monitor if a device has BitLocker enabled or not for the OS drive. The suggestion of monitoring the service name rather than the display name did work properly.

What is the best way to monitor if a device has bitlocker enabled for the OS drive?
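One way to answer that last question, as an added example that was not posted by anyone in this thread: check the OS volume's ProtectionStatus and VolumeStatus rather than whether BDESVC is running, since a volume can be fully encrypted with protection suspended. It assumes Syncro's Set-Asset-Field and Rmm-Alert functions from $env:SyncroModule and a custom asset field named BitLocker_OS_Status (a hypothetical field name you would create first).

```powershell
# Added example: report the real BitLocker state of the OS drive, independent of the BDESVC service.
# Assumes the Syncro module (Set-Asset-Field, Rmm-Alert) and a custom field "BitLocker_OS_Status".
Import-Module $env:SyncroModule

$osDrive = $env:SystemDrive   # e.g. "C:"

function Get-OsBitLockerState {
    param([string]$MountPoint)

    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        # Missing cmdlets mean the BitLocker feature is not installed, which is not the same as "decrypted"
        return "Unknown - BitLocker cmdlets not available"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $vol) { return "Unknown - volume $MountPoint not found" }

    # Which protectors exist: a TPM-type protector unlocks at boot, a RecoveryPassword protector is the escrow key
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasRecovery = $types -contains 'RecoveryPassword'
    $hasTpm = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

    # ProtectionStatus is decisive: FullyEncrypted with ProtectionStatus Off means the
    # key is stored in the clear (suspended), so the drive is readable without a PIN or TPM.
    if ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
        $state = "Compliant"
    } elseif ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        $state = "InProgress"
    } elseif ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        $state = "Suspended"
    } else {
        $state = "NotEncrypted"
    }
    return "$state - $($vol.VolumeStatus)/$($vol.EncryptionMethod) - TPM:$hasTpm Recovery:$hasRecovery"
}

$status = Get-OsBitLockerState -MountPoint $osDrive
Write-Host "BitLocker OS drive status: $status"
Set-Asset-Field -Name "BitLocker_OS_Status" -Value $status

# Raise an RMM alert for anything other than Compliant so the Alerts tab can be used to monitor it
if ($status -notlike 'Compliant*') {
    Rmm-Alert -Category 'BitLocker' -Body "OS drive $osDrive is not protected: $status"
}
```

Running it on a schedule gives a field that starts with Compliant, InProgress, Suspended, NotEncrypted or Unknown, which is easier to sort and alert on than the raw recovery key, and it never needs to write the key itself to the asset.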