Attempting to monitor if BitLocker is enabled

Assets & RMM Policies
1

I have assets that I have assigned the following process monitor:

Capto_Capture 2022-04-17_11-05-37_AM
Capto_Capture 2022-04-17_11-05-37_AM2102×1240 226 KB

Capto_Capture 2022-04-17_11-08-31_AM
Capto_Capture 2022-04-17_11-08-31_AM952×708 44.7 KB

Capto_Capture 2022-04-17_11-09-16_AM
Capto_Capture 2022-04-17_11-09-16_AM2268×1012 132 KB

Capto_Capture 2022-04-17_11-10-33_AM
Capto_Capture 2022-04-17_11-10-33_AM2078×1424 180 KB

However, it does not appear to be working or even assigned to the asset as part of a monitor. What am I missing to get this working properly?

Thanks!

2

Hi,

I run this script weekly:

Import-Module $env:SyncroModule

$Bitlocker = Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue
if ($Bitlocker -notlike $null) {
$BitlockVolume = Get-BitLockerVolume -Mountpoint "C:" 
$BitlockVolumeStatus = $BitlockVolume.VolumeStatus
$BitlockVolumeMethos = $BitlockVolume.EncryptionMethod
$BitlockerStatus = "$BitlockVolumeStatus - $BitlockVolumeMethos"
$BitlockerID = $BitlockVolume.KeyProtector | where-object {$_.KeyProtectorType -match "RecoveryPassword"} | Select-Object -ExpandProperty KeyProtectorId
$BitlockerKey = $BitlockVolume.KeyProtector | where-object {$_.KeyProtectorType -match "RecoveryPassword"} | Select-Object -ExpandProperty RecoveryPassword
$BitlockerID = $BitlockerID -replace '[{}]',""
Set-Asset-Field -Name "BitLockerStatus" -Value "$BitlockerStatus"
Set-Asset-Field -Name "BitLockerID" -Value "$BitlockerID"
Set-Asset-Field -Name "BitLockerKey" -Value "$BitlockerKey"
}
else {
Set-Asset-Field -Name "BitLockerStatus" -Value "Decrypted"
Set-Asset-Field -Name "BitLockerID" -Value "Decrypted"
Set-Asset-Field -Name "BitLockerKey" -Value "Decrypted"
}

You need to create those customfields before.

3

Thank you - but does the built in functionality of process/service monitoring not work?

4

Not sure if it is possible to monitor bitlocker this way. Have never checked the service itself.

5

Can anyone from Syncro chime in to see if this is possible?

6

Hi trinity-logix, can you send a screenshot of the service name in Task Manager while it’s running? Then when you stop the process for 5mins can you confirm that it’s not automatically restarting?

7

The BitLocker service is BDESVC, you’ll need to use the actual names of the service or process in order to monitor. There are scripts posted on here that will write the BitLocker key to some custom asset fields and you can sort and monitor that way. The above script will work, with a little modification, you can monitor more than just the C drive. The BitLocker service is a manual start, so all you’re really monitoring for is if the service is running, not if the drive is encrypted or not.

1 Like
8

Capto_Capture 2022-04-18_11-24-21_AM
Capto_Capture 2022-04-18_11-24-21_AM1357×136 17.2 KB

The service is stopped already. I will modify to the service name of BDESVC and report back.

9

Here’s the script I use. It will write to the custom fields if it’s not enabled, or it will provide the recovery key. You’ll just need to create the custom fields.

<############################

How to use:

This script gather the BitLocker volumes, gather the keys, and write the keys for each drive to an asset custom field.

Asset fields should be created with this format: BitLocker_key_[drive letter]
For example, BitLocker_key_C (case sensitive) would be for drive C. Each drive will need an asset field.
The script output will also state what field the key was saved to.

############################>

Import-Module $env:SyncroModule

$drives = (Get-BitLockerVolume).MountPoint.Replace(":","")
Write-Host "These BitLocker volumes were found: $drives `nGetting keys..."
Foreach ($i in $drives)
{
    $key = (Get-BitLockerVolume -MountPoint $i).keyprotector.recoverypassword
        If ($key) {
        Write-Host "BitLocker Key for Drive $i`: $key `nWritten to 'BitLocker_Key_$i' asset custom field"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value $key

    } else {
        Write-Host "No BitLocker keys found for Drive $i"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value "No BitLocker keys found for Drive $i"
    }
}
10

Capto_Capture 2022-04-18_11-30-33_AM
Capto_Capture 2022-04-18_11-30-33_AM1343×431 41.4 KB

Why would the process/service monitor not show up here?

11

This only shows the system monitors, not the custom ones we add. It would make sense for all this info to be here though. You’ll have to go into the Alerts tab and monitor from there.

1 Like
12

Just to be clear, what you are attempting to setup will tell you if the Bitlocker service is running on the device.

It will not tell you if the C drive (or any other drive for that matter) has Bitlocker encryption enabled.

Can you clarify which one you are trying to accomplish so that we can help you better?

1 Like
13

This was a first step in service monitoring using bitlocker as a sample service. I will eventually need a way to monitor if a device has BitLocker enabled or not for the OS drive. With the suggestion of monitoring the service name rather than the display name that did work properly.

What is the best way to monitor if a device has bitlocker enabled for the OS drive?

14

There is a fault in this script. It says Create Asset Field with BitLocker_key_C (Case Sensitive) and the code in the script is BitLocker_Key_$i with Capital K