Thank you very much Treilly! This certainly helps us identify systems that have Bitlocker on/off. I think that the Disk Scanner in Inventory would still be ideal since it would tell us which system drives are encrypted and which ones are not.
Once identified can Bitlocker be turned off remotely? We now have a way to put McAfee Encryption on devices that had Bitlocker installed and of course are deployed out into service, so we would benefit from turning it off remotely.
Has there been any update on this feature request? I've gotten very familiar with the 'manage-bde' commands but I've been unable to get the 'rebootcount' to work. It gives me an error 'Invalid Syntax "-rc" was not understood'. The command I used is
hey Jeff, I just found this and it's really helpful. We are trying to find the computers that do not have a PIN on them. Is there a way to make a collection that will show me computers that DO NOT have TPM And Pin as a key protector?
I just struggled with this today as well but now I have a working PDQ Deploy package that suspends Bitlocker for 1 restart (For example if you use a startup PIN). Just use the command below.
Comments
If possible, this would be very helpful. We have found that MBAM reporting is not very accurate.
We are looking into collecting BitLocker information as part of the Disks scanner in Inventory.
Thanks Shane, I think that would be a great addition!
Agreed, this would be an excellent feature.
You can Make a Dynamic Collection for both of these conditions nested.
( Filter=Service | Column=Description | Comparison=Contains | Value=BDESVC)
( Filter=Service | Column=State | Comparison=Contains | Value=Running)
Thank you very much Treilly! This certainly helps us identify systems that have Bitlocker on/off. I think that the Disk Scanner in Inventory would still be ideal since it would tell us which system drives are encrypted and which ones are not.
Once identified can Bitlocker be turned off remotely? We now have a way to put McAfee Encryption on devices that had Bitlocker installed and of course are deployed out into service, so we would benefit from turning it off remotely.
Duane - If you have any remote management suite that can send commands you can do so with the manage-bde command: https://technet.microsoft.com/en-us/library/Ff829849.aspx
Has there been any update on this feature request? I've gotten very familiar with the 'manage-bde' commands but I've been unable to get the 'rebootcount' to work. It gives me an error 'Invalid Syntax "-rc" was not understood'. The command I used is
manage-bde -protectors -disable c: -rc 1
Chris - I could use PDQ deploy enterprise to do this? I am not familiar with the manage-bde command
In PDQ Inventory I've created a custom tool to suspend Bitlocker and another one to resume. Below is the command line to disable.
C:\Program Files (x86)\PSTools\psexec.exe -accepteula \\%Target% -s %windir%\system32\Manage-bde.exe -protectors -disable c:
I've also created a package in PDQ Deploy to do the same thing using the command below.
%windir%\system32\Manage-bde.exe -protectors -disable c:
When will this become available?
Hi Jeffrey,
This is included in Inventory 8 under the Disk Drives panel.
hey Jeff, I just found this and it's really helpful. We are trying to find the computers that do not have a PIN on them. Is there a way to make a collection that will show me computers that DO NOT have TPM And Pin as a key protector?
Or is there some kind of report we could create?
In reply to Zack's request
I just struggled with this today as well but now I have a working PDQ Deploy package that suspends Bitlocker for 1 restart (For example if you use a startup PIN). Just use the command below.
Suspend-BitLocker -MountPoint "C:" -RebootCount
Please sign in to leave a comment.