Dynamic Collection filter issue
I can't get the following to work:
Trying to create a dynamic collection that shows me clients that belong to a specific AD group, don't have BitLocker enabled on their local disk and also no PIN as a key protector.
Easy enough, I thought, I'll add those filters and voila.
The problem I then encountered was that the a client with the following device wouldn't leave the group, even tho the disk didn't match multiple filters.
This is possibly because of a second disk. Usually an SD card or USB drive. Obviously, these are not encrypted and surely have no protectors.
I want the filters only to look at disk drives of the media type 'Fixed hard disk media', so I've added that as well. Sadly, this still doesn't work. How do I apply the 2 Local Disk filters only to the 1 Disk Drive filter?
-
Just wanted to circle back and post my solution. In the end, I used a PowerShell scanner that I run every 4 hours to place hosts in a dynamic group if Bitlocker is not enabled on local drives. Here's the script for the scanner:
Get-Disk | Where-Object {$_.bustype -ne 'USB'} | Get-Partition | Where-Object { $_.DriveLetter} | Select-Object -ExpandProperty DriveLetter | Get-BitLockerVolume | Select MountPoint,ProtectionStatus,EncryptionPercentage,VolumeStatus | Sort-Object MountPoint
That eliminates all USB drives that show up as Fixed.
From there, I could create dynamic groups for Bitlocker Not Enabled or Suspended:
Bitlocker Scanner Name, ProtectionStatus, Does Not Equal, OnAnd then separate out the groups into Not Enabled:
ALL ->
Bitlocker Scanner Name, ProtectionStatus, Equals, Off
Bitlocker Scanner Name, VolumeStatus, Equals, FullyDecryptedAnd into a group for Suspended (as is the case with fresh Windows installs or where Bitlocker has been manually suspended for firmware updates):
ALL ->
Bitlocker Scanner Name, ProtectionStatus, Equals, Off
Bitlocker Scanner Name, VolumeStatus, Equals, FullyEncryptedHope this helps someone.
Please sign in to leave a comment.
Comments
2 comments