
Dynamic Collection filter issue

I can't get the following to work:

Trying to create a dynamic collection that shows me clients that belong to a specific AD group, don't have BitLocker enabled on their local disk and also no PIN as a key protector.

Easy enough, I thought, I'll add those filters and voila.

The problem I then encountered was that a client with the following device wouldn't leave the group, even though the disk didn't match multiple filters.

This is possibly because of a second disk. Usually an SD card or USB drive. Obviously, these are not encrypted and surely have no protectors.

I want the filters only to look at disk drives of the media type 'Fixed hard disk media', so I've added that as well. Sadly, this still doesn't work. How do I apply the 2 Local Disk filters only to the 1 Disk Drive filter?

Comments

2 comments
  • I realize this is very old, but I'm having the same issue. Were you ever able to resolve this? Media Type and Bitlocker Protection don't seem to exclude hosts that have external USB drives.

    0
  • Just wanted to circle back and post my solution. In the end, I used a PowerShell scanner that I run every 4 hours to place hosts in a dynamic group if Bitlocker is not enabled on local drives. Here's the script for the scanner:

    Get-Disk | Where-Object { $_.BusType -ne 'USB' } |           # drop USB-attached disks (SD/USB media often report as Fixed)
        Get-Partition | Where-Object { $_.DriveLetter } |          # only partitions with a drive letter can be queried by mount point
        Select-Object -ExpandProperty DriveLetter |
        Get-BitLockerVolume |                                      # BitLocker status per remaining drive letter
        Select-Object MountPoint, ProtectionStatus, EncryptionPercentage, VolumeStatus |
        Sort-Object MountPoint

    That eliminates all USB drives that show up as Fixed.

    From there, I could create dynamic groups for Bitlocker Not Enabled or Suspended:
    Bitlocker Scanner Name, ProtectionStatus, Does Not Equal, On

    And then separate out the groups into Not Enabled:
    ALL ->
        Bitlocker Scanner Name, ProtectionStatus, Equals, Off
        Bitlocker Scanner Name, VolumeStatus, Equals, FullyDecrypted

    And into a group for Suspended (as is the case with fresh Windows installs or where Bitlocker has been manually suspended for firmware updates):
    ALL ->
        Bitlocker Scanner Name, ProtectionStatus, Equals, Off
        Bitlocker Scanner Name, VolumeStatus, Equals, FullyEncrypted

    Hope this helps someone.

    0
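The three group rules in the answer above (Protection Off + FullyDecrypted = Not Enabled, Protection Off + FullyEncrypted = Suspended, everything else), written out as a function that can be checked against constructed data before it is wired into a dynamic group. This is an added example, not code from the thread or from the scanner; the function name and the sample records are assumptions.

```powershell
# Added example: classify scanner output rows into the groups described above.
# Expects objects with MountPoint, ProtectionStatus and VolumeStatus, i.e. the
# shape produced by Get-BitLockerVolume | Select-Object in the scanner.
function Get-BitLockerGroupState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Volume
    )
    process {
        if ($Volume.ProtectionStatus -eq 'On') {
            $state = 'Protected'                 # compliant
        }
        elseif ($Volume.ProtectionStatus -eq 'Off' -and $Volume.VolumeStatus -eq 'FullyEncrypted') {
            $state = 'Suspended'                 # encrypted, protectors off (fresh install, firmware update)
        }
        elseif ($Volume.ProtectionStatus -eq 'Off' -and $Volume.VolumeStatus -eq 'FullyDecrypted') {
            $state = 'NotEnabled'                # never encrypted
        }
        else {
            $state = 'InProgress'                # encryption/decryption still running; recheck next scan
        }
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            ProtectionStatus = $Volume.ProtectionStatus
            VolumeStatus     = $Volume.VolumeStatus
            GroupState       = $state
        }
    }
}

# Constructed sample rows (hypothetical host with four lettered volumes)
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On';  VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted' }
    [pscustomobject]@{ MountPoint = 'F:'; ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress' }
)

$classified = $sample | Get-BitLockerGroupState
$classified | Format-Table -AutoSize

# A host belongs in the remediation group when any fixed volume is not Protected
$needsAttention = @($classified | Where-Object GroupState -ne 'Protected').Count -gt 0
"Host needs attention: $needsAttention"
```

Replace `$sample` with the scanner pipeline's output to run it against a real host.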