Bitlocker Status while encrypting..
Hi, I'm having trouble creating a collection in PDQ Inventory (v 16.4.0.0) which contains workstations where the C: drive is either fully encrypted OR is in the process of encrypting.
In the first case it's easy because the "Bitlocker Protection" field is set to "True" when the drive is fully encrypted, and the Encryption % and other relevant Bitlocker fields then also appear populated. The problem is with a computer which is in the process of encrypting. Unfortunately here, none of the relevant Bitlocker fields are getting populated by the computer scans.
In the screenshot you can see that nothing is populated although as can be seen in the second image below running "manage-bde -status" on the same computer shows that the drive is in fact encrypting..
Is this a bug in PDQ Inventory or is there something I need to do to get the other Bitlocker fields to populate for the encrypting drives. Alternatively, is there another way to create the collection I want?
Thanks in advance for any help/suggestions.
Comments
Anybody, any ideas?
Hello there! I'm sorry to hear that you're running into some issues.
I've got a couple of thoughts.
First - I notice that you were in the process of encrypting which keeps the Protection Status of bitlocker as Off (until it completes). I'm guessing you've already tried this, but have you attempted to scan that machine after the disk encryption fully completed? (You'll need to use a Scan Profile that has the Disks scanner included -- the Standard Scan Profile has that by default.)
Second - What does "manage-bde -status" show for that machine now? In PowerShell, what does "Get-CimInstance -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -ClassName Win32_EncryptableVolume" show? They should be reporting the same information. Specifically, I want to make sure that Protection Status isn't showing 0 (or Off) for that drive.
I've tested this on one of my machines that I have bitlocker enabled on and I'm getting back the appropriate bitlocker information in PDQ Inventory.
In any case, you're always welcome to open up a ticket with our Solutions Team for more in-depth investigation.
Cheers, Kris
Hi Kris, thanks for your reply. To answer your questions: I have obviously run scans in PDQ Inventory, and the "manage-bde -status", PowerShell "Get-CimInstance...." and "Get-BitlockerVolume" outputs all show the correct information and correlate with each other.
I understand that the Protection Status will show as "Off" until the drive is fully encrypted and once the machine is fully encrypted the Protection Status shows as ON and the "% Encrypted" shows (correctly) as 100%.
This is exactly the same as Manage-BDE behaves and is to be expected.
My Problem is that after Bitlocker is activated BUT BEFORE the drive is fully encrypted none of the values appear in PDQ.. I am in the process of enabling Bitlocker (with a Script pushed out from PDQ Deploy) on many client computers, and I want to create 2 collections:
Should have been easy, considering the relevant fields (Conversion Status, % Encrypted, etc.) are available in PDQ inventory - it just appears that they are not getting populated with any values (except when the drive is 100% encrypted)..
Okay, I'm following you now. Thanks for the clarification!
I have a sneaking suspicion that we're only pulling those relevant fields after we verify that a drive is encrypted.
Go ahead and open up a support ticket with us and we'll be able to do a deep dive into what's going on.
In the meantime, you could also create a wmi scanner and query Win32_EncryptableVolume for some of the basic information (such as ConversionStatus) in order to determine if a drive is in the process of encrypting.
Cheers,
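The Win32_EncryptableVolume query suggested in the last reply, as an added example that is not part of the original thread and is not PDQ's own code: it reads the conversion state of a volume directly from WMI so that a drive that is still encrypting can be told apart from one that is untouched. The function name Get-BitLockerConversionState and the EncryptedOrEncrypting column are hypothetical names chosen here, and counting a paused encryption as "encrypting" is an assumption.

```powershell
# Added example: report BitLocker conversion state per volume from WMI.
# Run from an elevated session; the MicrosoftVolumeEncryption namespace needs admin rights.

# Value maps for Win32_EncryptableVolume (ConversionStatus and ProtectionStatus).
$conversionNames = @{
    0 = 'FullyDecrypted'
    1 = 'FullyEncrypted'
    2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'
    4 = 'EncryptionPaused'
    5 = 'DecryptionPaused'
}
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-BitLockerConversionState {   # hypothetical helper name
    param([string]$DriveLetter = 'C:')

    $volumes = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"

    foreach ($vol in $volumes) {
        # GetConversionStatus also returns the percentage, which the instance itself does not expose.
        $result = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
        if ($result.ReturnValue -ne 0) {
            Write-Warning ("GetConversionStatus failed on {0} (0x{1:X8})" -f $vol.DriveLetter, $result.ReturnValue)
            continue
        }

        $status = [int]$result.ConversionStatus
        [pscustomobject]@{
            ComputerName          = $env:COMPUTERNAME
            DriveLetter           = $vol.DriveLetter
            ProtectionStatus      = $protectionNames[[int]$vol.ProtectionStatus]
            ConversionStatus      = $conversionNames[$status]
            EncryptionPercentage  = $result.EncryptionPercentage
            # Assumption: a paused encryption still counts as "in the process of encrypting".
            EncryptedOrEncrypting = $status -in 1, 2, 4
        }
    }
}

Get-BitLockerConversionState -DriveLetter 'C:'
```

On a drive that is partway through encryption this reports ProtectionStatus Off together with ConversionStatus EncryptionInProgress, which matches the manage-bde behaviour described earlier in the thread.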