Greetings;

 

I have a request to query how much of a laptop fleet supports hardware encryption. I inquired with LT support, but was told that because LT uses SMBIOS for hardware inventory, it has no information on TPM status.

 

I'm looking to recreate this sort of functionality, which if necessary I guess I could do as a VBScript that populates an EDF:

 

http://tech.scorpits.com/2013/09/sql-report-for-trusted-platform-module.html

 

Any other ideas?


It looks like you can query TPM status via WMIC. So it looks like I could either upload individual HTML file results, or populate an EDF with the results. Is there a good way in LT scripting to parse out values from a script? The WMIC line will return several values, and ideally I'd populate three EDFs with them.

 

The WMIC command:

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get /value

 

WMIC will spit out this:

 

IsActivated_InitialValue=FALSE
IsEnabled_InitialValue=FALSE
IsOwned_InitialValue=FALSE
ManufacturerId=1229346816
ManufacturerVersion=3.17
ManufacturerVersionInfo=0311000800
PhysicalPresenceVersionInfo=1.0
SpecVersion=1.2, 2, 2

 

How do I look through %SHELLRESULT% or a text file output and set three values? Do I just use successive VARIABLE CHECK statements against %SHELLRESULT% and check each value?

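An added example (not code from the original post, and not part of any LabTech script) showing the two pieces the post above asks about: parsing the Key=Value text that `wmic ... get /value` prints into three values, and querying Win32_Tpm directly from PowerShell so no text parsing is needed at all. The function names Get-TpmInventory and ConvertFrom-WmicValueText are chosen for this example; the sample text is the WMIC output quoted in the post. The live query needs an elevated session on the endpoint.

```powershell
# Added example, not from the original post. Function names are chosen here.

function Get-TpmInventory {
    # Query the Win32_Tpm class directly instead of shelling out to WMIC.
    # The class exists on Windows Vista and later; it returns nothing when the
    # machine has no TPM or no TPM driver, which is itself the answer for a
    # "does this laptop support hardware encryption" report.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            TpmPresent  = $false
            IsEnabled   = $false
            IsActivated = $false
            IsOwned     = $false
            SpecVersion = $null
        }
    }
    [pscustomobject]@{
        TpmPresent  = $true
        # The *_InitialValue properties WMIC prints are the state at boot;
        # the class methods return the current state, which is what an
        # inventory should record after someone takes ownership.
        IsEnabled   = [bool]$tpm.IsEnabled().IsEnabled
        IsActivated = [bool]$tpm.IsActivated().IsActivated
        IsOwned     = [bool]$tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion
    }
}

function ConvertFrom-WmicValueText {
    param([string[]]$Lines)
    # Turn the "Key=Value" lines of `wmic ... get /value` into a hashtable.
    # Blank lines (WMIC pads its output with them) do not match and are skipped.
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Constructed sample: the WMIC output quoted in the post above.
$sampleWmicOutput = @'
IsActivated_InitialValue=FALSE
IsEnabled_InitialValue=FALSE
IsOwned_InitialValue=FALSE
ManufacturerId=1229346816
ManufacturerVersion=3.17
ManufacturerVersionInfo=0311000800
PhysicalPresenceVersionInfo=1.0
SpecVersion=1.2, 2, 2
'@ -split '\r?\n'

$parsed = ConvertFrom-WmicValueText -Lines $sampleWmicOutput

# The three values to push into EDFs. WMIC prints TRUE/FALSE as text, so
# compare against the string rather than casting with [bool] ("FALSE" casts to $true).
$edfValues = [ordered]@{
    TpmEnabled   = ($parsed['IsEnabled_InitialValue']   -eq 'TRUE')
    TpmActivated = ($parsed['IsActivated_InitialValue'] -eq 'TRUE')
    TpmOwned     = ($parsed['IsOwned_InitialValue']     -eq 'TRUE')
}
$edfValues

# Live query on the endpoint (elevated); each property maps to one EDF.
Get-TpmInventory | Format-List
```

Each property of the returned object can be written to its own EDF with the script engine's ExtraData Set Value step rather than running VARIABLE CHECK against the whole of %SHELLRESULT%. On Windows 8 and later the TrustedPlatformModule module's Get-Tpm cmdlet reports the same state; the WMI class above also works on Windows 7, which is why it is used here.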

Thanks so much for sharing! It seems the script exits early on machines that aren't currently using BitLocker and never checks whether it has a TPM or not. Since I don't have a full grasp of all the things this script is doing without documentation, I don't really know what modifications to make so that it will check TPM anyway; could you tell me how to do that? Also, I don't really know what the TPM Protector reinstall business is about. Sorry to be a pain!


The TPM protector reinstall is because we found that on systems that have BitLocker errors, reinstalling the TPM protector is the fastest way to fix not being able to access a drive.

Lines 17 through 23 check for TPM; you should be able to pull those out as a scriptlet.

Thanks so much for sharing! It seems the script exits early on machines that aren't currently using BitLocker.

I ditto the thanks, but I think there is a bug in that the exit script should be raised up to line 8, after "set extrafield bitlocker volume detected = 0", rather than after setting the date.

This way the script will check for ON; if it finds it (BitLocker enabled), it jumps to the date and proceeds with the rest of the checks. If it does not find ON, it marks the device as not having BitLocker and exits.

 

As an alternative, disable the exit script and it will continue to check for TPM for you and report back.

 

Note that I found on my Windows 8.1 machine that I get the following error when checking the TPM settings:

14:52:01 PS C:\andy\powershellinamonthoflunches> manage-bde -tpm -t
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: Manage-bde cannot manage the Trusted Platform Module (TPM) in this version of Windows. To manage the Trusted Platform Module (TPM), use either the TPM Management MMC snap-in or the TPM Management PowerShell cmdlets.

 

I suspect this script will not work as it stands with Windows 8 (.1) machines?


I have not noticed any issues in 8 or 8.1; it should work. But 98% of our clients work with Win 7 Enterprise, so we have not really tested this.

If you find a fix, please post it, as I currently do not have the extra time to allocate to the script.


Will do, although, like you, not enough time in the day to work on it at the moment. It helped tremendously on Win7, and I just happened to try it on my Win8 machine and found the commands changed; so much for backward compatibility with PowerShell ;-)


I just came across this and imported it into our LabTech 10 server. It put all of the data into the date field and left all other fields blank or unchecked. If someone has updated this, please let me know. Otherwise I will work on this and re-upload it. I also want to build a report and a client rollup view for all of this data as well.

I just came across this and imported it into our LabTech 10 server.

Oh you and your LT 10. I have been waiting so long for ours and we still are waiting. lol

Question 1: How do you like LT10?

Question 2: How awesome is ScreenConnect?

And as soon as I get LT10 I will be working on this script again, as it needs updates for Windows 8.1 (starting to get an increased number of these machines), and now I guess it needs updating for LT10. Not sure what has changed in the back-end, but I suspect that a lot of our custom scripts will need work.

This brings me to question 3:

Do you use many custom scripts, and if so, how many have you had to fix after the update?


LT 10 has not changed much at all. It is more Market Place to Solutions Center and other plugins.

 

ScreenConnect is awesome. We already owned it prior to LT's integration with it, but the integration made things much easier.

 

We do have some custom scripts, but nothing has really changed on the backend so we haven't had to change any of our scripts.

 

I have quickly looked at the TPM script and I can't see why it isn't writing the info to the EDFs. They have been created and all seems like it should be working. May need to do DB agent and update the agent plugins or something for this to function.


I've created the EDFs and imported the script, but I'm getting this error when I run it against a Server 2008 R2 machine (ID's and keys altered). Any idea what's going on?

 

The script(6000) failed in the THEN section  at step 9

Start	Bitlocker Key Retrieval and Repair
IF	True		Parameter1:  	Parameter2:  	Parameter3:  	Time Taken: 74238.6329604
L1	Shell	Parameters Hidden  	Time Taken: 74238.7421611
L2	Variable Check		Parameter1: BitLocker Drive Encryption: Co 	Parameter2: 8 	Parameter3: namespace 	Time Taken: 74280.4256283
Script Engine - BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
All Key Protectors

   TPM:
     ID: {24C4BE99-A3E9-40E9-AA6D-80A1FBCD74B5}

   Numerical Password:
     ID: {F79693DF-DD35-4525-B332-C0E137326595}
     Password:
       520729-008052-645172-660066-486882-274362-000748-217041

   External Key:
     ID: {4C2D0D89-AB2B-40C8-AAF4-185CCACE30A9}
     External Key File Name:
       4C2D0D89-AB2B-40C8-AAF4-185CCACE30A9.BEK variable doesn't exit - Performing Legacy Comparison
L3	Script Note		Parameter1: :Begin 	Parameter2:  	Parameter3:  	Time Taken: 74280.534829
L4	Powershell Command		Parameter1: manage-bde -status|select-stri 	Parameter2:  	Parameter3:  	Time Taken: 74280.6440297
L5	Variable Check		Parameter1: Protection Status:    Protecti 	Parameter2: 8 	Parameter3: On 	Time Taken: 74289.8792889
Script Engine - Protection Status:    Protection On variable doesn't exit - Performing Legacy Comparison
L9	ExtraData Set Value		Parameter1: 6824bbb7-0775-11e4-a485-00155d 	Parameter2: 5 	Parameter3: BitLocker Drive Encryption: Co 	Time Taken: 74289.9884896


When I try to edit the script to see where it's failing I get this error:

Error loading script: Syntax error: Missing operand after 'abcd387' operator.

Once I hit OK, it loads up to line 7 and then just freezes. I can select other tabs in the script, but I never see the rest of it. I'm on LT10 SaaS.


I had a customer of mine request we manage this for them.

 

1. Windows wants control of the TPM chip. If it doesn't own it, you have to run the snap-in to change ownership, which requires someone in front of the machine, as it prompts during boot. Make sure you do this BEFORE you deploy.

 

2. BitLocker only works with the enterprise and ultimate editions of Windows Vista and Windows 7. Pro and Enterprise for Windows 8/8.1.


Ok We just upgraded to LT10 this week. I will be looking to see if there is anything that I can Fix with this script as it has come time where we are bringing on another client that needs Bitlocker management.

Will post any fixes that I Make.

Ok We just upgraded to LT10 this week. I will be looking to see if there is anything that I can Fix with this script as it has come time where we are bringing on another client that needs Bitlocker management.

Will post any fixes that I Make.

 

I just came across this script as I am looking to implement something similar. I haven't tried in LT 10 yet, but have you made any changes or noticed if it is or isn't working with LT 10?


I have it working well on a hosted labtech.

 

Once you disable the "exit script" on line 10 in the script, it adds all the correct data to the correct fields.

@cuatrocinco, I had that exact error; I just restarted my LabTech client and opened the script up again.


So one problem I see with the script (which works great on Windows 10, BTW) is that it only copies A (single) RECOVERY KEY. If the machine has multiple volumes encrypted, each of those has its own key, and they are not logged anywhere. Seems we would need to modify the script and EDF to record as many keys as are available, along with which drive each is for. Thoughts? I know that using Get-BitLockerVolume will enumerate all BitLocker volumes, the mount point (drive letter) and stats. Then if you use (Get-BitLockerVolume -MountPoint E).KeyProtector and change the mount point letter to match an encrypted drive, it gives you the key for it along with other data specific to that.

 

Also if you just run: (Get-BitLockerVolume).KeyProtector it dumps all of it but doesn't tell you what drive it is for.

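An added example (not from the original thread or the shared script) that does what the post above describes: walk every BitLocker volume, keep the mount point together with each recovery-password protector, and emit one row per (volume, protector) so a multi-volume machine is fully recorded. The function name Get-BitLockerRecoveryInventory is chosen for this example. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated session, since RecoveryPassword is only populated when elevated.

```powershell
# Added example, not part of the original script. Function name chosen here.

function Get-BitLockerRecoveryInventory {
    # Get-BitLockerVolume with no arguments returns every volume, encrypted
    # or not. Iterating volumes (rather than flattening .KeyProtector across
    # all of them) is what keeps the mount point attached to each key.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        if (-not $recovery) {
            # No numerical-password protector: the volume is not encrypted, or
            # is protected by TPM/external key only. Report it anyway so the
            # gap is visible in the fleet view instead of silently missing.
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorId      = $null
                RecoveryPassword = $null
            }
            continue
        }

        # A volume can carry more than one recovery password; emit each one.
        foreach ($kp in $recovery) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorId      = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword
            }
        }
    }
}

# One row per volume and recovery password, in the shape an EDF or report needs.
Get-BitLockerRecoveryInventory | Format-Table -AutoSize

# Same inventory with the password masked, for anything that ends up in a
# script log. The ID is enough to match a key later; the 48-digit password
# itself should only go to the escrow location.
Get-BitLockerRecoveryInventory |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, ProtectorId,
        @{ Name = 'RecoveryPassword'
           Expression = { if ($_.RecoveryPassword) { '******' } else { $null } } } |
    Format-Table -AutoSize
```

The masked variant is worth using as the default: the script-engine log quoted earlier in this thread echoed a full numerical password into the step output, and script logs are usually far more widely readable than the EDF that is meant to hold the key.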

Interesting Information.

I am needing to run a report on BitLocker keys, so I will be working on this.

We had not had a need for multiple keys but i will see what I can do with that.
