BitLocker Detection and Recovery Key Retrieval 2.0

KASEYAN
Product Name: BitLocker Detection and Recovery Key Retrieval
Version: 2.0
Description : This agent procedure checks the C drive to see whether it is encrypted with BitLocker, extracts the BitLocker recovery key, and documents the results on the asset in the Audit module. It uses Custom Fields in VSA, which lets you create Views, report on the results, or even use the View in a Policy.
If you want to check other drives, you just need to edit the PowerShell command in the Agent Procedure to check a different disk.
This latest version of the agent procedure performs some error checking before entering the result in the custom field. It checks for the presence of the BitLocker feature, as the previous version wasn’t accurate in these cases.
Instructions :
This requires you to create two custom fields named BitLocker Status and BitLocker Recovery Key of type String. Once the Custom Fields are created, you can import the Agent Procedure.
You can create Custom Fields in the Audit module by going to:
VSA > Audit > View Individual Data > Machine Summary
Then import the Agent Procedure by going to:
VSA > Agent Procedures > Schedule / Create
After it has been properly imported, you just need to run it against your Windows endpoints. You can either run it manually or add it to a Policy on a schedule to run however often you want.
Documentation is included in the download.
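One way to write the kind of check described above, as an added example rather than the PowerShell command shipped in the procedure. The function name and the status strings are assumptions, and Get-BitLockerVolume needs an elevated session.

```powershell
# Added example: Get-BitLockerAuditResult and its status strings are illustrative names.
function Get-BitLockerAuditResult {
    param([string]$MountPoint = 'C:')

    # Feature check: where the BitLocker module is not installed the cmdlet does not exist.
    if (-not (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Status = 'BitLocker feature not available'; RecoveryKey = '' }
    }

    try {
        # -ErrorAction Stop turns a failed query (no such volume, not elevated) into a catchable error.
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Status = "Query failed: $($_.Exception.Message)"; RecoveryKey = '' }
    }

    # A volume can carry several recovery-password protectors; collect all of them.
    $keys = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.RecoveryPassword })

    # Report encryption state and protection state separately: a volume can be
    # FullyEncrypted while protection is suspended (ProtectionStatus Off).
    $status = '{0} (Protection {1})' -f $vol.VolumeStatus, $vol.ProtectionStatus

    [pscustomobject]@{
        Status      = $status
        RecoveryKey = ($keys -join '; ')   # always a single line, however many keys exist
    }
}

# Emit two lines for the caller to map onto the BitLocker Status and
# BitLocker Recovery Key custom fields.
$result = Get-BitLockerAuditResult -MountPoint 'C:'
$result.Status
$result.RecoveryKey
```

Writing to the output stream instead of a temporary file leaves no copy of the recovery key on disk; if the caller captures the output in a file, that file has to be deleted once it has been read.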
Comments
-
This works, but the temporary text file that's created doesn't get deleted. Can that be fixed?
0 -
@Rob S, just add a line in your procedure to delete the temporary file after it's been read into the custom field.
0 -
Jeff is correct. I had taken it out of the original script for testing purposes and never put it back.
0 -
Actually, the line is there, but it doesn't seem to work? (or at least it's not doing what it should).
0 -
I figured it out - the line was there, but was just disabled (didn't realise that was a thing!) - but all now working as expected. Thanks!
0
-
We've been using this for a few months and for the most part it works wonderfully (thank you!) but occasionally we get some false negatives. Devices will have the Bitlocker Status custom field set to "Not encrypted"; however, after running Get-BitlockerVolume it shows as FullyEncrypted and running the (Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword command will print the key. Any ideas why this happens to a few? Running the procedure after verifying the commands results in a success then with no other comments (except for the skip unsupported OS steps) but the field doesn't change.
0 -
We're using the cloud VSA, and are having trouble importing this XML. Are we missing something obvious?
The file, if uploaded as an XML, just gives a generic please upload an XML ex
0 -
I'm getting the same error as @JesusShahid
Would love to start using this, any help is appreciated.
0 -
Hey @Dave Woodfill and @JesusShahid here is the fix to the procedure.
Remove the periods obviously but it has the tool required to fix the tags which aren't in the new procedure environment anymore. Once you run it on the .xml you can import it and run it successfully😀.
1 -
Hello,
Thanks for the nice script. We used it already on-premise, but we are moving over to SaaS. Now we get an error when there is more than one key!
FAILED in processing THEN step 3, Update System Info, with error Database access error, Failed SQL command: IF EXISTS (SELECT agentGuid FROM auditRsltManualFieldValues WHERE ((agentGuid = ?) AND (fieldNameFK IN (SELECT id FROM auditRsltManualFields WHERE ((fieldName = ?) AND (partitionId = (SELECT partitionId FROM machNameTab WHERE agentGuid = ?))))))) UPDATE auditRsltManualFieldValues SET fieldValue = ? WHERE ((agentGuid = ?) AND (fieldNameFK IN (SELECT id FROM auditRsltManualFields WHERE ((fieldName = (Line 22)
If I copy the keys manually it works (even though it's a long string).
Any help is appreciated.
Thanks
0 -
This worked great for us, thank you! It takes a couple minutes to process and update, so if you check the custom fields immediately after running the procedure, it may not show up yet. I had to follow the guide regarding the XML-Tool that JPayne commented about before I could import.
0 -
Works great thank you
0 -
We are having issues where sometimes the script fails on the first line when checking the OS type but also if there are multiple keys the custom field never updates. Has anyone come across this issue?
1 -
Seeing the same issue as Ruppert with some failures when checking OS: if checkVar ("#vMachine.OsInfo#") Contains "Server"
0