Bitlocker status audit via System Manager

Comes here often

Bitlocker status audit via System Manager

Hi,

 

Using SM across a mixed estate of MacOS, iOS and Win10 endpoints.

 

All working well, apart from the inability to audit or manage Disk encryption on the Win10 endpoints. I understand there was a trial of this last year, but no current capabilities.

 

Can anyone advise:

  • If this is a roadmap feature with an ETA
  • Any workaround/scripts/apps that can be used to record/populate the disk encryption status of a number of SM registered Win10 machines?

 

Kind of a big deal

Re: Bitlocker status audit via System Manager

I don't know the answers. I know you can use the command 'manage-bde -status' to get the BitLocker status. You can probably get it via some PowerShell API as well.

You would need to write a script to retrieve the info and then store it somewhere.

Comes here often

Re: Bitlocker status audit via System Manager

Sure, that works locally in a PowerShell terminal with Admin rights....

Can I run a PowerShell script remotely via System Manager? I have a number of remote endpoints on different networks, no relevant Domain etc.

Comes here often

Re: Bitlocker status audit via System Manager

Anyone else able to assist?


Meraki Support has not answered a case in several days. Amazed that anyone using Meraki on Windows endpoints does not audit BitLocker status?

T1
Getting noticed

Re: Bitlocker status audit via System Manager

We push PowerShell scripts to Windows endpoints wrapped as .msi. The script enables encryption on remote machines and reports back to a VM in Azure with encryption status and recovery key. Didn't implement an audit (waiting for Meraki to do it), but it is fairly easy to run a script as a scheduled task and report BitLocker status on a regular basis to some kind of centralised location.
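As an added example of the approach described in the reply above (this is not code from the thread, from that poster's deployment, or from Meraki), here is a PowerShell script that collects BitLocker status for every volume, posts it as JSON to a central collector, and can register itself as a daily scheduled task so the audit keeps running after the .msi that dropped it has finished. The collector URL, task name, install path under ProgramData, and the JSON field names are all assumptions to replace for your own estate; the `manage-bde -status` fallback parser is also an assumption about that tool's text output and is only used when the BitLocker module is absent.

```powershell
# Added example, not from the thread or from Meraki. Collects BitLocker status,
# reports it to a central collector, and optionally installs a daily task.
# Assumed placeholders: $CollectorUrl, $TaskName, and the ProgramData install dir.
#Requires -RunAsAdministrator
param(
    [string]$CollectorUrl = 'https://bitlocker-audit.example.internal/report',  # assumption
    [string]$TaskName     = 'BitLockerStatusAudit',                            # assumption
    [switch]$Install                                                           # register the task instead of reporting once
)

function Get-VolumeStatusViaModule {
    # Preferred path: the BitLocker PowerShell module shipped with Win10 Pro/Enterprise.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = [string]$_.VolumeType          # OperatingSystem / Data
            ProtectionStatus     = [string]$_.ProtectionStatus    # On / Off
            VolumeStatus         = [string]$_.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            EncryptionPercentage = $_.EncryptionPercentage
            EncryptionMethod     = [string]$_.EncryptionMethod
            KeyProtectorTypes    = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        }
    }
}

function Get-ManageBdeField([string]$Block, [string]$Label) {
    # Pull "Label:   value" out of one volume block of manage-bde output.
    if ($Block -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return 'Unknown'
}

function Get-VolumeStatusViaManageBde {
    # Fallback: parse 'manage-bde -status' text (layout assumed) when the module is missing.
    $text   = & manage-bde.exe -status 2>&1 | Out-String
    $blocks = $text -split '(?m)^Volume '
    foreach ($block in $blocks) {
        if ($block -notmatch '^\s*([A-Z]:)') { continue }     # skip the tool's header chunk
        $mount      = $Matches[1]
        $volType    = if ($block -match '\[OS Volume\]') { 'OperatingSystem' } else { 'Data' }
        $protection = Get-ManageBdeField $block 'Protection Status'
        [pscustomobject]@{
            MountPoint           = $mount
            VolumeType           = $volType
            ProtectionStatus     = if ($protection -like 'Protection On*') { 'On' } else { 'Off' }
            VolumeStatus         = (Get-ManageBdeField $block 'Conversion Status') -replace '\s', ''
            EncryptionPercentage = [double]((Get-ManageBdeField $block 'Percentage Encrypted') -replace '[^\d.]', '')
            EncryptionMethod     = Get-ManageBdeField $block 'Encryption Method'
            KeyProtectorTypes    = @()                        # not parsed in the fallback path
        }
    }
}

function Get-BitLockerAuditReport {
    $volumes = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-VolumeStatusViaModule
    } else {
        Get-VolumeStatusViaManageBde
    }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ReportedAt        = (Get-Date).ToUniversalTime().ToString('o')
        OsVolumeProtected = [bool]($volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' })
        Volumes           = @($volumes)
    }
}

function Send-BitLockerAuditReport([pscustomobject]$Report, [string]$Url) {
    $json   = $Report | ConvertTo-Json -Depth 5
    $logDir = Join-Path $env:ProgramData 'BitLockerAudit'
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    # Keep the last result locally so it is inspectable even when the collector is unreachable.
    $json | Set-Content -Path (Join-Path $logDir 'last-report.json') -Encoding UTF8
    try {
        Invoke-RestMethod -Uri $Url -Method Post -ContentType 'application/json' -Body $json -TimeoutSec 30 | Out-Null
    } catch {
        Write-Warning "Collector unreachable: $($_.Exception.Message); report kept locally."
    }
}

function Install-BitLockerAuditTask {
    # Copy this script to a stable path and run it daily as SYSTEM.
    $installDir = Join-Path $env:ProgramData 'BitLockerAudit'
    New-Item -ItemType Directory -Path $installDir -Force | Out-Null
    $scriptPath = Join-Path $installDir 'Invoke-BitLockerAudit.ps1'
    Copy-Item -Path $PSCommandPath -Destination $scriptPath -Force
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -CollectorUrl `"$CollectorUrl`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 09:00
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Install) { Install-BitLockerAuditTask } else { Send-BitLockerAuditReport -Report (Get-BitLockerAuditReport) -Url $CollectorUrl }
```

Running the script with no arguments reports once; running it with `-Install` copies it under ProgramData and registers the scheduled task, which is the step to put in the .msi's custom action so the audit persists after the installer's single run. The report carries only status and key protector types, never the recovery password itself; the collector then only needs to flag hosts whose `OsVolumeProtected` is false or whose last `ReportedAt` is stale.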

Comes here often

Re: Bitlocker status audit via System Manager

Thanks for responding. Will look into wrapping a script (presumably something with 'manage-bde -status') into an .msi.

Does that get tracked as installed on Meraki, or does it just run once and show as not installed? I was considering exploring the 'command' option for a script but have read mixed results.

It's also annoying as we will have to build some form of host server for all the endpoints to call home to, which we currently don't have/need.
T1
Getting noticed

Re: Bitlocker status audit via System Manager

Once a device is encrypted, we add "encrypted" to the notes field, but that's about it. We are not happy with all these workarounds we have to do to fix a piece of functionality which should be there out of the box. Monitoring encryption status is possible and not hard to implement, but MDM is still in the early stages of rollout, so this is not high on our list of priorities.

 

At our last meeting with Meraki they were quite surprised to hear what we do with scripts. As far as I understood them, they are still trying to prioritize which MDM controls to implement for Win 10 platform.

KPA
New here

Re: Bitlocker status audit via System Manager

We are having the same issue with using System Manager. It is not able to manage and enforce BitLocker on Windows Devices. We have resorted to using TruGrid BitLocker Management for this.

 

Kay
