anyweb

How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ?




You might need to know whether your drive is protected with BitLocker or not while in WinPE, so how do you do that? By utilising a call to the GetProtectionStatus method of the Win32_EncryptableVolume class.

Using WMI Code Creator I put together some simple code to check the value of this class, so the first version looked like this:

 

[image: wmicodegenerator.png]

 

 

' Connect to the BitLocker WMI provider namespace on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_EncryptableVolume",,48)
' One instance is returned per encryptable volume;
' ProtectionStatus is 0 = OFF, 1 = ON, 2 = UNKNOWN (for example when the volume is locked)
For Each objItem in colItems
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Win32_EncryptableVolume instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "ProtectionStatus: " & objItem.ProtectionStatus
Next

 

 

And I've made it a bit more friendly, so that it shows a MsgBox telling us what the value was determined to be, in the code below:

 

<job id="IsEncrypted">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript">

' Query the BitLocker WMI provider for every encryptable volume
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_EncryptableVolume",,48)

' Remember the status of any volume that is protected (1 or 2).
' Checking every volume, not just the last one enumerated, matters on
' machines with more than one fixed volume.
x = 0
For Each objItem in colItems
    If objItem.ProtectionStatus <> 0 Then x = objItem.ProtectionStatus
Next

' oEnvironment is provided by ZTIUtility.vbs; default the TS variable to False
oEnvironment.Item("DRIVE_Protected") = False

retCode = x

' 0 = Protection OFF, 1 = Protection ON, 2 = Protection Unknown
MsgBox "0=Protection OFF" & vbCrLf & "1=Protection ON" & vbCrLf & "2=Protection Unknown" & vbCrLf & vbCrLf & "Protection Status Return code is: " & retCode, 0, "Checking If Volume is Encrypted"

If (retCode = 2) OR (retCode = 1) Then
    oEnvironment.Item("DRIVE_Protected") = True
End If

WScript.Quit(0)
</script>
</job>

 

Once you are happy with the results, copy this script to the BitLocker sub-folder of the MDT 2010 Update 1 scripts directory, update the package to the DPs, and create a new Run Command Line step in the task sequence called Check ProtectionStatus.

This step sets a variable called DRIVE_Protected = True if an encrypted volume is found (if the return code is 1 or 2), and we can base other steps in the task sequence upon this variable (i.e. in a REFRESH scenario).

 

The actual run command line is as follows:

cscript.exe "%scriptroot%\bitlocker\IsVolumeEncrypted.wsf"

 

Next, on the Options tab of this step, set the Success Codes to 0 1 2.

 

Place this step before the Partition and Format Disk steps in your task sequence. That's it, now you have enough info to query the computer in WinPE to find out whether there's an encrypted volume or not, and based upon this do different actions in the task sequence.

 

Remember to rem out the MsgBox command if you want this to run uninterrupted / zero touch.

 

cheers

niall
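Added example (this is not code from Niall's post, from MDT or from ConfigMgr): the same check in PowerShell, going a bit further than the post in that it looks at every volume rather than only the last one enumerated, calls GetProtectionStatus, GetLockStatus and GetConversionStatus instead of reading the cached property, and reports volumes that are locked or still partially encrypted, which is what you actually care about before a Partition and Format step wipes them. It assumes the boot image contains the WinPE-WMI, WinPE-PowerShell and WinPE-SecureStartup optional components (the last supplies the BitLocker WMI provider) and that the script runs from a task sequence step, so the Microsoft.SMS.TSEnvironment COM object exists; outside a task sequence it only reports. DRIVE_Protected is the variable name from the post; the lookup tables and the script name in the usage note are my own.

```powershell
# Added example, not code from the original post, MDT or ConfigMgr.
# Assumes WinPE-WMI, WinPE-PowerShell and WinPE-SecureStartup are in the boot image
# and that the script is started from a task sequence step.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Documented values returned by Win32_EncryptableVolume.GetProtectionStatus
$protectionNames = @{ 0 = 'Protection OFF'; 1 = 'Protection ON'; 2 = 'Protection UNKNOWN' }
# Documented values returned by Win32_EncryptableVolume.GetConversionStatus
$conversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

$anyProtected = $false
$volumes = @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)

if ($volumes.Count -eq 0) {
    Write-Output 'No Win32_EncryptableVolume instances: no fixed volumes, or the BitLocker WMI provider is not in this boot image.'
}

foreach ($vol in $volumes) {
    # Call the methods rather than reading the cached ProtectionStatus property
    $ps   = $vol.GetProtectionStatus()
    $lock = $vol.GetLockStatus()
    $cs   = $vol.GetConversionStatus()

    $status = $protectionNames[[int]$ps.ProtectionStatus]

    # A locked volume (typical for an OS volume seen from WinPE without its key)
    # cannot report conversion status; GetConversionStatus then returns an error code
    if ($cs.ReturnValue -eq 0) {
        $conv = '{0} ({1}% encrypted)' -f $conversionNames[[int]$cs.ConversionStatus], $cs.EncryptionPercentage
    } else {
        $conv = 'conversion status unavailable (ReturnValue 0x{0:X8})' -f $cs.ReturnValue
    }

    Write-Output ('{0} {1}: {2}, LockStatus={3}, {4}' -f $vol.DriveLetter, $vol.DeviceID, $status, $lock.LockStatus, $conv)

    # Treat the volume as protected if protection is ON or UNKNOWN (1 or 2, as the
    # post does), if it is locked, or if it still holds ciphertext (anything other
    # than FullyDecrypted). Formatting over such a volume in a REFRESH destroys data.
    $stillEncrypted = ($cs.ReturnValue -eq 0) -and ($cs.ConversionStatus -ne 0)
    if ($ps.ProtectionStatus -ne 0 -or $lock.LockStatus -eq 1 -or $stillEncrypted) {
        $anyProtected = $true
    }
}

# Hand the result back to the task sequence; outside a task sequence just report it
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('DRIVE_Protected') = $anyProtected.ToString()
    Write-Output ('DRIVE_Protected = {0}' -f $tsenv.Value('DRIVE_Protected'))
} catch {
    Write-Output ('Not running inside a task sequence; DRIVE_Protected would be {0}' -f $anyProtected)
}

exit 0
```

Run it from a Run Command Line step in the same place as the WSF version, for example powershell.exe -ExecutionPolicy Bypass -File "%scriptroot%\bitlocker\Check-Protection.ps1" (the file name is my choice), and condition the later Partition and Format Disk steps on DRIVE_Protected as the post describes. The script always exits 0, so the step's Success Codes can stay at the default; the MsgBox is gone, so it is already zero-touch.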

Hi,

 

I want to encrypt the drive containing operating system.

 

In WMI Code Creator -> Execute a Method, I set the namespace to "root\CIMV2\Security\MicrosoftVolumeEncryption", "classes with methods" to "Win32_EncryptableVolume", and "methods" to "Encrypt".

But in the "Select the instance ..." option, it does not list the DeviceID of the volume containing the operating system.

 

Could you please let me know how to list that volume's DeviceID in the "Select the instance ..." option?

 

Regards,

Yogi
