Monday, April 10, 2017

SCCM Compliance Item Bitlocker Status

We recently implemented Health Attestation in SCCM 1610. That took care of the reporting requirements for our Windows 10 clients. However, in order to completely eliminate MBAM from our environment we still needed to report on legacy clients. So, here is how to create a compliance item that queries for BitLocker status.

**Side note: Some troubleshooting done for the Windows 10 portion with Health Attestation:
https://social.technet.microsoft.com/Forums/en-US/359c1cb5-5bb0-42a2-9151-0e0b3d769bcd/missing-health-attestation-data-in-sccm?forum=ConfigMgrCompliance


The script:

  1. Verify that BitLocker is enabled (ProtectionStatus = 1) and the encryption method is AES 256 (EncryptionMethod = 4)
  2. Return Compliant or Non-Compliant
#############################

# Query the C: volume from the BitLocker WMI provider (straight quotes; the original used curly quotes)
$BitlockerStatus = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -ErrorAction Stop |
    Where-Object { $_.DriveLetter -eq "C:" } |
    Select-Object EncryptionMethod, ProtectionStatus

# ProtectionStatus (0 = disabled, 1 = enabled, 2 = unknown)
# EncryptionMethod (0 = none, 1 = AES 128 with diffuser, 2 = AES 256 with diffuser, 3 = AES 128 (default), 4 = AES 256 (desired))

# Verify that BitLocker is enabled and AES 256 is used
if ($BitlockerStatus.ProtectionStatus -eq 1 -and $BitlockerStatus.EncryptionMethod -eq 4)
{ Write-Host "Compliant" }
else
{ Write-Host "Non-Compliant" }
#############################

The compliance item:

View the deployment status under Monitoring

Viewing the individual client report

Friday, February 17, 2017

Find Expiring Certificates in Local Computer Personal Store

I originally wrote this as a monitor for SolarWinds. I'm posting it here as it could also be used in a foreach against an OU, CSV, etc. Basically, it searches through the computer's personal certificate store and returns the certs that expire within X days.

########################

# Certificates in the Local Computer personal store (the Cert: drive is built in; no IIS module is needed)
$Certificates = Get-ChildItem Cert:\LocalMachine\My
$today = Get-Date
$DaysUntilExpiry = 60      # "X days": certificates expiring within this window are reported
$expirationcounter = 0

foreach ($cert in $Certificates)
{
    # The certificate object already carries NotAfter, Subject and Issuer; no second lookup by thumbprint is needed
    if ($cert.NotAfter -lt $today.AddDays($DaysUntilExpiry))
    {
        # A negative day count means the certificate has already expired
        $expiresin = $cert.NotAfter - $today
        Write-Host "Statistic:" $expiresin.Days
        Write-Host "Message:" $cert.Subject
        $expirationcounter++
    }
}

if ($expirationcounter -eq 0)
{
    Write-Host "Statistic:" 0
    Write-Host "Message: No Certificates Found"
}
########################
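The same check run against a list of computers, as an added example that is not part of the original post: it returns objects rather than SolarWinds-style text so the results can be sorted or exported, and it reports hosts that could not be queried. It assumes PowerShell remoting is enabled on the targets and that the caller has admin rights there; the computer names are constructed samples.

```powershell
# Added example (not the original post's script). Assumes WinRM remoting to the targets.
param(
    [string[]]$ComputerName = @('server01', 'server02'),   # constructed sample names
    [int]$DaysUntilExpiry = 60
)
# To build the list from an OU instead (assumes the ActiveDirectory module):
#   $ComputerName = (Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=example,DC=com').Name

$check = {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays   # negative = already expired
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# Invoke-Command fans out to all hosts in parallel; connection failures are collected, not fatal
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
    -ArgumentList $DaysUntilExpiry -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results |
    Sort-Object DaysRemaining |
    Select-Object ComputerName, Subject, NotAfter, DaysRemaining, HasPrivateKey |
    Format-Table -AutoSize

# Export for ticketing or trending (constructed output path)
$results | Export-Csv -Path "$env:TEMP\expiring-certs.csv" -NoTypeInformation

# A host that cannot be queried is a gap in coverage and should be surfaced, not silently skipped
foreach ($e in $unreachable) {
    Write-Warning ("Could not query {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```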