This is going to be the first in a number of blog posts giving ideas and starting points for adding more value to your client monitoring. In this series I will not be focusing on how to create these monitors, but on the code that can be used in them. I cover creating remote monitors here if you are not sure how to go about it.
Today’s monitor finds any BitLocker volume whose protection status is anything other than On. If you want to build this into a search/group structure as per the article linked above, I have a role detection available here that easily singles out any machine where BitLocker is being “used”.
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {$Result = Get-BitLockerVolume | Where-Object {$_.ProtectionStatus -ne 'On'} | Measure-Object | Select -ExpandProperty Count; Write-Output $Result}"
Remote Monitor Tips:
- PowerShell remote monitors largely start in the same way, with POWERSHELL HERE being replaced by, unsurprisingly, the PowerShell to run:
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {POWERSHELL HERE}"
- PowerShell remote monitors can be tested from a normal command prompt (you may need to run it as Administrator)
- Remote monitors check for GOOD conditions, not bad ones. In this monitor's case, a count of 0 is the condition you should check for on the actual monitor.
Seems like this monitor is catching USB drives that are temporarily plugged in as not being Bitlocker’d. Would it be appropriate to add “-MountPoint C:” to the Powershell command? Although I suppose there could be secondary data disks that should have Bitlocker that would then be excluded. What do you think is the best way to resolve?
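An added example, not the post author's command nor the commenter's, that covers both the monitor above and the USB question: it restricts the count to fixed disks by joining Get-BitLockerVolume with Get-Volume, so a removable drive that is plugged in at scan time is ignored while secondary fixed data disks still count. It assumes the BitLocker and Storage PowerShell modules are present (Windows 8 / Server 2012 or later) and that it runs elevated.

```powershell
# Added example (not the original post's command): count BitLocker volumes on
# fixed disks whose ProtectionStatus is anything other than 'On'. Removable
# media (USB sticks) are excluded; secondary fixed data disks are still counted.
# Assumes the BitLocker and Storage modules (Windows 8 / Server 2012 or later).

# Drive letters of fixed disks only, in the "C:" form Get-BitLockerVolume uses.
$fixedMounts = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
    ForEach-Object { "$($_.DriveLetter):" }

# BitLocker status for those volumes. 'Off' covers both a never-encrypted volume
# and an encrypted volume whose protectors are suspended, so VolumeStatus is
# kept for the diagnostic line.
$unprotected = Get-BitLockerVolume |
    Where-Object { $fixedMounts -contains $_.MountPoint -and $_.ProtectionStatus -ne 'On' }

# Per-volume detail goes to the Verbose stream so the monitor's standard output
# stays a single number (add -Verbose when testing by hand).
foreach ($vol in $unprotected) {
    $msg = '{0} ProtectionStatus={1} VolumeStatus={2} Encrypted={3}%' -f $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage
    Write-Verbose $msg
}

# The GOOD condition for the remote monitor is still a count of 0.
$count = ($unprotected | Measure-Object).Count
Write-Output $count
```

To use it as a remote monitor, either collapse it onto one line inside the `& {...}` wrapper shown above or save it as a script and call powershell.exe with -File; only the count reaches standard output, so the GOOD condition remains a result of 0.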