-
Notifications
You must be signed in to change notification settings - Fork 2
/
Procedure Win - Audit Encryption Status.xml
81 lines (81 loc) · 5.86 KB
/
Procedure Win - Audit Encryption Status.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
<?xml version="1.0" encoding="utf-8"?>
<ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
<Procedure name="Win - Audit Encryption Status" treePres="3" id="1258250728" folderId="505213248545868" treeFullPath="Auditing">
<Body description="Check if Windows encryption on a machine is enabled or not. Update the custom System Info field "Encrypted" to Yes or No.">
<If description="">
<Condition name="True" />
<Then>
<Statement name="Execute Shell Command - Get Results to Variable" continueOnFail="true" osType="Windows">
<Parameter xsi:type="StringParameter" name="Parameter1" value="%systemdrive%\Windows\System32\manage-bde.exe -status" />
<Parameter xsi:type="StringParameter" name="Parameter2" value="True" />
<Parameter xsi:type="StringParameter" name="Parameter3" value="System" />
</Statement>
<If description="">
<Condition name="CheckVariable">
<Parameter xsi:type="StringParameter" name="VariableName" value="#global:cmdresults#" />
<Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
<Parameter xsi:type="StringParameter" name="Value" value="Protection On" />
</Condition>
<Then>
<Statement name="UpdateSystemInfo" continueOnFail="false" osType="Windows">
<Parameter xsi:type="StringParameter" name="ColumnName" value="Encrypted" />
<Parameter xsi:type="StringParameter" name="Value" value="Yes" />
</Statement>
</Then>
<Else>
<Statement name="UpdateSystemInfo" continueOnFail="false" osType="Windows">
<Parameter xsi:type="StringParameter" name="ColumnName" value="Encrypted" />
<Parameter xsi:type="StringParameter" name="Value" value="No" />
</Statement>
<Statement name="Execute Powershell Command (64-bit, Run As System)" continueOnFail="false">
<Parameter xsi:type="StringParameter" name="Parameter1" value="" />
<Parameter xsi:type="StringParameter" name="Parameter2" value="If (Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' | where {$_.Id -eq '778' -and $_.TimeCreated -gt (Get-Date).AddDays(-1)} | select Id,TimeCreated){$true}else{$false}" />
<Parameter xsi:type="StringParameter" name="Parameter3" value="True" />
</Statement>
<If description="">
<Condition name="CheckVariable">
<Parameter xsi:type="StringParameter" name="VariableName" value="#global:psresult#" />
<Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
<Parameter xsi:type="StringParameter" name="Value" value="True" />
</Condition>
<Then>
<Statement name="SendEmail" continueOnFail="false">
<Parameter xsi:type="StringParameter" name="To" value="[email protected]" />
<Parameter xsi:type="StringParameter" name="Subject" value="Machine Encryption Alert: #vAgentConfiguration.machName#" />
<Parameter xsi:type="MultiLineStringParameter" name="Body" value="#vAgentConfiguration.machName# 

Drive has been decrypted." />
</Statement>
</Then>
<Else>
<Statement name="Execute Powershell Command (64-bit, Run As System)" continueOnFail="false">
<Parameter xsi:type="StringParameter" name="Parameter1" value="" />
<Parameter xsi:type="StringParameter" name="Parameter2" value="If (Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' | where {$_.Id -eq '773' -and $_.TimeCreated -gt (Get-Date).AddDays(-1)} | select Id,TimeCreated){$true}else{$false}" />
<Parameter xsi:type="StringParameter" name="Parameter3" value="True" />
</Statement>
<If description="">
<Condition name="CheckVariable">
<Parameter xsi:type="StringParameter" name="VariableName" value="#global:psresult#" />
<Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
<Parameter xsi:type="StringParameter" name="Value" value="True" />
</Condition>
<Then>
<Statement name="Execute Powershell Command (64-bit, Run As System)" continueOnFail="false" osType="None">
<Parameter xsi:type="StringParameter" name="Parameter1" value="" />
<Parameter xsi:type="StringParameter" name="Parameter2" value="If (Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' | where {$_.Id -eq '774' -and $_.TimeCreated -gt (Get-Date).AddDays(-1)} | select Id,TimeCreated){$true}else{$false}" />
<Parameter xsi:type="StringParameter" name="Parameter3" value="True" />
</Statement>
<Statement name="SendEmail" continueOnFail="false" osType="None">
<Parameter xsi:type="StringParameter" name="To" value="[email protected]" />
<Parameter xsi:type="StringParameter" name="Subject" value="Machine Decryption Alert: #vAgentConfiguration.machName#" />
<Parameter xsi:type="MultiLineStringParameter" name="Body" value="#vAgentConfiguration.machName# 

Encryption has been paused." />
</Statement>
</Then>
</If>
</Else>
</If>
</Else>
</If>
</Then>
</If>
</Body>
</Procedure>
</ScriptExport>