A customer asked me how he can see how many of his machines are encrypted and how many are not. Currently, ZENworks Full Disk Encryption offers this information only through Audit Events. Depending on your audit configuration, these events are purged after a certain time and are no longer available. The ZENworks Reporting Server is able to store them, but did you import the events?
This article describes how to read the actual encryption status during the Windows login, save it as a registry value and use ZENworks ADF fields to visualize it with the ZENworks Reporting Server.
ZENworks is able to report on the successful delivery of the policy assignment, but is the disk "really" encrypted? The customer was uncertain.
Looking into the product documentation I found following statement:
Component status FDE command: Open a command prompt on the device and change the directory (cd) to %ZENWORKS_HOME%\esm. From this directory type zescommand.exe /componentStatus FDE
- Volume(s) encrypted: If the return value is negative, then a policy is enforced with encryption in place.
- No policy or encryption: If the return value is positive, there is no Disk Encryption policy in place or initialized.
Well, this gives me the certainty that the encryption policy has been enforced successfully on the client.
Inspired by Turbo.Script scripts, I checked what is possible from the command line and created the following script:
rem Write the component status to a file and read its first line into a variable
"%zenworks_home%\esm\ZESCommand.exe" /componentStatus fde >c:\fdestatus.txt
set /p fde=<c:\fdestatus.txt
rem Keep only the first character: "-" means a volume is encrypted
set str=%fde:~0,1%
if "%str%"=="-" (set fde=On) else (set fde=Off)
reg add HKEY_LOCAL_MACHINE\SOFTWARE\SECUDE\SNB\fde /v Status /d %fde% /f
Basically, zescommand.exe writes its status into a file, the script reads the file into an environment variable and cuts the content down to its first character, which is either "-" or something else. Based on that result, it writes the value "Status" into the FDE registry tree, set to "On" or "Off".
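The same logic in PowerShell, as an added example that is not part of the original article or of the ZENworks product: it derives the status from the first character of the ZESCommand.exe output, writes the "Status" value, and reads back the values that the Collection Data Form imports later in this article. ZESCommand.exe, its /componentStatus fde switch and the registry paths come from the article; the function names, the "unknown" default and the handling of a missing EncryptionProgress key are my own assumptions.

```powershell
# Added example (not from the original article): derive the FDE status the same way the
# batch script does, store it under the FDE registry tree, and read back the values the
# Collection Data Form later imports. Assumes ZESCommand.exe prints a leading "-" when a
# volume is encrypted, as the product documentation quoted above states.
$FdeKey      = 'HKLM:\SOFTWARE\SECUDE\SNB\fde'
$ProgressKey = "$FdeKey\EncryptionProgress"
$ZesCommand  = Join-Path $env:ZENWORKS_HOME 'esm\ZESCommand.exe'

function Get-FdeStatus {
    # Run the component status query and keep only the first line of its output.
    $output = & $ZesCommand /componentStatus fde 2>&1 | Select-Object -First 1
    $first  = ([string]$output).Trim()
    # Negative value = policy enforced with encryption in place; anything else = Off.
    if ($first.StartsWith('-')) { 'On' } else { 'Off' }
}

function Set-FdeStatusValue {
    param([string]$Status)
    # Writing below HKLM\SOFTWARE needs administrative rights; run this from the bundle
    # in an elevated or system context, not as the logged-on standard user.
    if (-not (Test-Path $FdeKey)) { New-Item -Path $FdeKey -Force | Out-Null }
    Set-ItemProperty -Path $FdeKey -Name 'Status' -Value $Status -Type String
}

function Get-FdeInventoryValues {
    # Read back exactly the values the Collection Data Form is configured to import.
    $status   = (Get-ItemProperty -Path $FdeKey -Name 'Status' -ErrorAction SilentlyContinue).Status
    # EncryptionProgress only exists once an encryption has run; $progress is $null before that.
    $progress = Get-ItemProperty -Path $ProgressKey -ErrorAction SilentlyContinue
    $statusText = if ($status) { $status } else { 'unknown' }   # assumed default
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Status            = $statusText
        LastEncryptedDrive = $progress.DriveInProgress   # empty until an encryption has run
        ProgressPercent   = $progress.ProgressPercent    # 100 means fully encrypted
    }
}

$status = Get-FdeStatus
Set-FdeStatusValue -Status $status
Get-FdeInventoryValues | Format-List
```

Run it once by hand on a test workstation before putting it into the bundle: the Format-List output shows exactly what the inventory scan will pick up, so an empty DriveInProgress or a missing Status tells you the registry side is not yet in place. Keep in mind that "Status" is an ordinary registry string that any local administrator can change, so the report is an inventory view of the client state, not an attestation of the encryption itself.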
To automate the delivery of the script, you create a new Windows bundle within ZENworks with an install action (Figure 2) that copies the file to the root of "C:".
Configure the bundle to be launched during the login of the user (Figure 3) …
… and run it for all users (Figure 4).
Now you need to pick up the information for later use in the ZENworks Reporting Server. Here the "Collection Data Form" comes into play. Additionally, the registry offers various useful pieces of information about FDE. Therefore I activate the following ADF workstation fields.
(Note down the internal names, we need them later.)
In ZENworks Control Center I go to Configuration, then to the "Asset Configuration" breadcrumb.
In the "Administrator-Defined Fields", you add new fields for the Workstation (Figure 5).
The configuration requires these 4 new fields; just create them by clicking on "New" (Figure 6).
A look into the FDE folder shows me the value "Status" and the actual FDE API version. We want to import both for use in the reports.
Additionally, once an encryption has happened, a new folder called "EncryptionProgress" is created in HKEY_LOCAL_MACHINE\SOFTWARE\SECUDE\SNB\fde\.
From this folder, I'll take:
| Registry value | Meaning |
| DriveInProgress | Drive currently being encrypted, or the last drive that was encrypted |
| ProgressPercent | Percentage of encryption; 100% means fully encrypted |
Now reopen ZENworks Control Center and click on Configuration – Inventory – Collection Data Form. You can see the new fields you created, and you need to configure the registry values that the form should read (Figure 9).
Click on each of the "No" entries and enter the following value for each field:
| ADF field | Registry value |
| FDE Last Encrypted Drive | HKLM\SOFTWARE\SECUDE\SNB\FDE\EncryptionProgress\DriveInProgress |
| FDE Progress Percentage | HKLM\SOFTWARE\SECUDE\SNB\FDE\EncryptionProgress\ProgressPercent |
Then you need to activate the scan for the registry values in the inventory schedule by enabling "Launch Collection Data Form". Therefore you enable "Launch Collection Data Form" for every scan type you want to have included (Figure 10).
Note: Feedback from the form can take some time, depending on your inventory schedule.
Opening the inventory of a workstation should then show the following information under "Other Informations".
You need to log on to the ZENworks Reporting Server as admin or a similar user and click on "Ad-hoc Views" (Figure 12). The first Ad-Hoc View is a listing of workstations that have FDE enabled or not. If you also want some additional information, like workstation name, user name, FDE API version and so on, click on "Create".
In this case you take the ZENworks Domain (Figure 13). Here you find data related to the workstation inventory and the ADF fields.
Now add "General Device Attributes", "General Device Status" and "Inventory Administrator Defined Fields" to the "Selected Fields".
The following fields (Figure 15) are sufficient for the first report. I added the Windows Domain, since I have different LDAP directories in my ZENworks system.
Right-click the following fields in the left pane and add the filters shown in Figure 17; this way you only see the Windows managed devices.
You may also search for the field names directly in the left pane using the Search (Figure 16).
By right-clicking on a label, you rename the ADF fields to the appropriate name, e.g. "ADF2" to "FDE".
Do the same for the header.
Your first Ad-Hoc View is ready. Change to view mode (blue eye) and check the listing.
The workstation "win10-sb28" has the FDE client enabled, API version 15.1.943.6, but FDE isn't enabled. Probably no policy has been received by the workstation yet, since "%" and "Last Drive" are empty. The last inventory scan happened on September 18th 2020.
This workstation is decrypted, since FDE is "Off". It did have encryption enabled before, because "%" and "Last Drive" carry values. The last inventory scan date was September 25th 2020.
This workstation may have 3 drives fully (100) encrypted, the last drive is E: and the API version is also 15.1.943.6. The last inventory scan happened on September 25th 2020.
The second Ad-Hoc Report will be a pie chart that shows me the enabled and the not enabled workstations.
So you create a new Ad-Hoc View. It is again the ZENworks Domain; as source inventory you need "General Device Status" and "Inventory Administrator Defined Fields".
In the "New Ad-Hoc View" window you choose "Chart".
From the inventory on the left side, drag the "Workstations ADF2" field to Rows, and from Measures in the lower left side drag "Managed Device Count" to Columns.
Now click on the configuration button (gray gears), then click on "Chart Type" and select the "Pie symbol".
Similar to the last Ad-Hoc View, you create the filter for the "Workstation ADF2" field.
In "Filters", "Data Level", slide the Rows control in the upper right corner to the right.
Now you see a pie chart, which needs some formatting.
Again, click on the configuration button, but this time select "Chart Format" and click on the "Advance" tab.
There you add your favorite colors. Keep in mind to click on the green "Accept" and then "Apply" and "OK".
The final result, with a title added, should look like this pie chart (Figure 31).
Still, we want to make it more productive and enable technicians or users to check the encryption status themselves. Therefore I combine the table with the chart in a dashboard and make it available.
To create the dashboard, open the ZRS overview and click on "Create" under "Dashboards".
Drag the "Workstation List" content onto the canvas and do the same for the "FDE Overview".
In the ribbon, select "Show parameter mapping dialog" (Figure 34).
And select the following configuration:
Save the dashboard as "FDE Dashboard".
Clicking on one of the slices changes the list in the left window.
Back in the overview, click on the view list of the Dashboards.
You see the list of dashboards. Right-click on "FDE Dashboard" and choose "Permissions".
Add the groups that need access to the dashboard.
By adding "?decorate=no" to the URL, the dashboard can be opened without the common start page, like:
The full example: