
What can an IT professional do if a user's device is not compliant?

Sometimes users do everything they are supposed to do and a device is still listed as not compliant in MyDevices. If BigFix is installed but:

... the Windows 10 computer's MyDevices Encryption Status reports the device is not encrypted, there might be a problem with the VBScript that generates information locally on the Windows client for BigFix collection and reporting to MyDevices.

An end user or IT support person will have to take these steps:

Create a Scheduled Task to regularly run a script that updates the bitlockerinfo.txt file

Set up the corrective bitlockerinfo.txt updater script to run on a schedule. The batch script calls a PowerShell script to address a bug where the BitLocker encryption status text file on rare occasions contains no field values. This state causes MyDevices to consider the computer non-compliant when it may in fact be BitLocker-enabled and compliant. The scheduled task manages this autonomously, but with the aid of a run-as-administrator shortcut to the "run-get-bitlockerinfo-ps.bat" batch script, a user can run the fix on demand as necessary (this may require 8 hours for the fix to be recognized and reported to MyDevices).

Summary

The key components of this regularly scheduled fix-it batch script solution are:

  1. get-bitlockerinfo.ps1 -- this PowerShell script sets the contents of the "C:\Program Files (x86)\BigFix Enterprise\BES Client\BitLocker\bitlockerinfo.txt" file with data to be collected by BigFix regarding BitLocker encryption status
  2. run-get-bitlockerinfo-ps.bat -- this batch script calls the above PowerShell script; it is the target of the Microsoft Windows Task Scheduler task created either automatically or manually per below, and can optionally be run as administrator directly or via shortcut on demand

Automated Instructions for creating the Scheduled Task:

  1. Download the "bitlockerinfo-fix-files" folder and the "create-bitlockerinfo-fix-scheduled-task-#_#.bat" file locally by extracting them from this zip file; ensure both the folder and the file remain adjacent to each other
  2. Run the "create-bitlockerinfo-fix-scheduled-task-#_#.bat" file as a local computer administrator
  3. Confirm the "Stanford - Daily Encryption Status Update #_#" task has been created, scheduled to run hourly -- this can be adjusted to run less frequently per user preference

NOTE: When invoked by the scheduled task, the regularly scheduled batch script will flash a Command Prompt window visible to the user. This flash of a window immediately minimizes to the taskbar, then automatically terminates after approximately two seconds. Those two seconds are enough time to maximize the window and view the message indicating what is happening.

Troubleshooting

See "C:\ProgramData\Stanford\Logs\StanfordScheduledTask-BitlockerTxt.log" for clues on issues you might experience running the "create-bitlockerinfo-fix-scheduled-task-#_#.bat" batch script that automates the scheduled task creation.

Manual Instructions for creating the Scheduled Task:

  1. Download the "bitlockerinfo-fix-files" folder
  2. Create a "C:\ProgramData\Stanford" folder, if it does not already exist; however, if this does not already exist, something else might be amiss (perhaps the BigFix client itself is problematic)
  3. Move the contents of the "bitlockerinfo-fix-files" folder to "C:\ProgramData\Stanford"
  4. Open Task Scheduler
  5. Right-click Task Scheduler Library > Import Task... and target the "Stanford_RoutineEncryptionStatusUpdater_1_1.xml_#_#.xml" for import
  6. Click Open
  7. All settings should be in place (but you can change the schedule at this time per user preference via Triggers tab > Daily trigger selection > Edit... > setting the new time > click OK)
  8. Click OK

NOTE: See note above about the flash of a command prompt window visible each time the scheduled task executes.

When properly set, the "C:\Program Files (x86)\BigFix Enterprise\BES Client\BitLocker\bitlockerinfo.txt" file contents of a fully encrypted Microsoft Windows BitLocker client look like this:

|~|OSDrive::C:|~|CipherStrength::Aes128|~|ProtectionStatus::On|~|EncryptionStatus::FullyEncrypted|~|PercentageEncrypted::100|~|Unlocked|~|WipingStatus::0|~|UnlockMethod::Password|~|RecoveryMethod::RecoveryPassword|~|
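
The empty-values state described above can be checked directly on the client. The following PowerShell is an added example, not one of the scripts in the Stanford download: it parses the "|~|" and "::" record format shown in the sample line and reports whether the fields BigFix collects are populated. The function names, the choice of required fields, and the constructed empty-value sample are assumptions; the page does not show what the broken file looks like.

```powershell
# Added example: check the BitLocker status file that BigFix collects.
# Path and record format come from this page; function names are hypothetical.
$InfoPath = 'C:\Program Files (x86)\BigFix Enterprise\BES Client\BitLocker\bitlockerinfo.txt'

function ConvertFrom-BitLockerInfo {
    param([string]$Text = '')
    $fields = [ordered]@{}
    # Records are separated by |~| and are either Name::Value or a bare flag ("Unlocked").
    foreach ($record in ($Text -split '\|~\|')) {
        $record = $record.Trim()
        if (-not $record) { continue }
        $name, $value = $record -split '::', 2   # limit 2 keeps "C:" intact
        $fields[$name] = if ($null -eq $value) { $true } else { $value }
    }
    return $fields
}

function Test-BitLockerInfo {
    param([string]$Text = '')
    $fields = ConvertFrom-BitLockerInfo -Text $Text
    # Assumption: these four fields are the minimum needed to judge encryption status.
    $required = 'OSDrive', 'ProtectionStatus', 'EncryptionStatus', 'PercentageEncrypted'
    $empty = @($required | Where-Object { [string]::IsNullOrWhiteSpace($fields[$_]) })
    [pscustomobject]@{
        Populated      = ($empty.Count -eq 0)
        EmptyFields    = ($empty -join ',')
        FullyEncrypted = ($fields['ProtectionStatus'] -eq 'On' -and
                          $fields['EncryptionStatus'] -eq 'FullyEncrypted')
    }
}

# Sample line from this page (healthy, fully encrypted client).
$pageSample = '|~|OSDrive::C:|~|CipherStrength::Aes128|~|ProtectionStatus::On|~|EncryptionStatus::FullyEncrypted|~|PercentageEncrypted::100|~|Unlocked|~|WipingStatus::0|~|UnlockMethod::Password|~|RecoveryMethod::RecoveryPassword|~|'
# Constructed sample of the "no field values" state; its exact shape is an assumption.
$emptySample = '|~|OSDrive::|~|CipherStrength::|~|ProtectionStatus::|~|EncryptionStatus::|~|PercentageEncrypted::|~|'

Test-BitLockerInfo -Text $pageSample
Test-BitLockerInfo -Text $emptySample
if (Test-Path -LiteralPath $InfoPath) {
    # Get-Content -Raw returns $null for a zero-byte file, which is reported as unpopulated.
    Test-BitLockerInfo -Text (Get-Content -LiteralPath $InfoPath -Raw)
}
```

A result with Populated set to False is the state the scheduled fix is meant to correct; run "run-get-bitlockerinfo-ps.bat" as administrator and check the file again.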

... the Management System Information in MyDevices is missing, incorrect, or out-of-date (see the "Last Check-in Time"), there might be a problem with BigFix.

A BigFix administrator will have to take the first two steps, an end user or an IT support person the third:

  1. Try a BigFix console refresh.
  2. Deploy a BigFix action, "[STANFORD] Troubleshooting: Client Forced Refresh", to force a client refresh.
  3. Completely remove and reinstall the BigFix client on the endpoint.

To completely remove BigFix on Windows, first look in the Programs and Features control panel. If you see "IBM BigFix Client (Stanford)", you can uninstall the client using the control panel. Note that the version of the BigFix installer that provides this functionality first became available in December 2016, so this option won't be available in many cases.

If you do not see "(Stanford)" appended to the program name in the Programs and Features control panel, in order to completely remove the client you must use the appropriate version of this utility (generally the most recent):

www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/BES%20Remove%20Utility

To completely remove BigFix on Mac OS, use the BigFix uninstaller script included with the BigFix installer disk image on Essential Stanford Software.

Sometimes the removal and reinstallation steps need to be repeated once or twice. If all else fails and the system will have no access to High Risk Data, try VLRE. Otherwise it might be necessary to rebuild the system.

Last modified February 22, 2022