SCCM–How to Report on Safeboot / McAfee Endpoint Encryption
I posted this on the myITForum SMS mailing list and thought it might be helpful. A question was asked about reporting on systems using Safeboot and verifying their encryption state – this was my answer:
Here you go, Suzzi (we use the same product). I'd recommend using your own naming conventions for the class, but the meat of it is there. And yes, Inventory Manager helps a lot with this kind of stuff. It only gives us the lock state (yes, it's encrypted, or no, it's not), but you could add more reg keys as needed. Also attached is a SQL query you could use to report on Safeboot (Endpoint Protection) in your enterprise (changing the name of the view that your MOF edit creates for Safeboot). It takes into account the name change from Safeboot to McAfee Endpoint Protection. The reg keys did NOT appear to change (thankfully). As always... test, test, test :)
-Casey
SMS_DEF.mof edit:
//==================================================================
// REPORT : Win32Reg_IM_SafeBoot_Encryption_State
//==================================================================
#pragma deleteclass("Win32Reg_IM_SafeBoot_Encryption_State",NOFAIL)
[SMS_Report(TRUE), SMS_Group_Name("SPS SafeBoot Encryption State"), SMS_Class_ID("INVENTORYMANAGER|SafeBoot_Encryption_State|1.0")]
class Win32Reg_IM_SafeBoot_Encryption_State : SMS_Class_Template
{
[SMS_Report(TRUE), key] string InstanceKey;
[SMS_Report(TRUE)] uint32 LockState;
};
Configuration.mof edit:
//==================================================================
// Register : Win32Reg_IM_SafeBoot_Encryption_State
//==================================================================
#pragma namespace("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_IM_SafeBoot_Encryption_State",NOFAIL)
[DYNPROPS]
Class Win32Reg_IM_SafeBoot_Encryption_State
{
[key] string InstanceKey;
uint32 LockState;
};
[DYNPROPS]
instance of Win32Reg_IM_SafeBoot_Encryption_State
{
InstanceKey = "KeyName";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbFsLock|LockState"),
Dynamic, Provider("RegPropProv")] LockState;
};
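Before building a report on this class it is worth confirming on one client that the Configuration.mof edit actually surfaces the registry value through WMI, because a bad PropertyContext path or an uncompiled MOF shows up in the report only as 'Not Found' after the next inventory cycle. The script below is an added verification check, not part of the original post or the mailing-list answer. It assumes the Configuration.mof snippet above was saved to C:\Temp\SafeBootLockState.mof on a test machine (a hypothetical path) and that it runs from an elevated Windows PowerShell session; the registry path, class name and value name are the ones from the MOF edit, and mofcomp.exe, Get-ItemProperty and Get-WmiObject are standard Windows tooling.

```powershell
# Added verification script, not from the original post. Assumed inputs:
# $MofPath (hypothetical location of the Configuration.mof snippet) and an
# elevated Windows PowerShell session on a client that has SafeBoot /
# McAfee Endpoint Encryption installed.
$MofPath   = 'C:\Temp\SafeBootLockState.mof'
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SbFsLock'
$ClassName = 'Win32Reg_IM_SafeBoot_Encryption_State'

function ConvertTo-UInt32 ($Value) {
    # Registry DWORDs come back as Int32 and go negative above 0x7FFFFFFF;
    # normalise so the registry and WMI (uint32) values compare cleanly.
    return [uint32]($Value -band 4294967295)
}

function Get-LockStateFromRegistry {
    # The value the MOF's PropertyContext points at. $null if the key or
    # value is absent (product not installed, or driver never registered).
    $item = Get-ItemProperty -Path $RegPath -Name 'LockState' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ConvertTo-UInt32 $item.LockState
}

function Get-LockStateFromWmi {
    # The DYNPROPS instance that RegPropProv fills in, i.e. exactly what
    # hardware inventory will collect. $null if the class is not compiled yet.
    $inst = Get-WmiObject -Namespace 'root\cimv2' -Class $ClassName -ErrorAction SilentlyContinue
    if ($null -eq $inst -or $null -eq $inst.LockState) { return $null }
    return ConvertTo-UInt32 $inst.LockState
}

# Step 1: compile the snippet locally for this one-off test. On managed
# clients the SCCM agent compiles Configuration.mof itself, so only do this
# on a lab machine.
if (Test-Path $MofPath) {
    & "$env:windir\System32\wbem\mofcomp.exe" $MofPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mofcomp.exe failed with exit code $LASTEXITCODE" }
}

# Step 2: compare what the registry holds with what WMI (and therefore the
# inventory class and the v_GS_ view on the site server) will report.
$fromReg = Get-LockStateFromRegistry
$fromWmi = Get-LockStateFromWmi

$status =
    if ($null -eq $fromWmi) {
        'WMI class missing or empty: MOF not compiled on this client'
    } elseif ($null -eq $fromReg) {
        'Registry value missing: product not installed on this client?'
    } elseif ($fromReg -ne $fromWmi) {
        'MISMATCH: check the PropertyContext path in Configuration.mof'
    } elseif ($fromWmi -ne 0) {
        'Locked: the report will show IsEncrypted = YES'
    } else {
        'Not locked: the report will show IsEncrypted = NO'
    }

# New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 clients.
New-Object PSObject -Property @{
    ComputerName      = $env:COMPUTERNAME
    RegistryLockState = $fromReg
    WmiLockState      = $fromWmi
    Status            = $status
} | Format-List
```

Two things this check makes visible that the report alone does not: a MISMATCH or a missing class means the MOF edit is wrong or not yet applied, and no amount of waiting for the next inventory cycle will fix it; and the value is whatever the endpoint's own registry says at the time of the last hardware inventory, so in the report a 'YES' next to an old LastHWScan is a stale claim, not evidence the disk is locked today.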
SQL Query for Reporting:
SELECT DISTINCT
    a.ResourceID, a.Name0, a.Resource_Domain_OR_Workgr0, a.User_Name0, a.Manufacturer0, a.Model0, a.LastScanDate, a.LastHWScan, a.SafeBootInstalled,
    CASE WHEN a.SafeBootInstalled = 'YES' THEN sp.ProductVersion ELSE 'N/A' END AS 'SafeBootVersion',
    -- e.LockState0 is NULL when the machine has no instance of the custom class
    -- (registry value absent, MOF not compiled, or no hardware inventory since the edit)
    CASE WHEN e.LockState0 = 0 THEN 'NO' WHEN e.LockState0 <> 0 THEN 'YES' ELSE 'Not Found' END AS 'IsEncrypted'
FROM (SELECT DISTINCT s.ResourceID, s.Name0, s.Resource_Domain_OR_Workgr0, s.User_Name0, comp.Manufacturer0, comp.Model0, sw.LastScanDate, hw.LastHWScan, 'YES' AS SafeBootInstalled
      FROM v_R_System AS s INNER JOIN
           -- uncomment the v_GS_BATTERY join and its WHERE clause (both subqueries) to restrict the report to laptops
           --v_GS_BATTERY AS b ON s.ResourceID = b.ResourceID INNER JOIN
           v_GS_SoftwareProduct AS sp ON s.ResourceID = sp.ResourceID INNER JOIN
           v_GS_LastSoftwareScan AS sw ON s.ResourceID = sw.ResourceID INNER JOIN
           v_GS_WORKSTATION_STATUS AS hw ON s.ResourceID = hw.ResourceID INNER JOIN
           v_GS_COMPUTER_SYSTEM AS comp ON s.ResourceID = comp.ResourceID
      WHERE
           --(b.Availability0 IS NOT NULL) AND
           (sp.ProductName LIKE 'SafeBoot%' OR sp.ProductName LIKE 'McAfee Endpoint%')
      UNION
      SELECT DISTINCT s.ResourceID, s.Name0, s.Resource_Domain_OR_Workgr0, s.User_Name0, comp.Manufacturer0, comp.Model0, sw.LastScanDate, hw.LastHWScan, 'NO' AS SafeBootInstalled
      FROM v_R_System AS s INNER JOIN
           --v_GS_BATTERY AS b ON s.ResourceID = b.ResourceID INNER JOIN
           v_GS_LastSoftwareScan AS sw ON s.ResourceID = sw.ResourceID INNER JOIN
           v_GS_WORKSTATION_STATUS AS hw ON s.ResourceID = hw.ResourceID INNER JOIN
           v_GS_COMPUTER_SYSTEM AS comp ON s.ResourceID = comp.ResourceID
      WHERE
           --(b.Availability0 IS NOT NULL) AND
           -- correlate on ResourceID rather than Name0: duplicate or stale computer
           -- names in v_R_System would otherwise hide machines from the 'NO' set
           NOT EXISTS (SELECT 1
                       FROM v_GS_SoftwareProduct AS sp
                       WHERE sp.ResourceID = s.ResourceID
                         AND (sp.ProductName LIKE 'SafeBoot%' OR sp.ProductName LIKE 'McAfee Endpoint%'))) AS a LEFT OUTER JOIN
     -- a machine with more than one product matching 'McAfee Endpoint%' appears once per distinct ProductVersion
     v_GS_SoftwareProduct AS sp ON sp.ResourceID = a.ResourceID AND (sp.ProductName LIKE 'SafeBoot%' OR sp.ProductName LIKE 'McAfee Endpoint%') LEFT OUTER JOIN
     -- view generated from the SMS_Group_Name in SMS_DEF.mof; change it if you renamed the group.
     -- Joined on a.ResourceID, not sp.ResourceID, so the lock state is reported even when the
     -- product is missing from software inventory (SafeBootInstalled = 'NO' with IsEncrypted = 'YES'
     -- is worth a look rather than something to hide)
     v_GS_SPS_SafeBoot_Encrypti0 AS e ON e.ResourceID = a.ResourceID
ORDER BY a.Name0