(imported comment written by NoahSalzman)
I may have led you astray a little, sorry.
Your script currently checks that any drive, that is not system or Q:, is encrypted. You want all, of course.
So, you have entry checks at the start (which I’ll ignore in the example below) to make sure we have drives that are not Q and not system. Given that, here is what the desired structure of your script should look like when we are done:
IF Entry checks are true
THEN
    IF Is it true that ALL the drives I'm interested in are encrypted?
    THEN "Yes, they are ALL encrypted"
    ELSE "NA – I checked, and at least one of them was not encrypted"
ELSE "NA – The entry checks showed that there were no drives to check"
The part in bold currently is this:
if (
    exists (
        select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption"
    ) whose (
        ( integer value of property "ProtectionStatus" of it = 1
          AND set of ( names of drives whose ( name of it != name of drive of system folder AND name of it != "Q:" AND type of it = "DRIVE_FIXED" ) ) contains ( string value of property "DriveLetter" of it ) )
    )
) then "All Fixed Drives BitLocker Encrypted" ELSE "N/A"
Basically: give me a list of drives from WMI, check them one by one (iterate) against the list of all drives that are not Q and not system. The “whose” will return true if any of the items from the WMI query match.
What we really want is:
- Create a set of drives from WMI that have (integer value of property "ProtectionStatus" of it = 1)
- Subtract Q and the system drive from that set
- If our result is 0 after that subtraction then all of the drives we are interested in are encrypted (or are system or Q)
The basic idea is this, if your list of unencrypted drives were A, C, and Q:
Q: number of elements of (set of ("A:"; "C:"; "Q:") - set of ("Q:"; name of drive of system folder))
A: 1
I don’t have bitlocker turned on, so I can’t test this properly. The first thing to do is get our list of unencrypted drives, I’m hoping that this is what we need:
string value of property "DriveLetter" of (select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1) of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption")
If you get a list of drives from this relevance then you know you have unencrypted drives that are not Q or system:
set of (string value of property "DriveLetter" of (select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1) of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption")) - set of ("Q:"; name of drive of system folder)
Putting it all together:
if ( name of operating system does not contain "Win" ) then
    "Non Windows"
ELSE
    if ( name of operating system = "Win7" )
        AND exists service "BDESVC" whose ( state of it = "Running" )
        AND exists ( names of drives whose ( name of it != "Q:" AND name of it != name of drive of system folder AND type of it = "DRIVE_FIXED" ) )
        AND ( exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" )
    then
        ( (
            if ( exists ( select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" )
                 and not ( number of elements of (
                     set of ( string value of property "DriveLetter" of ( select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose ( integer value of property "ProtectionStatus" of it = 1 ) of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" ) )
                     - set of ( "Q:"; name of drive of system folder )
                 ) > 0 )
            ) then
                "All Fixed Drives BitLocker Encrypted"
            ELSE
                "N/A"
        ) as string )
    else
        "N/A"
Same thing with indentation removed for your convenience:
if (name of operating system does not contain "Win") then "Non Windows" ELSE if (name of operating system = "Win7") AND exists service "BDESVC" whose (state of it = "Running") AND exists (names of drives whose (name of it != "Q:" AND name of it != name of drive of system folder AND type of it = "DRIVE_FIXED")) AND (exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption") then ((if (exists (select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption") and not (number of elements of (set of (string value of property "DriveLetter" of (select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1) of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption")) - set of ("Q:"; name of drive of system folder)) > 0)) then "All Fixed Drives BitLocker Encrypted" ELSE "N/A") as string) else "N/A"
EDIT: Forgot to add the “not” in front of the element count, just fixed that.
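As an added example (not the poster's relevance, and not tied to BigFix), the same "are ALL the fixed drives other than Q: and the system drive protected?" check written in PowerShell so it can be tried on a machine where the WMI query is available. It keeps the post's exclusions, reads ProtectionStatus with the meaning documented for Win32_EncryptableVolume (0 = protection off, 1 = protection on, 2 = unknown), and the function name is my own.

```powershell
# Added example, not code from the forum post. Same decision structure as the
# post: entry checks first, then "ALL drives of interest protected?" -> yes/N/A.
function Test-AllFixedDrivesEncrypted {
    param([string[]]$ExcludeDrives = @('Q:'))   # Q: plus the system drive are skipped

    # Entry check: the fixed drives (DriveType 3 = local disk) we care about.
    $exclude = @($ExcludeDrives + $env:SystemDrive) | ForEach-Object { $_.ToUpper() }
    $fixed = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID.ToUpper() } |
        Where-Object { $exclude -notcontains $_ })
    if ($fixed.Count -eq 0) {
        return 'N/A - the entry checks showed that there were no drives to check'
    }

    # BitLocker WMI provider; the namespace is absent on editions without BitLocker.
    $ns = 'root\CIMv2\Security\MicrosoftVolumeEncryption'
    try {
        $volumes = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -ErrorAction Stop
    } catch {
        return "N/A - cannot query $ns ($($_.Exception.Message))"
    }

    # Map drive letter -> ProtectionStatus (0 off, 1 on, 2 unknown).
    # Volumes without a drive letter are skipped.
    $status = @{}
    foreach ($v in $volumes) {
        if ($v.DriveLetter) { $status[$v.DriveLetter.ToUpper()] = [int]$v.ProtectionStatus }
    }

    # The "ALL" check: every drive of interest must report ProtectionStatus 1.
    # A drive the provider does not list at all is treated as not protected,
    # which a plain set subtraction would never notice.
    $notProtected = @($fixed | Where-Object { -not $status.ContainsKey($_) -or $status[$_] -ne 1 })
    if ($notProtected.Count -eq 0) {
        return 'All Fixed Drives BitLocker Encrypted'
    }
    return "N/A - not protected: $($notProtected -join ', ')"
}

Test-AllFixedDrivesEncrypted
```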