Mark Minasi's Tech Forum
BtilEntrails
New Friend (or an Old Friend who Built a New Account)
Posts: 27
#1
We have roughly 7000 laptops with Symantec PGP WDE (Whole Disk Encryption) being used by the laptops. We want to convert them to be using BitLocker and will need to decrypt these devices before making that move. The problem is not how to decrypt a machine at the command-line, that I know how to do. I need help with knowing when the disk is decrypted so I can send the uninstall to remove the Symantec PGP.

So this is our planned method:
When we send the command to decrypt a machine from SCCM, we will need to monitor for decrypt completion. So we will be using an SCCM compliancy check, and when it detects a registry key that we will make on the machine (created when we execute the decrypt command on a target machine), we will then use the compliancy check to execute a script that will do the "--status" check command that Symantec has baked into the product. When the status check shows the decryption is complete, we then uninstall PGP and remove the registry key that is causing the SCCM compliancy check to execute.

So here is what I am stuck on: the command for the status check is the following, and it works without issue:

"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe" --status --xml>>"C:\Windows\pgpStatus.xml"

PGP WDE supports the creation of an XML file. So the output looks like the following:

When the machine is encrypted, the above command produces output in XML format of:
<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>false</running>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="0"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="125827072"/>
        <watermark high="125827070"/>
        <reserved start="2"/>
      </volume>
    </volumes>
    <scheme>WholeDisk</scheme>
    <auth>
      <lockout enabled="false"/>
      <failures max="0"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.3.2 (Build 16620).16620</version>
  <timestamp>Wed Jun 01 11:07:56 2016</timestamp>
</pgpwde>


When the machine has been sent the decrypt command and a status check command is then run, the XML file shows:
<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>true</running>
      <status>decrypting</status>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="0"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="125827072"/>
        <watermark low="12602365" high="125827070"/>
        <reserved start="2"/>
      </volume>
    </volumes>
    <scheme>WholeDisk</scheme>
    <auth>
      <lockout enabled="false"/>
      <failures max="0"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.3.2 (Build 16620).16620</version>
  <timestamp>Wed Jun 01 13:16:24 2016</timestamp>
</pgpwde>

And when the machine is done with the decrypt and the status command is executed, the output is:
<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>false</instrumented>
  </diskstatus>
  <version>10.3.2 (Build 16620).16620</version>
  <timestamp>Wed Jun 01 13:42:55 2016</timestamp>
</pgpwde>

The goal is to run the status command from PowerShell and when the decrypt is complete, execute the uninstall command.  I lack the talent to make such a PowerShell script, and I know I need to learn PowerShell, but that is another issue that life has planned for me at some point.

__________________
Deep Thoughts by Jack Handey - "It takes a big man to cry, but it takes a bigger man to laugh at that man."
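The poll-then-uninstall procedure described in the first post, as an added PowerShell example (not code from any poster). It runs pgpwde.exe and parses its XML output in memory instead of appending to C:\Windows\pgpStatus.xml: the `>>` redirect in the post appends a second XML document on every run, and an [xml] cast of that file then fails. The marker registry key path and the PGP uninstall command line are placeholders, and the state names are this example's own.

```powershell
# Added example: wait for PGP WDE decryption to finish, then uninstall and clear the SCCM marker.
$PgpWde = "C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe"
$MarkerKey = "HKLM:\SOFTWARE\PLACEHOLDER\PGPDecrypt"              # placeholder: key the compliance rule watches
$UninstallCmd = "msiexec.exe /x {PLACEHOLDER-PGP-PRODUCT-CODE} /qn"  # placeholder: real uninstall line
$PollSeconds = 300

function Get-PgpWdeState {
    # Capture the status XML from stdout and parse it without touching the file system.
    $raw = & $PgpWde --status --xml 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) { return "Unknown" }
    $xml = [xml]($raw -join "`n")
    $ds = $xml.pgpwde.diskstatus
    # Once decryption is done, <instrumented>false</instrumented> is all that is left in <diskstatus>.
    if ($ds.instrumented -eq "false") { return "Decrypted" }
    $proc = $ds.encryptionprocess
    if ($proc.running -eq "true" -and $proc.status -eq "decrypting") { return "Decrypting" }
    if ($proc.running -eq "true") { return "Busy:" + $proc.status }   # e.g. still encrypting
    return "Encrypted"   # instrumented, nothing running: the decrypt command never took effect
}

function Invoke-DecryptionFollowUp {
    do {
        $state = Get-PgpWdeState
        Write-Host ("{0} PGP WDE state: {1}" -f (Get-Date -Format s), $state)
        if ($state -eq "Decrypted") { break }
        if ($state -eq "Encrypted") {
            throw "Disk is still encrypted and no decrypt is running; nothing to wait for."
        }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)

    # Decryption confirmed: remove PGP first, and only then drop the marker key,
    # so a failed uninstall leaves the compliance rule firing and the machine gets retried.
    $p = Start-Process -FilePath "cmd.exe" -ArgumentList "/c $UninstallCmd" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "PGP uninstall returned exit code $($p.ExitCode); marker key kept." }
    Remove-Item -Path $MarkerKey -Force -ErrorAction Stop
}

Invoke-DecryptionFollowUp
```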
wkasdo
Administrator
Posts: 241
#2
This is one way to do it, assuming that this is the part that we need to look at: <instrumented>false</instrumented>

$done = ([xml] (Get-Content "C:\Windows\pgpStatus.xml")).pgpwde.diskstatus.instrumented -eq "false"

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
Wobble_Wibble
New Friend (or an Old Friend who Built a New Account)
Posts: 45
#3
Batch file and info from here...
http://stackoverflow.com/questions/20861432/batch-file-to-uninstall-a-program

__________________
Press any key....
Yes, any key....
OK, try the space bar.
BtilEntrails
New Friend (or an Old Friend who Built a New Account)
Posts: 27
#4
Quote:
Originally Posted by wkasdo
This is one way to do it, assuming that this is the part that we need to look at: <instrumented>false</instrumented>

$done = ([xml] (Get-Content "C:\Windows\pgpStatus.xml")).pgpwde.diskstatus.instrumented -eq "false"



Thank you that was part of what I was looking for.

The local SCCM expert (the guy just kicks ass at all things and am happy he works with me) was able to find time and then make the PS scripting for me. I just wish I had time at work to learn and do what he can do. Maybe one of these days I will be able to buy out time from my life or at work to have confidence in making and using PS.
