My company regularly checks for deltas in our laptop environment to see what is encrypted and what might have been missed (or what might have been rebuilt by a "power user" who neglected to load EECP). There are a couple of ways to accomplish this:
SBADMCL GetLastCheckinDate; check that the last checkin is recent and the status is "installed"
Inventory scan (using a third-party tool) which checks for the presence of the SafeBoot program files and registry entry running the client manager
I would like to come up with a third option for those machines that are - for any number of reasons - difficult to confirm are encrypted (for example, Deleted Machines that were not named properly to begin with and which wouldn't show up in a GetLastCheckinDate report and therefore cannot confirm the crypt state of). Some of the things I'd thought of:
Use SBADMCL and AutoIt to compile a script that could write a TXT file or registry entry confirming the crypt state, which could then be read by the Inventory Scanner
Use SBADMCL and AutoIt to somehow remotely query the crypt state of a machine
The second option is the one I'm really interested in, but SBADMCL doesn't offer much in the way of remote querying of machines - much of the querying runs off of database info. Has anyone come up with anything similar, or does anyone know if there are plans to build something similar into future releases of the scripting tool? I know that this functionality could be greatly limited by the available TCP ports...
The getCryptState command runs locally and does not query the database, so you can use that to get what you need. To run it remotely, you can use any of the normal tools that an enterprise might use (SMS, SCCM, Altiris, ZenWorks, Login Scripts, GPOs, etc) or you can use a tool like PSEXEC from SysInternals/Microsoft if you know the machines you want to target.
If I have some free time later today, I'll write-up and post a GetCryptState example. Once you have the machine running your AutoIt script, it'd be easy to do with the results as you wish - write them out to a text file, registry key, http post, whatever.