BitLocker Sub Collector Questions

[Sixty502]

Problem Statement

I have been looking at the BitLocker collector recently and had a few questions.

Can the sample config.yaml under tools and the example_config.yml under docs be updated to include the syntax for using the BitLocker collector? Searching online, I found a few examples that didn't work, but the one below does. Both metrics and bitlocker_status can be in single quotes, double quotes, or no quotes and it still works.

collector:
logical_disk:
enabled:
- metrics
- bitlocker_status

When I look in a browser at what is being published by the exporter, I don't see any results for the OS drive or the root of a drive with mount points. No C:\ or D:\ even though D:\MOUNT1, D:\MOUNT2, etc. do show up. C: and D: do show up when using get-bitlockervolume, they have a VolumeStatus of FullyEncrypted, and Protection Status of On. The Get-WmiObject command from another thread (Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume") returns C:\ and D:\ and other windows_logical_disk counters, like windows_logical_disk_free_bytes, include C:, D:, .... Am I missing something in my config?

The metrics coming back under windows_logical_disk_bitlocker_status (decrypting, disabled, encrypting, locked, off, on, suspended, unknown, waiting_for_activation) only have a 1 by disabled even though get-bitlockervolume shows them all FullyEncrypted with a Protection Status of On.

Thanks

Environment

• windows_exporter Version:
• Windows Server Version:

[Sixty502]

Looking in the event log, I see messages for both C: and D:.

source=logical_disk.go:521 msg="failed to get BitLocker status for C:" collector=logical_disk err="GetProperty failed: GetProperty failed: The operation completed successfully."

source=logical_disk.go:521 msg="failed to get BitLocker status for D:" collector=logical_disk err="GetProperty failed: GetProperty failed: The operation completed successfully."

Every message I've seen has two 'GetProperty failed:' messages followed by 'The operation completed successfully.'

[jkroepke]

Sound like an bug on the error message. Do you run the collector as an admin

[Sixty502]

It is running as the Local System account. The error message is only for C: and D: and not for the mount points. The mount points show up in the metrics published, but C: and D: do not. Are you thinking a bug in the error message is causing C: and D: to error?

[jkroepke]

Whats the Windows Bitlocker Status for C: and D:?

[Sixty502]

FullyEncrypted 100%

[AlbanMGit]

Hi, we have same issue/same behavior :(

[Dominik-esb]

I may have found the issue:

SHCreateItemFromParsingName requires a trailing \ for drive roots. Without it, Windows Shell API fails with the misleading "GetProperty failed: The operation completed successfully" error.

The answer is in the Microsoft Naming Files, Paths, and Namespaces docs. From the "Fully Qualified vs. Relative Paths" section:

"If a file name begins with only a disk designator but not the backslash after the colon, it is interpreted as a relative path to the current directory on the drive with the specified letter."

System.Volume.BitLockerProtection is a volume property. Windows only populates it when the Shell item represents a volume root (C:\). When given C:, the Shell resolves it to the current working directory (e.g. C:\Windows\System32), which is just a folder — so GetProperty returns no value and v.Val is 0, which maps to index 0 in the status slice → wrongly reported as disabled.

The same applies to mount points: D:\MOUNT1 resolves as a directory entry, but D:\MOUNT1\ is identified as a volume root by the Shell, so the property is populated correctly.


I didn't had time to test this until now
I'll check if I can provide a PR for this. But I would need someone to test this.

[Sixty502]

I can test it.