I use a report that works quite well to show machines where Bitlocker protection is off. I am trying to figure out how to add a condition to it though, we get a lot of false positives where the report shows protection is disabled, but once we get to it, it's back on. I'd like to add the condition that it must be seen OFF 2 or more times or for 2 days in a row before it's added to the report.
Here's the report as it stands now:
Select Top 1000000 tsysAssetTypes.AssetTypeIcon16 As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblEncryptableVolume.DriveLetter,
Case
When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON'
Else 'UNKNOWN'
End As ProtectionStatus,
tblEncryptableVolume.LastChanged,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Description,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblAssetCustom.Location,
tsysIPLocations.IPLocation,
tsysOS.OSname As OS,
tblAssets.SP As SP,
tblAssets.Firstseen,
tblAssets.Lastseen
From tblEncryptableVolume
Inner Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
Inner Join tsysAssetTypes On tblAssets.Assettype = tsysAssetTypes.AssetType
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join tsysIPLocations On tblAssets.LocationID = tsysIPLocations.LocationID
Where tblAssets.AssetName Not Like '%iland%' And
tblEncryptableVolume.DriveLetter = 'C:' And tblAssets.Domain = 'xxxxx' And
tsysOS.OSname = 'Win 10' And tblAssets.Lastseen > GetDate() - 10 And
tblEncryptableVolume.ProtectionStatus = 0
Order By tblAssets.AssetName