This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Re: Drive encryption missing on systems
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-14-2015 01:24 PM
I work for a law enforcement agency and we have been instructed by the Feds we are out of compliance with drive encryption on all of our workstations. We moved to setting up BitLocker on all systems, we have some 3000 in the entire domain with about 1500 being law. Using the drive encryption report I have been tracking our numbers and reporting back to management. A co-worker ran a report directly against AD and found that his number of encrypted system was some 300 higher than LS. After some troubleshooting we found that systems were missing that field completely. So those systems are on showing up because the value for encryption is blank (not NO or YES). We ran a queue against AD and LS to attempt to find how many systems that are missing this data and come up 498. We picked a handful of systems and ran a WMI repair and the results was a third showed that status now after a rescan. The other two-thirds still are missing the data. I checked SQL and as expected there is no NULL values. On the systems which are not reporting that value we do not find any errors from LS. Ideas? When the Feds are breathing down on your city things roll downhill rather fast and right now I am the resting point.
Solved! Go to Solution.
Labels:
- Labels:
-
General Discussion
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-17-2015 10:28 AM
Not sure, but I assume menoskeym is referring to the built-in "Computer: Encryptable Volumes" report. This report lists data pulled from the Win32_EncryptableVolume WMI (Windows Management Instrumentation) class. This class should exist in Windows Vista and higher and Windows 2008 and higher. If it returns incorrect data for some reason however, there is not much we can do about this. You can query Win32_EncryptableVolume in the Root\CIMV2\Security\MicrosoftVolumeEncryption namespace directly to see what it stores.
Keep in mind that:
A sample encryptable volumes report that also includes machines for which no encryption data was detected can be seen below. The encryption status of machines for which no data was detected will be marked as "unknown". I included machines that have not been successfully scanned, but excluded XP and other operating systems that don't support BitLocker anyway.
Keep in mind that:
- Data scanned by Lansweeper may not match what is stored in WMI unless your machines have recently and successfully been rescanned.
- Most scanning methods respect item wait times and will only rescan BitLocker information once every 24 hours by default. You can adjust your wait times or use one of the Rescan buttons to trigger an immediate scan.
A sample encryptable volumes report that also includes machines for which no encryption data was detected can be seen below. The encryption status of machines for which no data was detected will be marked as "unknown". I included machines that have not been successfully scanned, but excluded XP and other operating systems that don't support BitLocker anyway.
Select Top 1000000 Coalesce(tsysOS.Image, 'notscanned.png') As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.Firstseen,
tblAssets.Lastseen,
SubQuery1.Lasttime As LastEncryptionScan,
tblEncryptableVolume.DriveLetter,
Case When tblAssets.AssetID Not In (Select tblEncryptableVolume.AssetId
From tblEncryptableVolume) Then 'unknown'
When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON' Else 'UNKNOWN'
End As ProtectionStatus,
tblEncryptableVolume.LastChanged
From tblEncryptableVolume
Right Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 TsysLastscan.AssetID,
TsysLastscan.Lasttime
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Where TsysWaittime.CFGname = 'encryptablevolume') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Where tblAssets.AssetID Not In (Select tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where (tsysOS.OSname Like '%2000%') Or
(tsysOS.OSname Like '%2003%') Or
(tsysOS.OSname Like '%xp%')) And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName,
tblEncryptableVolume.DriveLetter
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-17-2015 10:28 AM
Not sure, but I assume menoskeym is referring to the built-in "Computer: Encryptable Volumes" report. This report lists data pulled from the Win32_EncryptableVolume WMI (Windows Management Instrumentation) class. This class should exist in Windows Vista and higher and Windows 2008 and higher. If it returns incorrect data for some reason however, there is not much we can do about this. You can query Win32_EncryptableVolume in the Root\CIMV2\Security\MicrosoftVolumeEncryption namespace directly to see what it stores.
Keep in mind that:
A sample encryptable volumes report that also includes machines for which no encryption data was detected can be seen below. The encryption status of machines for which no data was detected will be marked as "unknown". I included machines that have not been successfully scanned, but excluded XP and other operating systems that don't support BitLocker anyway.
Keep in mind that:
- Data scanned by Lansweeper may not match what is stored in WMI unless your machines have recently and successfully been rescanned.
- Most scanning methods respect item wait times and will only rescan BitLocker information once every 24 hours by default. You can adjust your wait times or use one of the Rescan buttons to trigger an immediate scan.
A sample encryptable volumes report that also includes machines for which no encryption data was detected can be seen below. The encryption status of machines for which no data was detected will be marked as "unknown". I included machines that have not been successfully scanned, but excluded XP and other operating systems that don't support BitLocker anyway.
Select Top 1000000 Coalesce(tsysOS.Image, 'notscanned.png') As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.Firstseen,
tblAssets.Lastseen,
SubQuery1.Lasttime As LastEncryptionScan,
tblEncryptableVolume.DriveLetter,
Case When tblAssets.AssetID Not In (Select tblEncryptableVolume.AssetId
From tblEncryptableVolume) Then 'unknown'
When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON' Else 'UNKNOWN'
End As ProtectionStatus,
tblEncryptableVolume.LastChanged
From tblEncryptableVolume
Right Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 TsysLastscan.AssetID,
TsysLastscan.Lasttime
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Where TsysWaittime.CFGname = 'encryptablevolume') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Where tblAssets.AssetID Not In (Select tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where (tsysOS.OSname Like '%2000%') Or
(tsysOS.OSname Like '%2003%') Or
(tsysOS.OSname Like '%xp%')) And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName,
tblEncryptableVolume.DriveLetter
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-15-2015 02:46 PM
Hey,
I'm the creator of the report I think you are talking about. The report was originally written for our environment and we have to look for more encryption methods than just BitLocker. So you need it only look for Bitlocker and include the false positives that may not show the flag for encryption (IE Null Value)?
Thank you,
Jeffrey
I'm the creator of the report I think you are talking about. The report was originally written for our environment and we have to look for more encryption methods than just BitLocker. So you need it only look for Bitlocker and include the false positives that may not show the flag for encryption (IE Null Value)?
Thank you,
Jeffrey
Thank you,
Jeffrey Smith
Enterprise Applications Security
(319) 499-6310
JefSmith@geico.com
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Built-in Bitlocker Report Accuracy in Reports & Analytics
- LSAgent & Lansweeper Cloud in Product Discussions
- Truth or Dare - share your Custom Fields for Lansweeper Classic in General Discussions
- EMR software: eClinicalWorks - Reports and Deployments for managing your EMR in Reports & Analytics
- New preview capability - Track your hard-to-reach assets using IT Agent, the future of LsAgent in Product Discussions
