menoskeym
Engaged Sweeper
I work for a law enforcement agency and we have been instructed by the Feds that we are out of compliance with drive encryption on all of our workstations. We moved to setting up BitLocker on all systems; we have some 3000 in the entire domain with about 1500 being law. Using the drive encryption report I have been tracking our numbers and reporting back to management. A co-worker ran a report directly against AD and found that his number of encrypted systems was some 300 higher than LS. After some troubleshooting we found that systems were missing that field completely. So those systems aren't showing up because the value for encryption is blank (not NO or YES). We ran a query against AD and LS to attempt to find how many systems are missing this data and came up with 498. We picked a handful of systems and ran a WMI repair, and the result was that a third showed that status after a rescan. The other two-thirds are still missing the data. I checked SQL and as expected there are no NULL values. On the systems which are not reporting that value we do not find any errors from LS. Ideas? When the Feds are breathing down on your city things roll downhill rather fast and right now I am the resting point.
1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
Not sure, but I assume menoskeym is referring to the built-in "Computer: Encryptable Volumes" report. This report lists data pulled from the Win32_EncryptableVolume WMI (Windows Management Instrumentation) class. This class should exist in Windows Vista and higher and Windows 2008 and higher. If it returns incorrect data for some reason however, there is not much we can do about this. You can query Win32_EncryptableVolume in the Root\CIMV2\Security\MicrosoftVolumeEncryption namespace directly to see what it stores.

Keep in mind that:
  • Data scanned by Lansweeper may not match what is stored in WMI unless your machines have recently and successfully been rescanned.
  • Most scanning methods respect item wait times and will only rescan BitLocker information once every 24 hours by default. You can adjust your wait times or use one of the Rescan buttons to trigger an immediate scan.

A sample encryptable volumes report that also includes machines for which no encryption data was detected can be seen below. The encryption status of machines for which no data was detected will be marked as "unknown". I included machines that have not been successfully scanned, but excluded XP and other operating systems that don't support BitLocker anyway.
Select Top 1000000 Coalesce(tsysOS.Image, 'notscanned.png') As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tsysOS.OSname,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  SubQuery1.Lasttime As LastEncryptionScan,
  tblEncryptableVolume.DriveLetter,
  -- Assets with no row in tblEncryptableVolume at all are reported as 'unknown'
  -- instead of silently dropping out of the report
  Case When tblAssets.AssetID Not In (Select tblEncryptableVolume.AssetId
      From tblEncryptableVolume) Then 'unknown'
    When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
    When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON' Else 'UNKNOWN'
  End As ProtectionStatus,
  tblEncryptableVolume.LastChanged
From tblEncryptableVolume
  -- Right join keeps every asset, including those with no encryption data scanned
  Right Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Last time the 'encryptablevolume' scan item actually ran for the asset
  Left Join (Select Top 1000000 TsysLastscan.AssetID,
      TsysLastscan.Lasttime
    From TsysWaittime
      Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
    Where TsysWaittime.CFGname = 'encryptablevolume') SubQuery1
  On SubQuery1.AssetID = tblAssets.AssetID
-- Exclude operating systems that cannot run BitLocker; keep only active assets
Where tblAssets.AssetID Not In (Select tblAssets.AssetID
    From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
    Where (tsysOS.OSname Like '%2000%') Or
      (tsysOS.OSname Like '%2003%') Or
      (tsysOS.OSname Like '%xp%')) And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName,
  tblEncryptableVolume.DriveLetter
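
The answer above suggests querying Win32_EncryptableVolume in the Root\CIMV2\Security\MicrosoftVolumeEncryption namespace directly to see what the machine itself reports. The script below is an added example, not part of the original answer and not Lansweeper's own code; it queries that class on one or more computers and, like the report, records a machine as "unknown" when the namespace or class returns nothing, which is the case that shows up as a blank in the asset report. It assumes it is run from an elevated PowerShell session and, for remote hosts, that WinRM is enabled so Get-CimInstance can reach them; the computer names passed in are whatever you choose to check.

```powershell
# Added example (not from the original post or from Lansweeper): read BitLocker
# protection state straight from the Win32_EncryptableVolume WMI class so that
# machines returning no data are counted as "unknown" rather than dropped.
# Assumptions: run as an administrator; remote hosts reachable over WinRM.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# ProtectionStatus values defined for Win32_EncryptableVolume:
# 0 = protection off, 1 = protection on, 2 = protection unknown
$statusMap = @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'UNKNOWN' }

function Get-BitLockerWmiStatus {
    param([string]$Computer)

    $cimArgs = @{ Namespace = $ns; ClassName = 'Win32_EncryptableVolume'; ErrorAction = 'Stop' }
    # Only go over WinRM for machines other than the local one
    if ($Computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $Computer }

    try {
        $vols = Get-CimInstance @cimArgs
    } catch {
        # Namespace or class missing, or the WMI repository is damaged: this is
        # the machine that shows a blank instead of YES/NO in the asset report.
        return [pscustomobject]@{
            Computer = $Computer; DriveLetter = $null
            ProtectionStatus = 'unknown'; Error = $_.Exception.Message
        }
    }

    if (-not $vols) {
        # Class answered but returned no volume instances at all
        return [pscustomobject]@{
            Computer = $Computer; DriveLetter = $null
            ProtectionStatus = 'unknown'; Error = 'class returned no instances'
        }
    }

    foreach ($v in $vols) {
        $code = [int]$v.ProtectionStatus
        [pscustomobject]@{
            Computer         = $Computer
            DriveLetter      = $v.DriveLetter
            ProtectionStatus = if ($statusMap.ContainsKey($code)) { $statusMap[$code] } else { 'UNKNOWN' }
            Error            = $null
        }
    }
}

$results = foreach ($c in $ComputerName) { Get-BitLockerWmiStatus -Computer $c }
$results | Format-Table -AutoSize

# Totals in the same three buckets the report uses (ON / OFF / unknown)
$results | Group-Object ProtectionStatus | Select-Object Name, Count
```

Running this against a sample of the machines that show a blank in Lansweeper tells you whether the class itself is missing on the box (the script reports the WMI error) or whether WMI answers fine and the gap is only a scan that has not yet run, which the 24-hour wait time explains.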

2 REPLIES 2
sukaitsu
Champion Sweeper
Hey,

I'm the creator of the report I think you are talking about. The report was originally written for our environment and we have to look for more encryption methods than just BitLocker. So you need it to only look for BitLocker and include the false positives that may not show the flag for encryption (i.e. null value)?

Thank you,

Jeffrey
Thank you, Jeffrey Smith Enterprise Applications Security (319) 499-6310 JefSmith@geico.com