
Bitlocker not enabled

Description: Looks for endpoints where BitLocker is not enabled.

What The Data Shows: Machines where BitLocker is not enabled.

SQL:

select * from bitlocker_info
where protection_status = 0;
kbrawley
Community Manager

Hi @ksnihur, thank you for your contribution!  We'll vet this submission and if it runs as expected we'll change the status of your query from Under Review to CB Approved.

Thanks again!

kbrawley
Community Manager
Status changed to: Approved

Thanks for submitting! This is now CB Approved. 

stympanick
Carbon Black Employee

To build off this (kudos to @jnelson )

select drive_letter as "Drive Letter",
       case protection_status
            when 1 then 'ENABLED'
            else 'DISABLED'
       end as "Protection Status"
from bitlocker_info
where protection_status = 0;


mjw
New Contributor

Is there an approved query to join on the os_version table and filter results to endpoints where os_version.platform = 'windows' and os_version.name NOT LIKE '%SERVER%'?

I.e. I only want the bitlocker status of non-server Windows systems.

jnelson
Carbon Black Employee

@mjw when you run a query it will run against all of the endpoints you have selected, per policy or individually, regardless of what the query is.

In the case of Bitlocker, this table is Windows only so it will error out on all other OSs. You can use the filters in the UI to hide the errors in your results. 

gowens
New Contributor

Has anyone tested/validated a similar bitlocker 'enabled' detector for CB-response?

bglaze
New Contributor II

I am trying to do something similar, but want to try to pull from the system_info table to help determine if the machine is a laptop, desktop, or server. The issue I am having is that the "bitlocker_info" table has a "device_id" field, but the "system_info" table does not. Any ideas on how I could possibly run a query on the system_info table which would populate the output with the device_id and device_name, then use that temp output to JOIN with on a bitlocker query? I'm a SQL newb so I appreciate the help.

I was trying to do this, but need the query against all systems with the system_info query to get the device_id's:

SELECT b.drive_letter,
       CASE b.protection_status
           WHEN 0 THEN 'OFF'
           WHEN 1 THEN 'ON (Unlocked)'
           WHEN 2 THEN 'ON (Locked)'
       END AS "Bitlocker Status",
       s.hostname,
       s.cpu_type,
       s.cpu_brand,
       s.cpu_physical_cores,
       s.cpu_logical_cores,
       s.hardware_vendor,
       s.hardware_model,
       s.hardware_version,
       s.hardware_serial
FROM bitlocker_info b JOIN system_info s ON b.device_id = s.device_id;

jnelson
Carbon Black Employee

@bglaze Those two tables do not have a column that you can do a JOIN on, but you can "add" to make the JOIN work. This fix only works because these tables only return one row.

WITH b AS (
  SELECT 1 AS one, *
  FROM bitlocker_info),
s AS (
  SELECT 1 AS one, *
  FROM system_info)
SELECT b.drive_letter,
       CASE b.protection_status
         WHEN 0 THEN 'OFF'
         WHEN 1 THEN 'ON (Unlocked)'
         WHEN 2 THEN 'ON (Locked)'
       END AS "Bitlocker Status",
       s.hostname,
       s.cpu_type,
       s.cpu_brand,
       s.cpu_physical_cores,
       s.cpu_logical_cores,
       s.hardware_vendor,
       s.hardware_model,
       s.hardware_version,
       s.hardware_serial
FROM b JOIN s USING (one);
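A runnable illustration of the constant-key join above, added here as an example that is not from the thread or from Carbon Black: it builds constructed in-memory SQLite tables shaped like the osquery bitlocker_info, system_info and os_version tables (column names taken from the thread, sample values made up), combines jnelson's join trick with mjw's non-server filter, and returns one row per drive whose protection is off. Since osquery runs per endpoint, each table here stands for one endpoint's result.

```python
import sqlite3

# Constructed sample rows (not real endpoint data): C: unprotected, D: protected.
BITLOCKER_ROWS = [("C:", 0), ("D:", 1)]
SYSTEM_ROWS = [("WS-0421", "Dell Inc.", "Latitude 7420", "ABC123")]
OS_ROWS = [("Microsoft Windows 10 Enterprise", "windows")]

# Constant-key join: every table gets a synthetic column `one` = 1, so tables
# with no shared key can still be joined (same trick as the CTE in the thread,
# written with explicit ON clauses). Status labels follow bglaze's CASE.
DETECTION_SQL = """
WITH b AS (SELECT 1 AS one, * FROM bitlocker_info),
     s AS (SELECT 1 AS one, * FROM system_info),
     o AS (SELECT 1 AS one, * FROM os_version)
SELECT b.drive_letter,
       CASE b.protection_status
         WHEN 0 THEN 'OFF'
         WHEN 1 THEN 'ON (Unlocked)'
         WHEN 2 THEN 'ON (Locked)'
       END AS bitlocker_status,
       s.hostname, s.hardware_vendor, s.hardware_model, o.name
FROM b JOIN s ON s.one = b.one
       JOIN o ON o.one = b.one
WHERE b.protection_status = 0
  AND o.platform = 'windows'
  AND o.name NOT LIKE '%SERVER%';
"""


def build_endpoint_db(bitlocker_rows, system_rows, os_rows):
    """In-memory SQLite DB standing in for one endpoint's osquery tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE bitlocker_info (drive_letter TEXT, protection_status INTEGER);
        CREATE TABLE system_info (hostname TEXT, hardware_vendor TEXT,
                                  hardware_model TEXT, hardware_serial TEXT);
        CREATE TABLE os_version (name TEXT, platform TEXT);
    """)
    con.executemany("INSERT INTO bitlocker_info VALUES (?, ?)", bitlocker_rows)
    con.executemany("INSERT INTO system_info VALUES (?, ?, ?, ?)", system_rows)
    con.executemany("INSERT INTO os_version VALUES (?, ?)", os_rows)
    return con


def find_unprotected(bitlocker_rows, system_rows, os_rows):
    """Run the detection query; one tuple per unprotected drive on a non-server host."""
    con = build_endpoint_db(bitlocker_rows, system_rows, os_rows)
    return con.execute(DETECTION_SQL).fetchall()


if __name__ == "__main__":
    for row in find_unprotected(BITLOCKER_ROWS, SYSTEM_ROWS, OS_ROWS):
        print(row)
```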