Relevance to detect bitlocker status as protection on

Trying to create an automatic group with one of the relevance statements being able to only allow clients with BitLocker protection status as being on for the system drive.
This works in qna but when I use it in the relevance, it does not.

Q: if (name of operating system = "Win7") then if (exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption") then ((if (exists (select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" of wmi "root\CIMv2\Security\MicrosoftVolumeEncryption") whose ((integer value of property "ProtectionStatus" of it = 1 AND string value of property "DriveLetter" of it = "C:") )) then "BitLocker Encrypted" ELSE "BitLocker Problematic") as string) else "Unknown" else "N/A"
A: BitLocker Encrypted

Are you making this an Analysis property? Relevance for Fixlets/Tasks/Computer Groups must return a true/false answer.

So (assuming your relevance is correct, I don’t have a Win7 handy to check), you could have a group named “Bitlocker Encrypted - Windows 7” with relevance

(name of operating system = "Win7") AND (exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" whose (exists select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1 AND string value of property "DriveLetter" of it = "C:") of it))

I'm trying to make it a relevance for the automatic group membership. There are 3 criteria for an endpoint to join: 1. it's a Win7 or Win10 OS, 2. certain characters of its computer name have to be certain characters, and 3. it has to have BitLocker encryption protection on. I have the first 2, but I'm having a problem with the BitLocker piece.

Jason, tried your relevance statement and it works. Thank you for the help.

Jason (or anyone else), can this be made into an analysis too? I'd like the analysis for BitLocker Status to be for the system drive (C:) and not attached flash drives as well. That way I don't see "Multiple results".

So, if this statement you mentioned could somehow be combined with this one:

tuple string items (integer values of selects ("ProtectionStatus from win32_EncryptableVolume") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption") of "Protection Off, Protection On, Protection Unknown"

I might recommend the bitlocker analysis in C3 protect: https://github.com/strawgate/C3-Protect/blob/master/Analyses/Bitlocker%20-%20Audit%20-%20Windows.bes

2 Likes

This is what I have for my environment. Now, granted, I have systems with Sophos.

if((exists structures whose(name of it as lowercase = "portable_battery") of smbios) OR (exists selects "* from Win32_Battery" of wmi) OR (exists selects "* from Win32_PortableBattery" of wmis) OR (exists selects "* from DCIM_Battery" of wmis "root\dcim\sysman"))then(if(exists keys whose(value "DisplayName" of it as string as lowercase starts with "sophos safeguard client") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of ( x64 registries; x32 registries ))then(concatenation "" of ((concatenation ";" of (values "DisplayName" of it as string) & concatenation ";" of (" - ") & concatenation ";" of (values "DisplayVersion" of it as string)) of keys whose (value "DisplayName" of it as string as lowercase contains "sophos") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (registry;native registry)))else(if((exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" whose (exists select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1 AND string value of property "DriveLetter" of it = "C:") of it)))then("Bitlocker Enabled")else("System Not Encrypted")))else("Desktop")

1 Like

I figured it out by using some of the relevance in @TheCookieMonster post. Thank you all!

if((exists wmi "root\CIMv2\Security\MicrosoftVolumeEncryption" whose (exists select objects "ProtectionStatus, DriveLetter from Win32_EncryptableVolume" whose (integer value of property "ProtectionStatus" of it = 1 AND string value of property "DriveLetter" of it = "C:") of it)))then("Protection On")else("Protection Off")

Another question for you all! I'd like to get the following analysis working the same as the above one, where it's checking the BitLocker method, but on C: only:

(if it = 6 then "XTS-AES 128" else if it = 7 then "XTS-AES 256" else "N/A") of integer values of selects ("EncryptionMethod from win32_EncryptableVolume") of WMI "root\CIMv2\Security\MicrosoftVolumeEncryption"

Same WMI location, but it's also checking for 2 different values.

Any help would be appreciated!

Anyone have any input on this last question?

It’s fun – you get to use relevance and string interpolation in a WMI query. Here’s our “ProtectionStatus of C:” property.

tuple string items (integer values of selects ("ProtectionStatus from win32_EncryptableVolume WHERE DriveLetter='" & (name of drive of system folder) &"'") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption") of "Protection Off, Protection On, Protection Unknown"

2 Likes

That one is similar in the sense that it gets similar results as mine. What my second question was is to get an analysis statement that gets the EncryptionMethod, but ONLY for C:

Right — mine shows an example of using relevance to add constraints to the WMI query. It returns the results of a different, but similar, lookup than yours, for just the C drive. You can sub in the part from my example to your existing relevance to get you what you need.

1 Like

It wasn’t exact, but that put me on the right path and made this:

(if it = 6 then "XTS-AES 128" else if it = 7 then "XTS-AES 256" else "N/A") of (integer values of selects ("EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter='" & (name of drive of system folder) & "'") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption")

2 Likes

How would you write this to include the encryption methods for 1 through 5? Not super familiar with if/then statements in BigFix yet.

The cool way is to use the method that @alinder used above and get the list of string equivalents off the MS website for the WMI call:

q: tuple string items (integer values of selects ("EncryptionMethod from win32_EncryptableVolume WHERE DriveLetter='" & (name of drive of system folder) &"'") of WMIs "root\CIMv2\Security\MicrosoftVolumeEncryption") of "None, AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER, AES_128, AES_256, HARDWARE_ENCRYPTION, XTS_AES_128,XTS_AES_256"
A: AES_256

0 turns into None, 1 into AES_128_WITH_DIFFUSER. My C drive is a 4, or AES_256.
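As an added example that is not part of this thread, here is the same Win32_EncryptableVolume lookup done in PowerShell, so a client's result can be cross-checked by hand against what the analysis reports. It restricts the query to the system drive the same way the WHERE clause above does and decodes both ProtectionStatus and EncryptionMethod with the value tables quoted in this thread; the function name is my own.

```powershell
# Added example, not from the thread: the Win32_EncryptableVolume lookup the
# relevance above performs, written in PowerShell for checking a single client.
# Needs an elevated prompt; the BitLocker WMI provider denies non-admin callers.

# Value tables for Win32_EncryptableVolume, same order as the tuple strings above.
$ProtectionNames = @{ 0 = 'Protection Off'; 1 = 'Protection On'; 2 = 'Protection Unknown' }
$MethodNames = @{
    0 = 'None';        1 = 'AES_128_WITH_DIFFUSER'; 2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128';     4 = 'AES_256';               5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'; 7 = 'XTS_AES_256'
}

function Get-SystemDriveBitLockerState {
    # $Drive defaults to the OS drive ("C:"), the counterpart of
    # "name of drive of system folder" in the relevance above.
    param([string]$Drive = $env:SystemDrive)

    # The WHERE clause does the job of the relevance "whose (...)" filter, so only
    # the system volume comes back and removable drives cannot cause "Multiple results".
    $vol = Get-CimInstance -Namespace 'root\CIMv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName 'Win32_EncryptableVolume' `
                           -Filter "DriveLetter='$Drive'" -ErrorAction Stop

    if (-not $vol) {
        # No encryptable volume with that letter: same outcome as the "N/A" branch above.
        return [pscustomobject]@{ Drive = $Drive; ProtectionStatus = 'N/A'
                                  EncryptionMethod = 'N/A'; InGroup = $false }
    }

    # WMI returns UInt32; cast to [int] so the lookups match the integer keys.
    $p = [int]$vol.ProtectionStatus
    $m = [int]$vol.EncryptionMethod
    $pName = if ($ProtectionNames.ContainsKey($p)) { $ProtectionNames[$p] } else { "Unknown ($p)" }
    $mName = if ($MethodNames.ContainsKey($m))     { $MethodNames[$m] }     else { "Unknown ($m)" }

    [pscustomobject]@{
        Drive            = $vol.DriveLetter
        ProtectionStatus = $pName
        EncryptionMethod = $mName
        # Boolean form of the computer-group relevance: protection is actually on.
        InGroup          = ($p -eq 1)
    }
}

Get-SystemDriveBitLockerState | Format-List
```

InGroup mirrors the true/false test a computer group needs, while the two name fields mirror the analysis properties.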

I'll give that a shot as well. Thanks.