Question here Does anyone knows exactly what the `protection osquery #windows

Question here! Does anyone knows exactly what the ...

Julian Scala

09/11/2020, 6:33 PM

Question here! Does anyone knows exactly what the

protection_status

column on

bitlocker_info

represents? I am trying to figure a query that gets either if Bitlocker is enabled or not. I was using that column to be

as Bitlocker is enabled but now I am seeing results with

but Bitlocker is in fact enabled.

Julian Scala

09/11/2020, 6:48 PM

Would

encryption_method

!= “None” mean bitlocker is enabled?

sundsta

09/11/2020, 6:54 PM

protection_status

can be 0 if the drive isn’t finished encrypting yet

Julian Scala

09/11/2020, 6:55 PM

Yah, but that does not mean that bitlocker is enabled or not.

Julian Scala

09/11/2020, 6:55 PM

Can be half encrypted and enabled or half encrypted but disabled

sundsta

09/11/2020, 6:55 PM

My personal filter is checking

percentage_encrypted == '100'

because unless it’s 100% done, I consider it not encrypted

Julian Scala

09/11/2020, 6:56 PM

But again, I need to know either Bitlocker is enabled or not, I have another query for the percent and the encryption status.

sundsta

09/11/2020, 6:57 PM

You probably want to check

conversion_status

then in addition to

protection_status

. I don’t remember all of the values it could be, but that should tell if it is in the process of encrypting which would indicate bitlocker is enabled

Julian Scala

09/11/2020, 8:47 PM

Is there a place to check

conversion_status

result meanings?

sundsta

09/11/2020, 8:59 PM

https://docs.microsoft.com/en-us/windows/win32/secprov/getconversionstatus-win32-encryptablevolume#parameters

Julian Scala

09/11/2020, 9:00 PM

Amazing! Thank you!

sundsta

09/11/2020, 9:00 PM

A lot of the windows specific tables are just WMI queries, so TechNet is the best place to look up possible values

6 Views

Open in Slack

Previous Next