Sorry that I didn’t define that better… Yes, it’s with a script. I’m using a PowerShell script in our environment to handle identifying what’s encrypted and what isn’t and the script is contained within a Configuration Item for evaluation. As long as the string returned by the script matches what the Configuration Item is looking for, then the configuration item will report the item as compliant.
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Friday, March 06, 2015 1:41 PM
To: [email protected]
Subject: Re: [mssms] Compliance setting for Bitlocker Encryption Method

Thanks Charles. I came across that method after posting, but if I understand correctly there is no way to invoke a method from a WQL query. I think I can set the compliance setting up to run a script though, instead of a WQL query, so that might be the way to get what I need.

On Fri, Mar 6, 2015 at 12:19 PM, Lindsay, Charles <[email protected]> wrote:

That particular WMI class contains the “GetEncryptionMethod” which will return a value representing the encryption method according to the list of values on https://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx. Use the instance in calling the method and that will give you the information that you’re looking for.

For example…

PS C:\WINDOWS\system32> $drive = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume | WHERE {$_.DriveLetter -eq "C:"}
PS C:\WINDOWS\system32> $drive.GetEncryptionMethod()

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
EncryptionMethod : 1
ReturnValue      : 0
PSComputerName   :

PS C:\WINDOWS\system32>

[EncryptionMethod : 1] defines that the volume is encrypted using AES 128.

Thanks,

Charles Lindsay II
Network Analyst
Florida Department of Transportation, Enterprise Services - Technology Services and Support Office
11201 N. McKinley Drive, Tampa, FL 33612
Ph: (813) 975-6299
Email: [email protected]
Enterprise Services: CO-TSSO ECAS Enterprise Services
How am I doing? Please contact my supervisor Connie Kindberg at [email protected] with any feedback.
Computer problem? Contact the Service Desk @ 1-866-955-4357 or email [email protected] for service.

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Friday, March 06, 2015 1:01 PM
To: [email protected]
Subject: [mssms] Compliance setting for Bitlocker Encryption Method

I have a compliance setting configured to check whether the C drive on our laptops is bitlocker encrypted, based on a WQL query of Win32_EncryptableVolume in the root\cimv2\security\MicrosoftVolumeEncryption namespace. I'd like to be able to add a check for the Encryption Method as well (should be AES 256), but that wmi object doesn't seem to include this info. Anyone know how I could create a compliance setting to check the encryption method?
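
The script-based approach discussed in this thread could look like the following discovery script for a Configuration Item with a string return type. This is an added example, not a script posted by anyone in the thread. The "Compliant"/"NonCompliant" strings and the set of accepted methods are assumptions, and the value-to-name table follows the MSDN page linked above.

```powershell
# Added example: discovery script for a script-based Configuration Item.
# The CI's compliance rule is assumed to test: value Equals "Compliant".
$ErrorActionPreference = 'Stop'

# EncryptionMethod values returned by Win32_EncryptableVolume.GetEncryptionMethod
$methodNames = @{
    0 = 'None'
    1 = 'AES_128_WITH_DIFFUSER'
    2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'
    4 = 'AES_256'
    5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'
    7 = 'XTS_AES_256'
}

# Assumption: both AES 256 variants satisfy the "should be AES 256" policy.
$allowedMethods = @(2, 4)

try {
    $volume = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = 'C:'"

    if (-not $volume) {
        # Namespace exists but no C: volume instance was returned.
        Write-Output 'NonCompliant: no encryptable C: volume found'
        return
    }

    $result = $volume.GetEncryptionMethod()
    if ($result.ReturnValue -ne 0) {
        # A non-zero ReturnValue means the method call itself failed.
        Write-Output ("NonCompliant: GetEncryptionMethod returned {0}" -f $result.ReturnValue)
        return
    }

    $method = [int]$result.EncryptionMethod
    $name = if ($methodNames.ContainsKey($method)) { $methodNames[$method] } else { "Unknown($method)" }

    if ($allowedMethods -contains $method) {
        Write-Output 'Compliant'
    } else {
        # The method name is included so the reason is visible in CI reporting.
        Write-Output "NonCompliant: $name"
    }
}
catch {
    # Missing namespace or access denied is reported as non-compliant, not silently passed.
    Write-Output ("NonCompliant: {0}" -f $_.Exception.Message)
}
```

Because every failure path emits a string that does not equal "Compliant", a machine where the query or method call fails is reported as non-compliant rather than producing no result.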

