I changed my compliance setting from using a WQL query to using a script,
and added another setting to check the encryption method.  It looks like
there's a permission issue of some sort though.  The DCMWMIProvider.log is
showing an access denied error:

    In-line script returned error output: Get-WMIObject : Access is denied.
(Exception from HRESULT: 0x80070005
(E_ACCESSDENIED))
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1
char:10
+ $Drive = Get-WMIObject -computername len4231 -namespace
root\cimv2\security\micr ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject],
UnauthorizedA
   ccessException
    + FullyQualifiedErrorId :
System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.GetWmiObjectCommand

You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2
char:1
+ $Drive.GetProtectionStatus().ProtectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
A script execution error has occurred. The script has no output in stdout
and an error message in stderr. ScriptProvider 3/6/2015 1:45:31 PM 1904
(0x0770)
ScriptProvider::CreateInstanceEnumAsync - Script Execution Returned
:4294967295, Error Message:Get-WMIObject : Access is denied. (Exception
from HRESULT: 0x80070005
(E_ACCESSDENIED))
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1
char:10
+ $Drive = Get-WMIObject -computername len4231 -namespace
root\cimv2\security\micr ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject],
UnauthorizedA
   ccessException
    + FullyQualifiedErrorId :
System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.GetWmiObjectCommand

You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2
char:1
+ $Drive.GetProtectionStatus().ProtectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed in discovering instance.
Application requirement evaluation or detection failed (Error: 87D00329;
Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed to do HandleExecQueryAsync().
Application requirement evaluation or detection failed (Error: 87D00329;
Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed to process CScriptProvider::GExecQueryAsync.
Application requirement evaluation or detection failed (Error: 87D00329;
Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)


On Fri, Mar 6, 2015 at 1:05 PM, Lindsay, Charles <[email protected]> wrote:

>  Sorry that I didn’t define that better…
>
> Yes, it’s with a script.  I’m using a PowerShell script in our environment
> to handle identifying what’s encrypted and what isn’t and the script is
> contained within a Configuration Item for evaluation.  As long as the
> string returned by the script matches what the Configuration Item is
> looking for, then the configuration item will report the item as compliant.
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Friday, March 06, 2015 1:41 PM
> *To:* [email protected]
> *Subject:* Re: [mssms] Compliance setting for Bitlocker Encryption Method
>
> Thanks Charles.  I came across that method after posting, but if I
> understand correctly there is no way to invoke a method from a WQL query.
> I think I can set the compliance setting up to run a script though, instead
> of a WQL query, so that might be the way to get what I need.
>
> On Fri, Mar 6, 2015 at 12:19 PM, Lindsay, Charles <[email protected]> wrote:
>
> That particular WMI class contains the “GetEncryptionMethod” method, which will
> return a value representing the encryption method according to the list of
> values on
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx.
>
> Use the instance in calling the method and that will give you the
> information that you’re looking for.  For example…
>
> PS C:\WINDOWS\system32> $drive = Get-WmiObject -Namespace
> root\cimv2\Security\MicrosoftVolumeEncryption -Class
> Win32_EncryptableVolume | WHERE {$_.DriveLetter -eq "C:"}
>
> PS C:\WINDOWS\system32> $drive.GetEncryptionMethod()
>
> __GENUS          : 2
> __CLASS          : __PARAMETERS
> __SUPERCLASS     :
> __DYNASTY        : __PARAMETERS
> __RELPATH        :
> __PROPERTY_COUNT : 2
> __DERIVATION     : {}
> __SERVER         :
> __NAMESPACE      :
> __PATH           :
> EncryptionMethod : 1
> ReturnValue      : 0
> PSComputerName   :
>
> PS C:\WINDOWS\system32>
>
> [EncryptionMethod : 1] defines that the volume is encrypted using AES 128.
>
> Thanks,
>
> Charles Lindsay II
>
> *Network Analyst*
>
> *Florida Department of Transportation, *
>
> *Enterprise Services - Technology Services and Support Office*
>
> *11201 N. McKinley Drive, Tampa, FL 33612*
> *Ph*: (813) 975-6299 *Email*: [email protected]
>
> *Enterprise Services: *CO-TSSO ECAS Enterprise Services
> <[email protected]>
>
> How am I doing? Please contact my supervisor Connie Kindberg at
> [email protected] with any feedback.
>
> Computer problem? Contact the Service Desk @ 1-866-955-4357 or email
> [email protected] for service.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Friday, March 06, 2015 1:01 PM
> *To:* [email protected]
> *Subject:* [mssms] Compliance setting for Bitlocker Encryption Method
>
> I have a compliance setting configured to check whether the C drive on
> our laptops is BitLocker encrypted, based on a WQL query of
> Win32_EncryptableVolume in the
> root\cimv2\security\MicrosoftVolumeEncryption namespace.  I'd like to be
> able to add a check for the Encryption Method as well (should be AES 256),
> but that WMI object doesn't seem to include this info.
>
> Anyone know how I could create a compliance setting to check the
> encryption method?
>
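As an added example (not Steve's or Charles's script), here is a Configuration Item discovery script that combines the two checks discussed in the thread. It queries the local machine directly, with no -ComputerName parameter as in the failing script, checks each method's ReturnValue, and guards against a missing instance so the "null-valued expression" error from line 2 of the log cannot occur; the CI rule would then compare the single returned string against "Compliant". The set of EncryptionMethod values treated as AES 256, and the "Compliant"/"NonCompliant" strings, are assumptions.

```powershell
# Added example: CI discovery script for BitLocker status on C:. Queries the
# local machine only (no -ComputerName). Outputs exactly one string.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
# Value names from the GetEncryptionMethod documentation linked in the thread
# (6 and 7 are the XTS values reported by newer Windows versions).
$methodNames = @{
    0 = 'NONE'; 1 = 'AES_128_WITH_DIFFUSER'; 2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'; 4 = 'AES_256'; 5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'; 7 = 'XTS_AES_256'
}
# Assumption: any of the AES-256 variants satisfies the "should be AES 256" rule.
$allowedMethods = @(2, 4, 7)

try {
    $drive = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop |
             Where-Object { $_.DriveLetter -eq 'C:' }
} catch {
    # Report the WMI failure in stdout instead of dying on stderr, so the CI
    # records a non-compliant value rather than a script error.
    Write-Output "Error: $($_.Exception.Message)"
    return
}
if (-not $drive) {
    Write-Output 'Error: no Win32_EncryptableVolume instance for C:'
    return
}

# Both methods return an object whose ReturnValue is 0 on success.
$prot = $drive.GetProtectionStatus()
$enc  = $drive.GetEncryptionMethod()
if ($prot.ReturnValue -ne 0 -or $enc.ReturnValue -ne 0) {
    Write-Output ('Error: GetProtectionStatus=0x{0:X8} GetEncryptionMethod=0x{1:X8}' -f
                  $prot.ReturnValue, $enc.ReturnValue)
    return
}

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
$method = [int]$enc.EncryptionMethod
$name = $methodNames[$method]
if (-not $name) { $name = "Unknown($method)" }

if ($prot.ProtectionStatus -eq 1 -and $allowedMethods -contains $method) {
    Write-Output 'Compliant'
} else {
    Write-Output "NonCompliant: ProtectionStatus=$($prot.ProtectionStatus) EncryptionMethod=$name"
}
```

The non-compliant string carries the observed values, so a CI report shows whether a laptop failed on protection status or on the cipher rather than only that it failed.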


