Remove the –computername parameter.

Daniel Ratliff

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Friday, March 6, 2015 3:19 PM
To: [email protected]
Subject: Re: [mssms] Compliance setting for Bitlocker Encryption Method

I changed my compliance setting from using a WQL query to using a script, and added another setting to check the encryption method. It looks like there's a permission issue of some sort though. The DCMWMIProvider.log is showing an access denied error:

In-line script returned error output: Get-WMIObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1 char:10
+ $Drive = Get-WMIObject -computername len4231 -namespace root\cimv2\security\micr ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2 char:1
+ $Drive.GetProtectionStatus().ProtectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
A script execution error has occurred. The script has no output in stdout and an error message in stderr. ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
ScriptProvider::CreateInstanceEnumAsync - Script Execution Returned :4294967295, Error Message:Get-WMIObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1 char:10
+ $Drive = Get-WMIObject -computername len4231 -namespace root\cimv2\security\micr ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
You cannot call a method on a null-valued expression.
At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2 char:1
+ $Drive.GetProtectionStatus().ProtectionStatus
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed in discovering instance. Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed to do HandleExecQueryAsync(). Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)
Failed to process CScriptProvider::GExecQueryAsync. Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM) ScriptProvider 3/6/2015 1:45:31 PM 1904 (0x0770)

On Fri, Mar 6, 2015 at 1:05 PM, Lindsay, Charles <[email protected]> wrote:

Sorry that I didn’t define that better… Yes, it’s with a script. I’m using a PowerShell script in our environment to handle identifying what’s encrypted and what isn’t, and the script is contained within a Configuration Item for evaluation. As long as the string returned by the script matches what the Configuration Item is looking for, the configuration item will report the item as compliant.

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Friday, March 06, 2015 1:41 PM
To: [email protected]
Subject: Re: [mssms] Compliance setting for Bitlocker Encryption Method

Thanks Charles.

I came across that method after posting, but if I understand correctly there is no way to invoke a method from a WQL query. I think I can set the compliance setting up to run a script though, instead of a WQL query, so that might be the way to get what I need.

On Fri, Mar 6, 2015 at 12:19 PM, Lindsay, Charles <[email protected]> wrote:

That particular WMI class contains the “GetEncryptionMethod” method, which will return a value representing the encryption method according to the list of values on https://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx. Use the instance in calling the method and that will give you the information that you’re looking for. For example…

PS C:\WINDOWS\system32> $drive = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume | WHERE {$_.DriveLetter -eq "C:"}
PS C:\WINDOWS\system32> $drive.GetEncryptionMethod()

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
EncryptionMethod : 1
ReturnValue      : 0
PSComputerName   :

PS C:\WINDOWS\system32>

[EncryptionMethod : 1] defines that the volume is encrypted using AES 128.

Thanks,

Charles Lindsay II
Network Analyst
Florida Department of Transportation, Enterprise Services - Technology Services and Support Office
11201 N. McKinley Drive, Tampa, FL 33612
Ph: (813) 975-6299
Email: [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Friday, March 06, 2015 1:01 PM
To: [email protected]
Subject: [mssms] Compliance setting for Bitlocker Encryption Method

I have a compliance setting configured to check whether the C drive on our laptops is bitlocker encrypted, based on a WQL query of Win32_EncryptableVolume in the root\cimv2\security\MicrosoftVolumeEncryption namespace. I'd like to be able to add a check for the Encryption Method as well (should be AES 256), but that wmi object doesn't seem to include this info. Anyone know how I could create a compliance setting to check the encryption method?


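A discovery script for the configuration item discussed in this thread, as an added example that is not from any of the posters: it queries locally without -computername (Daniel's fix for the 0x80070005 error), checks for a null instance before calling any method, and returns one string for the CI to match. The encryption-method code table follows the Win32_EncryptableVolume documentation Charles links; the 'Compliant' string, the C: drive letter and the set of accepted methods are assumptions.

```powershell
# Added example (not from the thread): SCCM configuration item discovery
# script returning one string for the CI to compare against 'Compliant'.
$DriveLetter = 'C:'

# EncryptionMethod codes per the Win32_EncryptableVolume documentation
# (6 and 7 are XTS modes that exist only on Windows 10 1511 and later).
$MethodNames = @{
    0 = 'NONE'; 1 = 'AES_128_WITH_DIFFUSER'; 2 = 'AES_256_WITH_DIFFUSER'
    3 = 'AES_128'; 4 = 'AES_256'; 5 = 'HARDWARE_ENCRYPTION'
    6 = 'XTS_AES_128'; 7 = 'XTS_AES_256'
}
$Accepted = @(2, 4, 7)   # the 256-bit AES variants (assumed policy)

try {
    # Local query only, no -ComputerName: the CCM client runs this as
    # LocalSystem, and a DCOM round trip to the machine itself is what
    # produced the 0x80070005 Access is denied in DCMWMIProvider.log.
    $Volume = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"
} catch {
    Write-Output "Error: $($_.Exception.Message)"; exit
}

# No instance means no BitLocker or no such drive; checking first avoids
# the "method on a null-valued expression" error seen in the log.
if ($null -eq $Volume) { Write-Output 'NonCompliant: volume not found'; exit }

$Protection = $Volume.GetProtectionStatus()   # ProtectionStatus 1 = on
if ($Protection.ReturnValue -ne 0 -or $Protection.ProtectionStatus -ne 1) {
    Write-Output 'NonCompliant: protection off'; exit
}

$Method = $Volume.GetEncryptionMethod()
if ($Method.ReturnValue -ne 0) {
    Write-Output "Error: GetEncryptionMethod returned $($Method.ReturnValue)"; exit
}

$Code = [int]$Method.EncryptionMethod
$Name = if ($MethodNames.ContainsKey($Code)) { $MethodNames[$Code] } else { "code $Code" }
if ($Accepted -contains $Code) {
    Write-Output 'Compliant'
} else {
    Write-Output "NonCompliant: $Name"
}
```

Set the CI rule to compare the script's string output with 'Compliant'; the NonCompliant and Error strings then show up verbatim in the compliance report, which tells you why a machine failed without opening DCMWMIProvider.log.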