Doh!  Thanks, that's what I get for testing it manually and then copying
and pasting as is...

On Fri, Mar 6, 2015 at 2:41 PM, Daniel Ratliff <[email protected]> wrote:

>  Remove the -computername parameter.
>
>
>
> *Daniel Ratliff*
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Friday, March 6, 2015 3:19 PM
> *To:* [email protected]
> *Subject:* Re: [mssms] Compliance setting for Bitlocker Encryption Method
>
>
>
> I changed my compliance setting from using a WQL query to using a script,
> and added another setting to check the encryption method.  It looks like
> there's a permission issue of some sort though.  The DCMWMIProvider.log is
> showing an access denied error:
>
>
>
>     In-line script returned error output: Get-WMIObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
> At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1 char:10
> + $Drive = Get-WMIObject -computername len4231 -namespace root\cimv2\security\micr ...
> +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
>     + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
>
> You cannot call a method on a null-valued expression.
> At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2 char:1
> + $Drive.GetProtectionStatus().ProtectionStatus
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
>     + FullyQualifiedErrorId : InvokeMethodOnNull
>
>             ScriptProvider 3/6/2015 1:45:31 PM  1904 (0x0770)
>
> A script execution error has occurred. The script has no output in stdout and an error message in stderr.            ScriptProvider 3/6/2015 1:45:31 PM  1904 (0x0770)
>
> ScriptProvider::CreateInstanceEnumAsync - Script Execution Returned :4294967295, Error Message:Get-WMIObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
> At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:1 char:10
> + $Drive = Get-WMIObject -computername len4231 -namespace root\cimv2\security\micr ...
> +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
>     + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
>
> You cannot call a method on a null-valued expression.
> At C:\WINDOWS\CCM\SystemTemp\f183aa1e-d7b7-422e-9daf-321a2de17920.ps1:2 char:1
> + $Drive.GetProtectionStatus().ProtectionStatus
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
>     + FullyQualifiedErrorId : InvokeMethodOnNull
>
>             ScriptProvider 3/6/2015 1:45:31 PM  1904 (0x0770)
>
> Failed in discovering instance.
> Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM)   ScriptProvider 3/6/2015 1:45:31 PM     1904 (0x0770)
>
> Failed to do HandleExecQueryAsync().
> Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM)   ScriptProvider 3/6/2015 1:45:31 PM     1904 (0x0770)
>
> Failed to process CScriptProvider::GExecQueryAsync.
> Application requirement evaluation or detection failed (Error: 87D00329; Source: CCM)   ScriptProvider 3/6/2015 1:45:31 PM     1904 (0x0770)
>
>
>
>
>
> On Fri, Mar 6, 2015 at 1:05 PM, Lindsay, Charles <
> [email protected]> wrote:
>
> Sorry that I didn’t define that better…
>
>
>
> Yes, it’s with a script.  I’m using a PowerShell script in our environment
> to handle identifying what’s encrypted and what isn’t and the script is
> contained within a Configuration Item for evaluation.  As long as the
> string returned by the script matches what the Configuration Item is
> looking for, then the configuration item will report the item as compliant.
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Friday, March 06, 2015 1:41 PM
> *To:* [email protected]
> *Subject:* Re: [mssms] Compliance setting for Bitlocker Encryption Method
>
>
>
> Thanks Charles.  I came across that method after posting, but if I
> understand correctly there is no way to invoke a method from a WQL query.
> I think I can set the compliance setting up to run a script though, instead
> of a WQL query, so that might be the way to get what I need.
>
>
>
> On Fri, Mar 6, 2015 at 12:19 PM, Lindsay, Charles <
> [email protected]> wrote:
>
>  That particular WMI class contains the “GetEncryptionMethod” method, which
> will return a value representing the encryption method according to the list
> of values on
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa376434(v=vs.85).aspx
>
>
>
> Use the instance in calling the method and that will give you the
> information that you’re looking for.  For example…
>
>
>
>
>
> PS C:\WINDOWS\system32> $drive = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume | WHERE {$_.DriveLetter -eq "C:"}
>
> PS C:\WINDOWS\system32> $drive.GetEncryptionMethod()
>
> __GENUS          : 2
> __CLASS          : __PARAMETERS
> __SUPERCLASS     :
> __DYNASTY        : __PARAMETERS
> __RELPATH        :
> __PROPERTY_COUNT : 2
> __DERIVATION     : {}
> __SERVER         :
> __NAMESPACE      :
> __PATH           :
> EncryptionMethod : 1
> ReturnValue      : 0
> PSComputerName   :
>
> PS C:\WINDOWS\system32>
>
>
>
>
>
> [EncryptionMethod : 1] defines that the volume is encrypted using AES 128.
>
>
>
> Thanks,
>
> Charles Lindsay II
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Friday, March 06, 2015 1:01 PM
> *To:* [email protected]
> *Subject:* [mssms] Compliance setting for Bitlocker Encryption Method
>
>
>
> I have a compliance setting configured to check whether the C drive on
> our laptops is BitLocker encrypted, based on a WQL query of
> Win32_EncryptableVolume in the
> root\cimv2\security\MicrosoftVolumeEncryption namespace.  I'd like to be
> able to add a check for the Encryption Method as well (should be AES 256),
> but that WMI object doesn't seem to include this info.
>
>
>
>
>
> Anyone know how I could create a compliance setting to check the
> encryption method?
>
>
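
Added example, not part of the original thread: one way to write the Configuration Item script discussed above so that it runs locally (no -ComputerName), checks both protection status and encryption method, and always writes a string to stdout so the evaluation does not fail with "no output in stdout". The "Compliant" return string, the accepted-method list and the variable names are assumptions; the numeric codes follow the Microsoft documentation for GetEncryptionMethod linked in the thread.

```powershell
# Added example for a ConfigMgr Configuration Item script setting (not from the thread).
# Assumption: the compliance rule compares the output against the string "Compliant".
$ErrorActionPreference = 'Stop'   # turn WMI errors (e.g. access denied) into catchable exceptions

# EncryptionMethod codes documented for Win32_EncryptableVolume.GetEncryptionMethod
$MethodNames = @{
    0 = 'None'
    1 = 'AES 128 with Diffuser'
    2 = 'AES 256 with Diffuser'
    3 = 'AES 128'
    4 = 'AES 256'
    5 = 'Hardware encryption'
    6 = 'XTS-AES 128'
    7 = 'XTS-AES 256'
}
# Assumption: which codes satisfy an "AES 256" policy; adjust to your standard.
$AcceptedMethods = @(4, 7)

try {
    # Local query only: the script already runs on the client being evaluated.
    $Drive = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                 -Class Win32_EncryptableVolume |
             Where-Object { $_.DriveLetter -eq $env:SystemDrive }

    if (-not $Drive) {
        "NonCompliant: no encryptable volume found for $env:SystemDrive"
        return
    }

    $Status = $Drive.GetProtectionStatus()
    $Method = $Drive.GetEncryptionMethod()
    if ($Status.ReturnValue -ne 0 -or $Method.ReturnValue -ne 0) {
        'NonCompliant: WMI method call failed'
        return
    }

    # WMI returns UInt32; cast so the hashtable lookup matches the Int32 keys.
    $Id   = [int]$Method.EncryptionMethod
    $Name = $MethodNames[$Id]
    if (-not $Name) { $Name = "Unknown ($Id)" }

    # ProtectionStatus 1 means protection is on (0 = off, 2 = unknown).
    if ($Status.ProtectionStatus -eq 1 -and $AcceptedMethods -contains $Id) {
        'Compliant'
    } else {
        "NonCompliant: ProtectionStatus=$($Status.ProtectionStatus); Method=$Name"
    }
} catch {
    "NonCompliant: $($_.Exception.Message)"
}
```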


