mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
1f87644a23
* Initial cut of Win tables schema
* Add context
* Formatting fixes
* Add bitlocker_info
* Remove temp stuff
* Remove temp stuff redux
* Apply suggestions from code review

Co-authored-by: Guillaume Ross <guillaume@binaryfactory.ca>

* Update bitlocker_info.yml
* Edited for clarity

Co-authored-by: Guillaume Ross <guillaume@binaryfactory.ca>
35 lines
1.4 KiB
YAML
name: bitlocker_info
examples: >-
  Full Disk Encryption (FDE) reduces the risk of compromise when a device is lost or stolen. This query lists any system that does not have BitLocker enabled on its OS drive (typically `C:`).

  ```
  SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status != 1;
  ```
notes: >-
  * `protection_status` is quite nuanced - from the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/secprov/getprotectionstatus-win32-encryptablevolume#parameters):

  `protection_status = 0`

  For an Internal HD:
  The volume is unencrypted, partially encrypted, or the volume's encryption key is available in the clear on the hard disk.

  For an External HD:
  The band for the volume is perpetually unlocked, has no key manager, or is managed by a third party key manager.
  This can also mean that the band is managed by BitLocker but the DisableKeyProtectors method has been called and the drive is suspended.

  `protection_status = 1`

  For an Internal HD:
  The volume is fully encrypted and the encryption key for the volume is not available in the clear on the hard disk.

  For an External HD:
  BitLocker is the key manager for the band. The drive can be locked or unlocked but cannot be perpetually unlocked.

  `protection_status = 2`

  The volume protection status cannot be determined. This can be caused by the volume being in a locked state.
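The following is an added example, not code from the Fleet repository or from this schema file. It applies the same `drive_letter='C:'` and `protection_status != 1` logic as the query above to constructed `bitlocker_info` rows, but separates the `0` (unencrypted or suspended) and `2` (cannot be determined) cases the notes describe, and surfaces hosts that return no `C:` row at all, which the SQL query never lists because there is no row to match. The `Row` class, the hostnames and the sample rows are assumptions made for the demonstration.

```python
# Added example, not part of Fleet or of bitlocker_info.yml. Classifies per-host
# bitlocker_info rows with the query's `protection_status != 1` rule, while keeping
# status 0 and status 2 apart and flagging hosts with no C: row (which the SQL
# query would silently omit).
from dataclasses import dataclass

# Meaning of protection_status per the Microsoft documentation quoted in the notes.
PROTECTED = 1      # fully encrypted, encryption key not available in the clear
UNPROTECTED = 0    # unencrypted, partially encrypted, key in the clear, or suspended
UNKNOWN = 2        # status cannot be determined, e.g. the volume is locked


@dataclass(frozen=True)
class Row:
    """One bitlocker_info row; only the two columns the query uses are modelled (assumption)."""
    drive_letter: str
    protection_status: int


def classify_host(rows, os_drive="C:"):
    """Return 'compliant', 'non_compliant', 'undetermined' or 'no_data' for one host."""
    os_rows = [r for r in rows if r.drive_letter.upper() == os_drive.upper()]
    if not os_rows:
        # No row for the OS drive: the WHERE clause cannot match, so the query returns
        # nothing for this host. Treat absence as a finding rather than as protection.
        return "no_data"
    status = os_rows[0].protection_status
    if status == PROTECTED:
        return "compliant"
    if status == UNKNOWN:
        # Locked volume or otherwise undeterminable: re-check rather than remediate.
        return "undetermined"
    return "non_compliant"


def findings(fleet):
    """fleet: dict hostname -> list[Row]. Returns hostnames grouped by verdict."""
    out = {"compliant": [], "non_compliant": [], "undetermined": [], "no_data": []}
    for host, rows in fleet.items():
        out[classify_host(rows)].append(host)
    return out


# Constructed sample data, not real query output.
SAMPLE = {
    "laptop-01": [Row("C:", 1), Row("D:", 0)],   # OS drive protected, data drive not
    "laptop-02": [Row("C:", 0)],                 # OS drive unencrypted or suspended
    "laptop-03": [Row("C:", 2)],                 # protection status cannot be determined
    "desktop-04": [],                            # table returned no rows at all
}

if __name__ == "__main__":
    for verdict, hosts in findings(SAMPLE).items():
        print(f"{verdict}: {hosts}")
```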