Bitlocker SSD Vulnerability


Hey all, this is a super short and easy blog post. Recently we saw some chatter online about a BitLocker SSD vulnerability. You can read about it here. Many environments will have concerns about how to identify the affected systems and how to report on this topic for management. At my customer's site we leverage the Compliance Item created by my PFE @Brandon Linton. This Compliance Item is useful for inventorying BitLocker status and hard drive media type. You can read about the Compliance Item on his blog.

In my SQL query / SSRS report I'm reporting on more than just the BitLocker issue, but also a few other security features. I like to always be able to see what is encrypted vs. not, what is UEFI vs. BIOS, Secure Boot vs. not, etc.

SELECT DISTINCT
    VRS.NetBios_Name0 AS [System Name],
    VRS.AD_Site_Name0 AS [AD Site Name],
    CSD.Model00 AS [System Model],
    CASE OSD.Version00
        WHEN '6.1.7601'   THEN 'Windows 7'
        WHEN '10.0.10586' THEN '1511'
        WHEN '10.0.14393' THEN '1607'
        WHEN '10.0.15063' THEN '1703'
        WHEN '10.0.16299' THEN '1709'
        WHEN '10.0.17134' THEN '1803'
        ELSE OSD.Version00 -- show the raw build for versions not mapped above instead of a blank cell
    END AS [Windows Version],
    CASE SMS_G_System_FIRMWARE.UEFI00
        WHEN '0' THEN 'Legacy'
        WHEN '1' THEN 'UEFI'
    END AS [UEFI Information],
    CASE SMS_G_System_FIRMWARE.SecureBoot00
        WHEN '0' THEN 'Off'
        WHEN '1' THEN 'Secure Boot'
    END AS [Secure Boot Status],
    CASE EV.ProtectionStatus00
        WHEN '0' THEN 'not encrypted'
        WHEN '1' THEN 'encrypted'
        WHEN '2' THEN 'Encrypted Requires Pin'
    END AS [Bitlocker Status],
    BLE.VolumeStatus0,
    BLE.Bustype0,
    BLE.disktype0 AS [Disk Type],
    BLE.DiskSize0,
    BLE.EncryptionMethod0 AS [Encryption Method],
    CASE
        -- WHEN BLE.EncryptionMethod0 = 'None' THEN 'ENCRYPT NOW' -- not used: many systems have not reported encryption method data back
        WHEN EV.ProtectionStatus00 = '0' THEN 'Encrypt Now'
        WHEN BLE.EncryptionMethod0 = 'Aes128' THEN 'Not Vulnerable'
        WHEN BLE.EncryptionMethod0 = 'Aes256Diffuser' THEN 'Not Vulnerable'
        WHEN BLE.EncryptionMethod0 IS NULL THEN 'Not Inventoried'
        WHEN BLE.EncryptionMethod0 = 'XtsAes128' THEN 'Not Vulnerable'
        -- only hardware (self-encrypting drive) encryption on an SSD is flagged; software encryption methods are not affected
        WHEN BLE.disktype0 = 'SSD' AND BLE.EncryptionMethod0 = 'HardwareEncryption' THEN 'Vulnerable'
        ELSE 'Not Vulnerable'
    END AS [Vulnerable],
    CASE
        WHEN dg.VirtualizationBasedSecurityS0 = '0' THEN 'VBS Not Enabled'
        WHEN dg.VirtualizationBasedSecurityS0 = '1' THEN 'VBS is Enabled, but not running'
        WHEN dg.VirtualizationBasedSecurityS0 = '2' THEN 'VBS is enabled and running' -- Credential Guard running
    END AS [Credential Guard]
FROM
    v_R_System_Valid AS VRS
    INNER JOIN Computer_System_DATA AS CSD ON CSD.MachineID = VRS.ResourceID
    INNER JOIN Firmware_DATA AS SMS_G_System_FIRMWARE ON SMS_G_System_FIRMWARE.MachineID = VRS.ResourceID
    INNER JOIN Operating_System_DATA AS OSD ON OSD.MachineID = VRS.ResourceID
    INNER JOIN ENCRYPTABLE_VOLUME_DATA AS EV ON EV.MachineID = VRS.ResourceID
    -- VCM is not referenced in the output; it yields one row per collection membership, which is why DISTINCT is needed above
    LEFT JOIN v_FullCollectionMembership_Valid AS VCM ON VRS.ResourceID = VCM.ResourceID
    LEFT JOIN V_GS_BitLockerExtended AS BLE ON BLE.ResourceID = VRS.ResourceID
    LEFT JOIN v_GS_DEVICE_GUARD AS DG ON DG.ResourceID = VRS.ResourceID
WHERE
    EV.DriveLetter00 = 'C:'
    -- AND CSD.Model00 NOT IN ('VMware Virtual Platform', 'Virtual Machine', 'VMware7,1')
    AND EV.ProtectionStatus00 IS NOT NULL
    AND SMS_G_System_FIRMWARE.SecureBoot00 IS NOT NULL
    AND dg.VirtualizationBasedSecurityS0 IS NOT NULL
    -- AND BLE.disktype0 = 'SSD'
    -- AND EV.ProtectionStatus00 = '0' -- not encrypted
    -- AND EV.ProtectionStatus00 = '1' -- encrypted

Example of Query Results:

Example of Reporting: Bitlocker SSD Vulnerability

I believe there is a CU coming out that remediates a few of these things, so this may be obsolete soon.
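To turn the per-system Vulnerable / Not Vulnerable classification above into the kind of summary management asks for, here is an added example (not from the original post) that counts systems per AD site and classification. It assumes the same ConfigMgr inventory views and columns the report query uses, and keeps the same classification rules.

```sql
-- Added example, not part of the original post: roll the per-system
-- classification up per AD site for a management summary.
-- Assumes the same ConfigMgr inventory views and columns the report query uses.
WITH Classified AS (
    SELECT DISTINCT
        VRS.ResourceID,
        VRS.AD_Site_Name0 AS [AD Site Name],
        CASE
            WHEN EV.ProtectionStatus00 = '0' THEN 'Encrypt Now'
            WHEN BLE.EncryptionMethod0 IS NULL THEN 'Not Inventoried'
            -- hardware (self-encrypting drive) encryption on an SSD is the affected combination
            WHEN BLE.disktype0 = 'SSD' AND BLE.EncryptionMethod0 = 'HardwareEncryption' THEN 'Vulnerable'
            ELSE 'Not Vulnerable' -- software methods (Aes128, XtsAes128, ...) are not affected
        END AS Classification
    FROM v_R_System_Valid AS VRS
    INNER JOIN ENCRYPTABLE_VOLUME_DATA AS EV ON EV.MachineID = VRS.ResourceID
    LEFT JOIN V_GS_BitLockerExtended AS BLE ON BLE.ResourceID = VRS.ResourceID
    WHERE EV.DriveLetter00 = 'C:'
      AND EV.ProtectionStatus00 IS NOT NULL
)
SELECT
    [AD Site Name],
    Classification,
    COUNT(*) AS Systems,
    -- share of the site's systems that fall in this bucket
    CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER (PARTITION BY [AD Site Name]) AS DECIMAL(5, 1)) AS [Pct of Site]
FROM Classified
GROUP BY [AD Site Name], Classification
ORDER BY
    [AD Site Name],
    -- put the buckets that need action at the top of each site
    CASE Classification
        WHEN 'Vulnerable' THEN 0
        WHEN 'Encrypt Now' THEN 1
        WHEN 'Not Inventoried' THEN 2
        ELSE 3
    END;
```

Like the report query, this joins the C: volume's protection status to every inventoried BitLocker volume row, so a system with several inventoried drives can land in more than one bucket.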


1 reply

Michael says:

Great post, thanks.
However, I can't see the WMI class related to VBS and Credential Guard on my 1803 computer. Is it a custom class or something added to a later version of Windows 10?
