Bitlocker SSD Vulnerability

Hey all, this is a super short and easy blog post. Recently we saw some chatter online about a BitLocker SSD vulnerability. You can read about it here. Many environments will have concerns about how to identify the affected systems and how to report on this topic for management. At my customer's site we leverage the compliance item created by my PFE @Brandon Linton. This compliance item is useful for inventorying BitLocker status and hard drive media type. You can read about the compliance item on his blog.

In my SQL query / SSRS report I'm reporting on more than just the BitLocker issue, but also a few other security features. I like to always be able to see what is encrypted vs. not, what is UEFI vs. BIOS, Secure Boot vs. not, etc.

SELECT DISTINCT
       VRS.NetBios_Name0 AS [System Name],
       VRS.AD_Site_Name0 AS [AD Site Name],
       CSD.Model00 AS [System Model],
       CASE OSD.Version00
            WHEN '6.1.7601'   THEN 'Windows 7'
            WHEN '10.0.10586' THEN '1511'
            WHEN '10.0.14393' THEN '1607'
            WHEN '10.0.15063' THEN '1703'
            WHEN '10.0.16299' THEN '1709'
            WHEN '10.0.17134' THEN '1803'
       END AS [Windows Version],
       CASE SMS_G_System_FIRMWARE.UEFI00
            WHEN '0' THEN 'Legacy'
            WHEN '1' THEN 'UEFI'
       END AS [UEFI Information],
       CASE SMS_G_System_FIRMWARE.SecureBoot00
            WHEN '0' THEN 'Off'
            WHEN '1' THEN 'Secure Boot'
       END AS [Secure Boot Status],
       CASE EV.ProtectionStatus00
            WHEN '0' THEN 'not encrypted'
            WHEN '1' THEN 'encrypted'
            WHEN '2' THEN 'Encrypted Requires Pin' -- note: Win32_EncryptableVolume documents 2 as "protection unknown" (e.g. a locked volume)
       END AS [Bitlocker Status],
       BLE.Bustype0 AS [Bus Type],
       BLE.disktype0 AS [Disk Type],
       BLE.EncryptionMethod0 AS [Encryption Method],
       CASE
            -- WHEN BLE.EncryptionMethod0 = 'None' THEN 'ENCRYPT NOW' -- not used: many systems have not reported encryption method data back yet
            WHEN EV.ProtectionStatus00 = '0' THEN 'Encrypt Now'
            WHEN BLE.EncryptionMethod0 IS NULL THEN 'Not Inventoried'
            WHEN BLE.EncryptionMethod0 IN ('Aes128', 'Aes256Diffuser', 'XtsAes128') THEN 'Not Vulnerable'
            -- an SSD whose BitLocker protection is delegated to the drive's own hardware encryption is the affected configuration
            WHEN BLE.disktype0 = 'SSD' AND BLE.EncryptionMethod0 = 'HardwareEncryption' THEN 'Vulnerable'
            ELSE 'Not Vulnerable'
       END AS [Vulnerable],
       CASE DG.VirtualizationBasedSecurityS0
            WHEN '0' THEN 'VBS Not Enabled'
            WHEN '1' THEN 'VBS is Enabled, but not running'
            WHEN '2' THEN 'VBS is enabled and running' -- Credential Guard running
       END AS [Credential Guard]
FROM   v_R_System_Valid AS VRS
       INNER JOIN Computer_System_DATA AS CSD ON CSD.MachineID = VRS.ResourceID
       INNER JOIN Firmware_DATA AS SMS_G_System_FIRMWARE ON SMS_G_System_FIRMWARE.MachineID = VRS.ResourceID
       INNER JOIN Operating_System_DATA AS OSD ON OSD.MachineID = VRS.ResourceID
       -- the join that defines the EV alias was lost from the original post; assumed here to be the
       -- Win32_EncryptableVolume inventory table, following the MachineID / ...00 naming of the other _DATA tables
       INNER JOIN Encryptable_Volume_DATA AS EV ON EV.MachineID = VRS.ResourceID
       LEFT JOIN v_FullCollectionMembership_Valid AS VCM ON VCM.ResourceID = VRS.ResourceID
       LEFT JOIN V_GS_BitLockerExtended AS BLE ON BLE.ResourceID = VRS.ResourceID
       LEFT JOIN v_GS_DEVICE_GUARD AS DG ON DG.ResourceID = VRS.ResourceID
WHERE  EV.DriveLetter00 = 'C:'
       -- AND CSD.Model00 NOT IN ('VMware Virtual Platform', 'Virtual Machine', 'VMware7,1')
       AND EV.ProtectionStatus00 IS NOT NULL
       AND SMS_G_System_FIRMWARE.SecureBoot00 IS NOT NULL
       AND DG.VirtualizationBasedSecurityS0 IS NOT NULL
       -- AND BLE.disktype0 = 'SSD'
       -- AND EV.ProtectionStatus00 = '0' -- not encrypted
       -- AND EV.ProtectionStatus00 = '1' -- encrypted
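The same classification the query applies to the C: volume, checked locally on a single machine with the built-in BitLocker and Storage modules (Windows 10 / Server 2016 and later). This is an added example, not part of the original post or of the compliance item it describes; it assumes PowerShell is running elevated and that the OS volume is C:.

```powershell
# Added example (not from the original post): classify one machine with the same rules the
# SSRS query uses. Assumes an elevated session (Get-BitLockerVolume needs admin) and OS volume C:.
function Get-BitLockerSsdExposure {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Map the volume to its physical disk to learn the media type (SSD / HDD / Unspecified)
    $diskNumber = (Get-Partition -DriveLetter $MountPoint.TrimEnd(':')).DiskNumber
    $disk = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$diskNumber" } | Select-Object -First 1

    # Same decision order as the query's [Vulnerable] column: not protected first, then
    # an SSD whose BitLocker protection is delegated to the drive's hardware encryption
    $verdict = if ($vol.ProtectionStatus -eq 'Off') { 'Encrypt Now' }
               elseif ($disk.MediaType -eq 'SSD' -and $vol.EncryptionMethod -eq 'Hardware') { 'Vulnerable' }
               else { 'Not Vulnerable' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # Off / On / Unknown
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes128, Aes256, Hardware, None
        BusType          = $disk.BusType           # e.g. SATA, NVMe
        DiskType         = $disk.MediaType         # SSD / HDD / Unspecified
        Vulnerable       = $verdict
    }
}

Get-BitLockerSsdExposure
```

The PowerShell enum spells the hardware case "Hardware", whereas the inventory class in the query reports it as "HardwareEncryption"; the machines both flag are the same.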

Example of Query Results:


Example of Reporting: Bitlocker SSD Vulnerability


I believe there is a CU that is coming out to remediate a few things. So this may be obsolete soon.

ALSO CHECK: Leverage Windows Analytics for Modern Ops 

Remediate unquoted service path vulnerability via compliance item.

I have now been to three different environments that have this vulnerability. In all three environments it was one of the top offenders by total count of findings. This is not necessarily a problem that will cause outages if left unpatched, but it does give malicious programs an opportunity to run. There are already published posts with great explanations of the vulnerability from CommonExploits and Tenable. The scope of this blog post is how to identify the vulnerability, how to manually remediate it, and how to auto-remediate it via a compliance item.


To identify unquoted service path vulnerabilities locally on your system: 
Launch an elevated PowerShell prompt and type the command below:

cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """'

Below we see that we do have 1 item that is vulnerable. 

This is what the ACAS scans are finding; however, the scan does not tell you where to correct it within the registry. To remediate this we will have to locate the service within the registry and add quotes to the path. I believe there is a way to configure reporting to be more verbose and include the registry location, but I am unfamiliar with the ACAS tool.

Manual Fix

1. Launch Regedit.exe as Admin.
2. Navigate to HKLM\System\CurrentControlSet\Services.
3. Search via Edit > Find and enter the vulnerable service name. For our example we will search for "AERTSr64".
4. Select the string value (the service's ImagePath) for the vulnerable service.
5. Add quotes around the value.


NOTE: there is no screenshot of this finding from the ACAS scans, as it has already been remediated.

Automated Fix via Compliance Item

We will create a compliance item to discover systems with the unquoted service path vulnerability and then remediate it.

Discovery Script 


$value = cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """'
# Any line left after the findstr filters is an auto-start service with an unquoted path.
# The body of the if was cut off in the post; this reconstruction (an assumption) outputs
# true/false in the same style as the Windows Update discovery script further down this page.
if ($value -like "* *") { Write-Output "false" } else { Write-Output "true" }

Remediation Script 

Option Explicit
Const HKLM = &H80000002
Dim objWMIService
Dim colServices, objService
Dim strComputer
Dim quote: quote = Chr(34)
Dim strPathName
Dim strCommand, strArgs, message
Dim bBatch: bBatch = False
Dim wshShell: Set wshShell = WScript.CreateObject("WScript.Shell")
Dim i, iCount, objReg
Dim bDebug: bDebug = False

'If not CScript, re-run with cscript...
If (Not IsCScript()) Then
    For i = WScript.Arguments.Count - 1 To 0 Step -1
        strArgs = WScript.Arguments(i) & Space(1) & strArgs
    Next
    wshShell.Run "CScript.exe " & quote & WScript.ScriptFullName & quote & Space(1) & strArgs, 1, True
    WScript.Quit    '...and stop running as WScript
End If

'A computer name may be passed as the only argument (batch mode); otherwise fix the local machine
If WScript.Arguments.Count = 1 Then
    bBatch = True
    strComputer = WScript.Arguments(0)
Else
    strComputer = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
End If
If strComputer = "" Then WScript.Quit
strComputer = UCase(strComputer)

Connect
Main

If Not bDebug Then
    WScript.Echo iCount & " Unquoted Service Path(s) were fixed on " & strComputer
End If

'-------------------- Functions and Subs --------------------
Sub Connect()
    'WMI connection
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        message = "Error reaching or connecting to " & strComputer
        If Not bBatch Then MsgBox message, vbCritical, "Failure"
        WScript.Echo message
        WScript.Quit
    End If
    On Error GoTo 0
End Sub

Sub Main()
    Dim iLastSlash, iProgEnd
    On Error Resume Next
    Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
    Set colServices = objWMIService.ExecQuery("SELECT Name,PathName,DisplayName FROM Win32_Service")
    iCount = 0
    For Each objService In colServices
        strCommand = ""
        strArgs = ""
        strPathName = objService.PathName
        'Some services report no path at all; nothing to fix there
        If Not IsNull(strPathName) Then
            'Parse the PathName, which is the command line: executable first, then any arguments
            'find the last backslash, i.e. the start of the executable's file name
            iLastSlash = InStrRev(strPathName, "\")
            'the first space after the file name separates the executable from its arguments
            iProgEnd = InStr(iLastSlash + 1, strPathName, Space(1))
            'iProgEnd will be zero if there are no arguments
            If iProgEnd > 1 Then
                strArgs = Trim(Mid(strPathName, iProgEnd))
                strCommand = Left(strPathName, iProgEnd - 1)
            Else
                strCommand = strPathName
            End If
            'unquoted, and the executable path itself contains a space: fix it
            If Left(strPathName, 1) <> quote And InStr(strCommand, Space(1)) > 0 Then
                WScript.Echo "Found " & objService.DisplayName & " Service with command line:" & _
                             vbCrLf & vbTab & objService.PathName
                FixService objService.Name, strCommand, strArgs
            End If
        End If
    Next
End Sub

Sub FixService(strSvsName, strCommand, strArgs)
    If bDebug Then Exit Sub
    'add a space only if there are arguments
    If Len(strArgs) > 0 Then strArgs = Space(1) & strArgs
    Dim strRegPath, strImagePath
    strRegPath = "SYSTEM\CurrentControlSet\Services\" & strSvsName
    strImagePath = quote & strCommand & quote & strArgs
    WScript.Echo "Setting Command line to " & strImagePath
    'ImagePath is REG_EXPAND_SZ, so write it back with the same type
    objReg.SetExpandedStringValue HKLM, strRegPath, "ImagePath", strImagePath
    iCount = iCount + 1
End Sub

Function IsCScript()
    If (InStr(UCase(WScript.FullName), "CSCRIPT") <> 0) Then
        IsCScript = True
    Else
        IsCScript = False
    End If
End Function
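The discovery and remediation steps above, done in one PowerShell script that reads each service's command line from WMI and quotes only the executable portion (the same edit the VBScript makes). This is an added example and not the post's compliance item; it assumes an elevated session, only recognises executables ending in .exe, and writes to HKLM only when -Remediate is given.

```powershell
# Added example (not from the original post): find services whose command line is unquoted and
# whose executable path contains a space, and optionally quote it. Assumes elevation; only
# paths ending in .exe are considered, so a service using another extension is not touched.
function Repair-UnquotedServicePath {
    [CmdletBinding()]
    param([switch]$Remediate)

    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { continue }
        # Split the command line into the executable (up to .exe) and everything after it.
        # Only an unquoted executable path with a space in it is the vulnerable case.
        $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
        if (-not $m.Success -or $m.Groups['exe'].Value -notmatch ' ') { continue }

        $fixed = '"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['args'].Value
        if ($Remediate) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            # ImagePath is REG_EXPAND_SZ; keep that type so %SystemRoot%-style values still expand
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        }
        [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; Before = $path; After = $fixed }
    }
}

# As a discovery script, emit a single value for the compliance rule; use -Remediate in the
# remediation script. Interactively, pipe the result to Format-Table to review the findings.
$findings = @(Repair-UnquotedServicePath)
if ($findings.Count -gt 0) { 'Non-Compliant' } else { 'Compliant' }
```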

At this point go ahead and deploy the configuration item you have just created. I would recommend performing this only against workstations, and only after serious testing.

Unfortunately I forgot to take a screenshot when I first deployed this compliance item, but I do have one from after half the systems had checked for policy.

After systems get policy, we are now looking at a very high remediation percentage.

NOTE: this will run on its own automatically, but you can also trigger it on an individual system by launching the Configuration Manager client > Configurations tab > select the compliance item > Evaluate.

This is what a successful report looks like for the configuration item.

The compliance item can be downloaded on Technet here.

I would like to thank Khalid Al Alul, and Ricky Richard for their time in working on this configuration item.

Start Windows Update Service Compliance item

I have seen some environments where they only monitor services but do not force them to restart. The logic in here can be used for any other service needed. This is especially helpful for the McAfee Framework Agent and the WDS service in the event the service has stopped. You are able to download a copy of the working compliance item at the bottom of this post.

First we will stop the service and verify in a number of ways that the service is not running.

1. Powershell

get-service -serviceName wuauserv

2. Launching Services.MSC & searching for Windows Update

3. WMI Explorer

Creating the configuration item

Discovery Script

If ((Get-Service -Name wuauserv).Status -eq "Running") { Write-Host "true" } Else { Write-Host "false" }

Remediation Script

get-service -name wuauserv | start-service

Compliance Setting

Create your own configuration baseline and associate it with the configuration we just created.
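The same discovery/remediation logic generalised to a list of services, as the post says the item can be reused for other services. This is an added example, not the downloadable compliance item; the service names to add (McAfee, WDS) are left for you to verify locally with Get-Service, and the remediation also handles a service whose startup type has been set to Disabled, which Start-Service alone cannot start.

```powershell
# Added example (not from the original post): discovery and remediation for any list of
# services. Assumed: you confirm the real service names on your systems before adding them.
$ServiceNames = @('wuauserv')   # add the McAfee / WDS service names after checking Get-Service

function Test-ServicesRunning {
    param([string[]]$Names)
    # Discovery: one 'true'/'false' like the post's script, but across every service in the list
    $stopped = Get-Service -Name $Names -ErrorAction SilentlyContinue |
               Where-Object { $_.Status -ne 'Running' }
    if ($stopped) { 'false' } else { 'true' }
}

function Start-ServicesIfStopped {
    param([string[]]$Names)
    foreach ($svc in Get-Service -Name $Names -ErrorAction SilentlyContinue) {
        if ($svc.Status -eq 'Running') { continue }
        # Start-Service fails on a Disabled service, so restore Automatic startup first
        if ($svc.StartType -eq 'Disabled') { Set-Service -Name $svc.Name -StartupType Automatic }
        Start-Service -Name $svc.Name
        # Block until the SCM reports Running so the evaluation that follows sees the new state
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
}

Start-ServicesIfStopped -Names $ServiceNames   # remediation script body
Test-ServicesRunning -Names $ServiceNames      # discovery script body
```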

On my test machine you can see from the earlier screenshots that WUAUServ was not running. This is reflected as "Not Compliant" in my evaluation.

Select Evaluate and after a refresh I see the system is now compliant meaning this service has been started.

You can track the compliance item in the log files below.
DCMAgent.log: Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
CIAgent.log: Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
CMReporting.log: Records information about reporting policy platform results into state messages for configuration items.
DcmWmiProvider.log: Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).

EXTRA: I love status messages so here is how you check that.

From SCCM Console search for your compliance Item and make sure you grab the CI Unique ID

Open up StateMessage.log and filter for the CI Unique ID shown below.


Please follow the link below to my TechNet page where you can download this compliance item.