Bitlocker SSD Vulnerability


Hey all, this is a super short and easy blog post. Recently we saw some chatter online about a BitLocker SSD vulnerability. You can read about it here. Many environments will have concerns about how to identify these systems and how to report on this topic for management. At my customer's site we leverage the compliance item created by my PFE @Brandon Linton. This compliance item is useful for inventorying BitLocker status and hard drive media type. You can read about the compliance item on his blog.

In my SQL query / SSRS report I'm reporting on more than just the BitLocker issue, but also a few other security features. I like to always be able to see what is encrypted vs. not, what is UEFI vs. BIOS, Secure Boot vs. not, etc.

SELECT DISTINCT
       VRS.NetBios_Name0 AS [System Name],
       VRS.AD_Site_Name0 AS [AD Site Name],
       CSD.Model00 AS [System Model],
       CASE OSD.Version00
            WHEN '6.1.7601'   THEN 'Windows 7'
            WHEN '10.0.10586' THEN '1511'
            WHEN '10.0.14393' THEN '1607'
            WHEN '10.0.15063' THEN '1703'
            WHEN '10.0.16299' THEN '1709'
            WHEN '10.0.17134' THEN '1803'
            ELSE OSD.Version00 -- show the raw build string for anything not mapped above
       END AS [Windows Version],
       CASE SMS_G_System_FIRMWARE.UEFI00
            WHEN '0' THEN 'Legacy'
            WHEN '1' THEN 'UEFI'
       END AS [UEFI Information],
       CASE SMS_G_System_FIRMWARE.SecureBoot00
            WHEN '0' THEN 'Off'
            WHEN '1' THEN 'Secure Boot'
       END AS [Secure Boot Status],
       CASE EV.ProtectionStatus00
            WHEN '0' THEN 'not encrypted'
            WHEN '1' THEN 'encrypted'
            WHEN '2' THEN 'Encrypted Requires Pin'
       END AS [Bitlocker Status],
       BLE.Bustype0 AS [Bus Type],
       BLE.disktype0 AS [Disk Type],
       BLE.EncryptionMethod0 AS [Encryption Method],
       CASE
            -- WHEN BLE.EncryptionMethod0 = 'None' THEN 'ENCRYPT NOW' -- did not use this b/c many systems had not reported encryption method data back
            WHEN EV.ProtectionStatus00 = '0' THEN 'Encrypt Now'
            WHEN BLE.EncryptionMethod0 = 'Aes128' THEN 'Not Vulnerable'
            WHEN BLE.EncryptionMethod0 = 'Aes256Diffuser' THEN 'Not Vulnerable'
            WHEN BLE.EncryptionMethod0 IS NULL THEN 'Not Inventoried'
            WHEN BLE.EncryptionMethod0 = 'XtsAes128' THEN 'Not Vulnerable'
            -- the vulnerable combination: BitLocker deferring to the SSD's own hardware encryption
            WHEN BLE.disktype0 = 'SSD' AND BLE.EncryptionMethod0 = 'HardwareEncryption' THEN 'Vulnerable'
            ELSE 'Not Vulnerable'
       END AS [Vulnerable],
       CASE
            WHEN dg.VirtualizationBasedSecurityS0 = '0' THEN 'VBS Not Enabled'
            WHEN dg.VirtualizationBasedSecurityS0 = '1' THEN 'VBS is Enabled, but not running'
            WHEN dg.VirtualizationBasedSecurityS0 = '2' THEN 'VBS is enabled and running' -- Credential Guard running
       END AS [Credential Guard]
FROM   v_R_System_Valid AS VRS
       INNER JOIN Computer_System_DATA AS CSD ON CSD.MachineID = VRS.ResourceID
       INNER JOIN Firmware_DATA AS SMS_G_System_FIRMWARE ON SMS_G_System_FIRMWARE.MachineID = VRS.ResourceID
       INNER JOIN Operating_System_DATA AS OSD ON OSD.MachineID = VRS.ResourceID
       -- The join that defines EV was missing from the original post; the raw
       -- Encryptable_Volume_DATA table is assumed here, following the other *_DATA joins above
       INNER JOIN Encryptable_Volume_DATA AS EV ON EV.MachineID = VRS.ResourceID
       LEFT JOIN v_FullCollectionMembership_Valid AS VCM ON VRS.ResourceID = VCM.ResourceID
       LEFT JOIN v_GS_BitLockerExtended AS BLE ON BLE.ResourceID = VRS.ResourceID
       LEFT JOIN v_GS_DEVICE_GUARD AS DG ON DG.ResourceID = VRS.ResourceID
WHERE  EV.DriveLetter00 = 'C:'
       -- AND CSD.Model00 NOT IN ('VMware Virtual Platform', 'Virtual Machine', 'VMware7,1')
       AND EV.ProtectionStatus00 IS NOT NULL
       AND SMS_G_System_FIRMWARE.SecureBoot00 IS NOT NULL
       AND dg.VirtualizationBasedSecurityS0 IS NOT NULL
       -- AND BLE.disktype0 = 'SSD'
       -- AND EV.ProtectionStatus00 = '0' -- not encrypted
       -- AND EV.ProtectionStatus00 = '1' -- encrypted

Example of Query Results:


Example of Reporting: Bitlocker SSD Vulnerability


I believe there is a CU that is coming out to remediate a few things. So this may be obsolete soon.

ALSO CHECK: Leverage Windows Analytics for Modern Ops 

Collection Schedule Query


SCCM Collection Schedule Queries.

There is no readable output of the SCCM collection schedule for us to understand. What is produced is a 16-character string. If you really want to find out what this translates to, you have to look into the SDK for the translation. Also, there really are not any good existing reports/queries out there to cover this information via SQL. This is the query I came up with for my customer's environment when trying to evaluate their SCCM collection evaluation problems. I will do another blog post with the SQL queries to identify a number of other items, including orphaned collections, SCCM collection update types, etc. There is a screenshot at the bottom of this post to give a preview of the information.

Let’s show an example.

The schedule string produced, "29B66B4000100200", is not readable. You have to look up this information in the SDK to start to get an understanding.

The first 7 hex digits translate to the effective schedule date, for example: Effective 6/22/2015 1:10pm
The last 9 hex digits translate to the actual schedule that is performed, for example: Every 2 hours



The code:



SELECT
    CG.SiteID AS [Collection ID],
    CASE VC.CollectionType
        WHEN 0 THEN 'Other'
        WHEN 1 THEN 'User'
        WHEN 2 THEN 'Device'
        ELSE 'Unknown'
    END AS CollectionType,
    CG.Schedule,
    -- Only the trailing 9 hex digits (the recurrence part) are matched; the leading 7 are the start time
    CASE
        WHEN CG.Schedule LIKE '%000102000' THEN 'Every 1 minute'
        WHEN CG.Schedule LIKE '%00010A000' THEN 'Every 5 mins'
        WHEN CG.Schedule LIKE '%000114000' THEN 'Every 10 mins'
        WHEN CG.Schedule LIKE '%00011E000' THEN 'Every 15 mins'
        WHEN CG.Schedule LIKE '%000128000' THEN 'Every 20 mins'
        WHEN CG.Schedule LIKE '%000132000' THEN 'Every 25 mins'
        WHEN CG.Schedule LIKE '%00013C000' THEN 'Every 30 mins'
        WHEN CG.Schedule LIKE '%000150000' THEN 'Every 40 mins'
        WHEN CG.Schedule LIKE '%00015A000' THEN 'Every 45 mins'
        WHEN CG.Schedule LIKE '%000100100' THEN 'Every 1 hour'
        WHEN CG.Schedule LIKE '%000100200' THEN 'Every 2 hours'
        WHEN CG.Schedule LIKE '%000100300' THEN 'Every 3 hours'
        WHEN CG.Schedule LIKE '%000100400' THEN 'Every 4 hours'
        WHEN CG.Schedule LIKE '%000100500' THEN 'Every 5 hours'
        WHEN CG.Schedule LIKE '%000100600' THEN 'Every 6 hours'
        WHEN CG.Schedule LIKE '%000100700' THEN 'Every 7 hours'
        WHEN CG.Schedule LIKE '%000100B00' THEN 'Every 11 Hours'
        WHEN CG.Schedule LIKE '%000100C00' THEN 'Every 12 Hours'
        WHEN CG.Schedule LIKE '%000101000' THEN 'Every 16 Hours'
        WHEN CG.Schedule LIKE '%000100008' THEN 'Every 1 days'
        WHEN CG.Schedule LIKE '%000100010' THEN 'Every 2 days'
        WHEN CG.Schedule LIKE '%000100028' THEN 'Every 5 days'
        WHEN CG.Schedule LIKE '%000100038' THEN 'Every 7 Days'
        WHEN CG.Schedule LIKE '%000192000' THEN '1 week'
        WHEN CG.Schedule LIKE '%000080000' THEN 'Update Once'
        -- the value compared against was lost from the original post; an empty or NULL schedule is assumed to mean no schedule
        WHEN CG.Schedule IS NULL OR CG.Schedule = '' THEN 'Manual'
    END AS [Update Schedule],
    CASE VC.RefreshType
        WHEN 1 THEN 'Manual'
        WHEN 2 THEN 'Scheduled'
        WHEN 4 THEN 'Incremental'
        WHEN 6 THEN 'Scheduled and Incremental'
        ELSE 'Unknown'
    END AS RefreshType
FROM dbo.collections_g CG
    LEFT JOIN v_collections VC ON VC.SiteID = CG.SiteID
-- WHERE CG.CollectionName LIKE '%minutes'
ORDER BY CG.Schedule DESC

The results of the query:



NOTE: I did not put a CASE WHEN branch in for every possible outcome, only the ones that exist in my customer's environment. If you want to look up what schedule is used for a specific SCCM collection, modify the WHERE clause to cite that specific SCCM collection name.
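Rather than matching each trailing-9-digit pattern by hand, the token can be decoded from its bits, which also covers intervals the CASE above does not list. This Python decoder is an added example and not part of the original post; the bit layout it assumes (start time in the leading 26 bits, a 3-bit schedule type, then minute/hour/day spans for interval schedules) is the ConfigMgr SDK schedule-token layout as I understand it, cross-checked against the example token "29B66B4000100200" and the LIKE patterns in the query; the duration and GMT bits are left undecoded.

```python
from datetime import datetime

# Schedule-type codes stored in bits 42-44 of the token (assumed SDK layout).
TYPE_NAMES = {1: "NonRecurring", 2: "RecurInterval", 3: "RecurWeekly",
              4: "RecurMonthlyByWeekday", 5: "RecurMonthlyByDate"}


def _bits(value, start, length):
    """Extract `length` bits from a 64-bit value; `start` is 0-based from the MSB."""
    return (value >> (64 - start - length)) & ((1 << length) - 1)


def decode_schedule(token):
    """Decode a 16-hex-digit ConfigMgr schedule token into its fields."""
    if len(token) != 16:
        raise ValueError("schedule token must be 16 hex digits")
    v = int(token, 16)  # raises ValueError on non-hex input
    # Bits 0-25 hold the effective start time; the year is an offset from 1970.
    start = datetime(1970 + _bits(v, 20, 6), _bits(v, 16, 4), _bits(v, 11, 5),
                     _bits(v, 6, 5), _bits(v, 0, 6))
    stype = _bits(v, 42, 3)
    result = {"start": start, "type": TYPE_NAMES.get(stype, f"Unknown({stype})")}
    if stype == 2:  # recur interval: minute/hour/day spans follow the type bits
        result.update(minute_span=_bits(v, 45, 6), hour_span=_bits(v, 51, 5),
                      day_span=_bits(v, 56, 5))
    return result


def describe(token):
    """Render a token the way the post's CASE expression does, for any interval."""
    d = decode_schedule(token)
    s = d["start"]
    when = f"Effective {s.month}/{s.day}/{s.year} {s.strftime('%I:%M %p').lstrip('0')}"
    if d["type"] == "NonRecurring":
        return f"{when}: Update Once"
    if d["type"] == "RecurInterval":
        spans = [(d["day_span"], "days"), (d["hour_span"], "hours"), (d["minute_span"], "minutes")]
        return f"{when}: Every " + " ".join(f"{n} {unit}" for n, unit in spans if n)
    return f"{when}: {d['type']}"


if __name__ == "__main__":
    print(describe("29B66B4000100200"))  # the token from the post
```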

Here is the SSRS report:

I plan on in the near future releasing a revised version where you can see update times over the last 7 days included.




Successfully added DaRT to boot image….or did it?

Successfully added DaRT to boot image... or did it? Here is how to identify the problem and a link to fix it!
I was recently onsite with a customer where the proposed design document included MDOP DaRT integration into the boot images. DaRT is a great tool to have because it gives the engineer the ability to remotely connect to the machine while it is still in the WinPE environment. This particular customer is undergoing a massive and understaffed Windows 10 migration where every bit of efficiency really makes a difference on deployment nights.
First, a quick review of installing MDOP DaRT, enabling monitoring, and creating the boot image.
  1.  Install MDOP DaRT on the primary site server
  2.  Copy the Toolsx86/Toolsx64 cab files into the proper directories in the MDT deployment share
  3.  Enable monitoring on the deployment share
Deployment share: \\SERVER\D$\DeploymentShare
Ports: 9800 (event port), 9801 (data port)

Connect to the deployment share > right-click "Monitoring" > navigate to the Monitoring tab and fill in the check box.

Once this is enabled you will start to see systems in this view as they image.
If you are in an environment that is not really using the MDT deployment share, you would still open the MDT toolkit and modify CustomSettings.ini. This customer is heavily utilizing the MDT deployment share with all the settings applied, so we can open the "Rules" tab and see that the setting is automatically applied after we enabled monitoring. The great part about using the deployment share in this scenario is that we can make constant on-demand changes and not have to worry about hash mismatch errors, as we would if we were working within the MDT toolkit package.
We are now able to make our DaRT-integrated boot image from the console on our primary site server. Begin by selecting "Create Boot Image using MDT" and make sure to select the following optional components: "MDAC/ADO Support" and "DaRT".
From this point we distributed the boot image, enabled it for PXE deployment, added drivers, and attached it to a task sequence. In the screenshot below you will notice we are missing something: we do not have the "DaRT Remote Control" option that we should have.


NOTE: Sometimes when the boot image is "successfully" created it does not actually add the DaRT tool. I was able to verify this to be a LIE by looking into PEManager.log located in my temp folder.


When we look at the command that was run, by opening RunCMD.CMD, we see that WinPE-MDAC_EN-US.CAB is the only package that was even attempted to be added.
You can investigate further by opening up DISM GUI and searching for any trace of DaRT in the boot image. As you can see, DaRT was never even attempted to be installed into the WIM.
Manually modify the boot image to include DaRT functionality by using the script below.
HOW TO FIX IT: Johan Arwidmark has a script available online that I have used to inject DaRT into a newly created WIM.


Once we ran the script created by Johan and injected the drivers, I was able to start using the DaRT tools.
After the USMT toolkit is called and the Gather step starts to run, a box will appear minimized at the bottom left of the system being imaged. This is your indicator that you can now use DaRT functionality.


From the Monitoring node in the Deployment Workbench, right-click the computer we are trying to troubleshoot > select Properties > select DaRT Remote Control.
Do not always take the console UI at face value; always verify with log files. On some occasions the console indicates something was done correctly, but you need to check the logs. If this happens then you need to go old school and use the tried-and-true methods. If you run into a problem, always do a quick search because the Deployment Research guys might already have a workaround.
To vote for this to be fixed from SCCM team please visit the link below.