fleet/schema/tables/bitlocker_info.yml
Eric 02437a098e
Schema: change default block scalar used in schema override files (#19296)
Closes: #19271
Closes: #19286

Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override files
- Regenerated osquery_fleet_schema.json
2024-05-27 18:18:56 -05:00


name: bitlocker_info
examples: |-
  Full Disk Encryption (FDE) reduces the risk of compromise when a device is lost or stolen. This query lists any system that does not have BitLocker enabled on its OS drive (typically `C:`).
  ```
  SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status != 1;
  ```
notes: |-
  * `protection_status` is quite nuanced - from the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/secprov/getprotectionstatus-win32-encryptablevolume#parameters):

    `protection_status = 0`

    For an Internal HD:
    The volume is unencrypted, partially encrypted, or the volume's encryption key is available in the clear on the hard disk.
    For an External HD:
    The band for the volume is perpetually unlocked, has no key manager, or is managed by a third party key manager.
    This can also mean that the band is managed by BitLocker but the DisableKeyProtectors method has been called and the drive is suspended.

    `protection_status = 1`

    For an Internal HD:
    The volume is fully encrypted and the encryption key for the volume is not available in the clear on the hard disk.
    For an External HD:
    BitLocker is the key manager for the band. The drive can be locked or unlocked but cannot be perpetually unlocked.

    `protection_status = 2`

    The volume protection status cannot be determined. This can be caused by the volume being in a locked state.
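The example query above and the `protection_status` notes can be exercised together without a Windows host. The following is an added example, not part of the Fleet schema file or of osquery: it loads constructed `bitlocker_info` rows into an in-memory SQLite table that stands in for osquery's table (the column set is an assumed subset of the real table), runs the page's query unchanged, and then labels each OS drive using the status meanings quoted from the Microsoft documentation. It also shows two cases a reviewer of the results should expect: a drive whose encryption is still in progress reports `protection_status = 0`, and a drive whose status cannot be determined (`2`) is matched by the `!= 1` query just like a drive with BitLocker off.

```python
"""Added example (not Fleet's or osquery's code): run the bitlocker_info
OS-drive query against constructed rows and classify protection_status.
Columns used here are an assumed subset of osquery's bitlocker_info table."""
import sqlite3

# Meanings taken from the GetProtectionStatus documentation cited in the notes.
PROTECTION_STATUS = {
    0: "unprotected",  # unencrypted, partially encrypted, key in the clear, or suspended
    1: "protected",    # fully encrypted and key not available in the clear
    2: "unknown",      # cannot be determined, for example because the volume is locked
}

# Constructed sample rows: (device_id, drive_letter, protection_status, percentage_encrypted)
SAMPLE_ROWS = [
    ("host-a", "C:", 1, 100),  # compliant OS drive
    ("host-b", "C:", 0, 0),    # BitLocker off
    ("host-c", "C:", 0, 37),   # encryption in progress: still reported as status 0
    ("host-d", "C:", 2, 0),    # status cannot be determined
    ("host-e", "D:", 0, 0),    # data drive; the OS-drive query does not select it
]

# The query exactly as it appears in the schema override above.
PAGE_QUERY = (
    "SELECT * FROM bitlocker_info "
    "WHERE drive_letter='C:' AND protection_status != 1;"
)


def load_table(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for osquery's bitlocker_info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bitlocker_info ("
        "device_id TEXT, drive_letter TEXT, "
        "protection_status INTEGER, percentage_encrypted INTEGER)"
    )
    conn.executemany("INSERT INTO bitlocker_info VALUES (?, ?, ?, ?)", rows)
    return conn


def run_page_query(conn):
    """Return the device_ids the page's query flags (status 0 and 2 both match)."""
    return sorted(row[0] for row in conn.execute(PAGE_QUERY))


def classify(protection_status, percentage_encrypted):
    """Map a status value to a label, separating in-progress encryption from 'off'."""
    label = PROTECTION_STATUS.get(protection_status, "unexpected value")
    if label == "unprotected" and 0 < percentage_encrypted < 100:
        return "unprotected (encryption in progress)"
    return label


def triage(conn):
    """Label every OS drive so 'unknown' hosts can be rechecked rather than
    reported as unencrypted."""
    rows = conn.execute(
        "SELECT device_id, protection_status, percentage_encrypted "
        "FROM bitlocker_info WHERE drive_letter='C:'"
    )
    return {device: classify(status, pct) for device, status, pct in rows}


if __name__ == "__main__":
    conn = load_table()
    print("flagged by page query:", run_page_query(conn))
    for device, label in triage(conn).items():
        print(f"{device}: {label}")
```

Because the page's query excludes only `protection_status = 1`, hosts whose status is undetermined (`2`) land in the same result set as hosts with BitLocker off; `triage()` keeps them apart so an "unknown" result prompts a re-query rather than a remediation ticket.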