
Query to know if a user with Central device encryption has configured his password

I need your help: does anyone know how to obtain that information through XDR with a query? We need to know how many computers do not have the password configured in BitLocker.

I have executed the BitLocker info query, but it does not show the information. Thanks a lot.

  • Hi Miguel,

    Thanks for reaching out to the Community Forum.

    I was able to locate the following Live Discover query which gives lots of information on Bitlocker.
    - BitLocker Status

    Regarding your question, are you asking about the initial prompt presented by CDE where an end-user is required to enter their account password to begin the encryption process or is this regarding the "Require startup authentication" option?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hello, thank you very much for the answer.
    I will tell you a little about what happened: the encryption with CDE was successful, but a bug in the BIOS of some Lenovo laptops eliminated the BitLocker password request at startup. The query that you indicate does not tell me whether the user reset the password at startup.

    How can we identify them in Sophos Central? It tells us that there is no problem with the equipment.

    Excuse my bad writing in English.

  • Hello Kushal, I hope you are well
    Is there a way to identify the users who do have the PIN set when the laptop is turned on?

  • The information you are looking for does not appear to be recorded in the Data Lake.

    An alternative would be to run the following PowerShell command. You can do this in a "Live Discover" session after entering "PowerShell" at the prompt.
    Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-BitLocker/BitLocker Management";id="789"}

    Event ID 789 corresponds to a BitLocker PIN change.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Miguel,

    Depending on what you mean by "eliminated the BitLocker password", you most likely ran into one of the following issues:

    1. Windows simply starts without asking the PIN but the hard disk is encrypted
    2. BitLocker no longer accepts the PIN and I have to use the BitLocker recovery key to start Windows  

    For 1. (BitLocker is no longer asking for the PIN and Windows simply starts), this is most likely because BitLocker was suspended. You can verify this by running manage-bde -status from an administrative command prompt. It should then list your volume C: and its "Protection Status", which can be:

    • Protection On --> shown on devices where the PIN entry is active
    • Protection Off (n reboots left) --> in this case PIN entry is off, but the problem will solve itself after 'n' reboots
    • Protection Off --> most likely the situation in your case; here you have to reactivate BitLocker manually with the following command: manage-bde -protectors -enable c:

    You can identify these devices in Central Device Encryption by going to the Computers view within the Encryption section of Sophos Central and filtering the devices by their Encryption Status; simply selecting "Computers with Device Encryption suspended" should show you all the affected devices.

    For the second issue, i.e. if BitLocker is asking for the BitLocker recovery key on every reboot, this is most likely because the TPM detected major changes in its boot process (which can happen, for example, when you perform a BIOS update). To solve this issue you have to perform multiple steps:

    1. Disable BitLocker with the following command: manage-bde -protectors -disable c:
    2. Reboot the computer
    3. Enable BitLocker again with the following command: manage-bde -protectors -enable c: 

    Identifying these devices is slightly more complicated; here you could use the Events Report under Logs & Reports and filter only for Device Encryption events. Because we revoke the recovery key every time someone displays it, we can use this event to identify the devices that request the BitLocker recovery key on every start: just look for devices with daily "A BitLocker recovery key was revoked..." events.

    I hope this helps.

    Cheers,
    Marcel
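As an added example (not code from the thread or from Sophos), the following PowerShell script combines Kushal's event 789 check with the three manage-bde protection states Marcel describes, so a single run reports whether the OS volume actually has a TPM+PIN protector and whether protection is on, temporarily suspended or off. It assumes Windows 10/11 with the built-in BitLocker module and an elevated shell; the function and property names are the example's own.

```powershell
# Added example: classify the OS volume's BitLocker PIN state on one machine.
# Assumes Windows 10/11 with the BitLocker PowerShell module, run as administrator.
function Get-BitLockerPinReport {
    param([string]$MountPoint = $env:SystemDrive)   # usually "C:"

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # PIN entry at boot requires a TpmPin or TpmPinStartupKey protector.
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

    # manage-bde prints "Protection Off (n reboots left)" while suspended;
    # Get-BitLockerVolume only reports On/Off, so read the raw status line.
    $statusLine = (manage-bde -status $MountPoint | Select-String 'Protection Status').ToString()
    $state = switch -Regex ($statusLine) {
        'Protection Off \((\d+) reboot' { 'SuspendedTemporarily'; break }  # resumes by itself
        'Protection Off'                { 'SuspendedIndefinitely'; break } # needs -protectors -enable
        'Protection On'                 { 'ProtectionOn'; break }
        default                         { 'Unknown' }
    }

    # Event 789 in the BitLocker Management log records a PIN change.
    $pinEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 789 })
    $lastChange = $null
    if ($pinEvents.Count -gt 0) {
        $lastChange = ($pinEvents | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Volume             = $MountPoint
        VolumeStatus       = $vol.VolumeStatus      # e.g. FullyEncrypted
        ProtectionState    = $state
        HasTpmPinProtector = $hasPin
        PinChangeEvents    = $pinEvents.Count
        LastPinChange      = $lastChange
        # Flag devices that boot without a PIN prompt for whatever reason.
        NeedsAttention     = (-not $hasPin) -or ($state -ne 'ProtectionOn')
    }
}

Get-BitLockerPinReport | Format-List
```

Run through a Live Discover PowerShell session on each affected device, the NeedsAttention field separates suspended volumes (fix with manage-bde -protectors -enable) from volumes that never had a PIN protector at all.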