This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Query to know if a user with Central device encryption has configured his password

Query to know if a user with Central device encryption has configured his password.

I need your help if someone knows how to obtain that information through XDR by a query, we need to know how many computers do not have the password configured in bitlocker.

I have executed the bitlocker info query but it does not show the information. Thanks a lot



This thread was automatically locked due to age.
Parents Reply Children
  • Hello, thank you very much for the answer.
    I will tell you a little about what happened, the encryption with CDE was successful, but a bug with the bios of some Lenovo laptops eliminated the bitlocker password request at startup, the query that you indicate does not tell me if the user I reset the password at startup.

    As we can identify them in Sophos Central, it tells us that there is no problem with the equipment.

    excuse my bad writing in english.

  • Hello Kushal, I hope you are well
    Is there a way to identify the users who do have the PIN set when the laptop is turned on?

  • The information you are looking for does not appear to be recorded into the Data Lake. 

    An alternative would be to run the following powershell command. You can do this using a "Live Discover" session after entering "PowerShell " in the prompt. 
    Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-BitLocker/BitLocker Management";id="789"}  

     The event ID 789 corresponds with the bitlocker pin change.  

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  •  Hi Miguel,  

    depending on what os mean by "eliminated the BitLocker password" you most likely ran into one of the following issues:

    1. Windows simply starts without asking the PIN but the hard disk is encrypted
    2. BitLocker no longer accepts the PIN and I have to use the BitLocker recovery key to start Windows  

    For 1. e.g. BitLocker is no longer asking for the PIN and Windows simply starts then this is most likely because BitLocker was suspended. You can verify this by running manage-bde -status from an administrative command prompt. It should then list your volume C: and its "Protection Status", this can be:

    • Protection On --> this is shown on devices where the PIN entry is active
    • Protection Off (n reboots left) -->  in this case PIN entry is off but the  problem will solve itself after 'n' reboots
    • Protection Off --> most likely the situation in your case, in this case you have to reactivate BitLocker manually using the following command: manage-bde -protectors -enable c: 

    You can identify these devices in Central Device Encryption by going to the Computers view within the Encryption section of Sophos Central and then filter the devices by their Encryption Status, simply select Computers with Device Encryption suspended should show you all the devices that are affected. 

    For the second issue, e.g. if BitLocker however is asking for the BitLocker recovery key on every reboot, then this is most likely caused because the TPM detected some major changes in it boot process (which for example can happen when you perform a BIOS update). To solve this issue you have to perform multiple steps:

    1. Disable BitLocker with the following command: manage-bde -protectors -disable c:
    2. Reboot the computer
    3. Enable BitLocker again with the following command: manage-bde -protectors -enable c: 

    Identifying these devices is slightly more complicated, here you could use the Events Report under Logs & Reports and then only filter for Device Encryption events. Because we revoke the recovery key every time someone displays it, we can use this event to identify the devices that request the BitLocker recovery key on every start, just look for devices with daily "A BitLocker recovery key was revoked..." events.

    I hope this helps.

    Cheers,
    Marcel