Need command to identify BitLocker is managed by Sophos Encryption on the PC itself

I have identified a problem with Sophos Encryption, and I need to do a validation before bringing it up with Support as an issue. I can run a PowerShell command (as seen below) to find the encryption status; however, it doesn't tell me that it was Sophos which encrypted it. Is there a command or registry key I can pull to confirm that it is actually Sophos Encryption that encrypted the drive, or that it is at least activated?

I cannot depend on Sophos Central, as you may have guessed, because the problem I'm facing is that Sophos Central shows no indication of errors or faults, yet the drive is not encrypted properly. I can confirm this because these computers do not get the PIN request and boot authentication request, and yet Sophos Central shows no errors.

Command used: manage-bde -status c: 


Good Result

Volume C: []
[OS Volume]

Size: 476.07 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM And PIN
Numerical Password

Bad Result

Volume C: [OS]
[OS Volume]

Size: 464.29 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: None Found

What I want to do is run a PowerShell script across all endpoints, and if I see that Sophos encrypted the drive but it comes up with something like Used Space Only (which is wrong per the policy) or it uses AES 128, then it should report back as a problem. I have no problem writing this, but without confirming that the endpoint has Sophos Encryption and that it actually activated on the computer itself, I can't go any further.

Any help is greatly appreciated.
[edited by: GlennSen at 7:51 AM (GMT -8) on 4 Nov 2024]
  • As far as I am aware, the Sophos Device Encryption product just calls into BitLocker APIs to manage it.

    "C:\ProgramData\Sophos\Sophos Data Protection\Logs\Telemetry\telemetryStatus.json" might offer something as might the CDE.log file:

    "C:\ProgramData\Sophos\Sophos Data Protection\Logs\CDE.log" for example:

    <timestamp>: [INFO] TPM and PIN protector installation confirmed by user.
    <timestamp>: [INFO] Encrypting boot volume after hardware test, encryption type Full

    The process is to encrypt with a hardware test. So I believe the workflow is: the client gets the policy to encrypt, the user gets prompted for a PIN, and the computer is restarted, which is when the hardware test takes place.

    <timestamp>: [INFO] Boot volume is no longer fully decrypted, clearing hardware test status.

    <timestamp>: [INFO] Volume encryption status changed for volume \\?\Volume{f213d457-c000-4f67-a0a4-30069f2fb280}\: MountPoint: C: --> C:. VolumeLabel: Windows --> Windows. FileSystem: NTFS --> NTFS. IsBootVolume: True --> True. EncryptionState: Encrypting --> Encrypted. EncryptedSince: 01/01/0001 00:00:00 --> 28/11/2023 11:44:42. EncryptionMethod: XtsAes256 --> XtsAes256. SuspensionStatus: NotSuspended --> NotSuspended. AuthenticationType: TpmAndPin --> TpmAndPin.

    Maybe you can find a marker in there. The EncryptedSince might be of use.
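One way to build the check the question asks for, combining the manage-bde -status output quoted in the question with the CDE.log markers from this reply. This is an added example, not Sophos' code and not the poster's script. It assumes manage-bde.exe is on the PATH and the script runs elevated, that the log paths are exactly those named in the reply, that the policy expectation matches the question's Good Result (Fully Encrypted, XTS-AES 256, Protection On, a TPM And PIN protector), and that manage-bde prints English-locale text. The function names, $Expected table and the embedded sample output are mine; the sample is the Bad Result from the question, included so the script runs offline.

```powershell
# Added example for this thread, not Sophos' or the poster's code.
# Assumes manage-bde.exe on PATH (run elevated), the Sophos log paths named in
# the reply above, and English-locale manage-bde output. $Expected mirrors the
# question's Good Result; change it to match your own Sophos policy.
$SophosLogDir  = 'C:\ProgramData\Sophos\Sophos Data Protection\Logs'
$CdeLog        = Join-Path $SophosLogDir 'CDE.log'
$TelemetryJson = Join-Path $SophosLogDir 'Telemetry\telemetryStatus.json'

$Expected = @{
    ConversionStatus = 'Fully Encrypted'   # flags "Used Space Only Encrypted"
    EncryptionMethod = 'XTS-AES 256'       # flags XTS-AES 128
    ProtectionStatus = 'Protection On'
    KeyProtector     = 'TPM And PIN'
}

# Turn the "Key: Value" lines of manage-bde -status into an object.
function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = [ordered]@{ KeyProtectors = @() }
    $inProtectors = $false
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if (-not $line) { continue }
        if ($line -eq 'Key Protectors:') { $inProtectors = $true; continue }
        # Protector names follow "Key Protectors:" one per line, with no colon.
        if ($inProtectors -and $line -notmatch ':') { $fields.KeyProtectors += $line; continue }
        $inProtectors = $false
        if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $fields[$Matches.k.Trim()] = $Matches.v.Trim() }
    }
    [pscustomobject]$fields
}

# Pull the activation markers the reply points to out of CDE.log; $null if absent.
function Get-SophosCdeMarkers {
    param([string]$Path = $CdeLog)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $text  = Get-Content -LiteralPath $Path -Raw
    $type  = [regex]::Matches($text, 'Encrypting boot volume after hardware test, encryption type (\w+)') | Select-Object -Last 1
    # Last status-change line for the boot volume: its EncryptionState and EncryptedSince.
    $state = [regex]::Matches($text, 'IsBootVolume: True.*?EncryptionState: \w+ --> (\w+)\..*?EncryptedSince: .*?--> ([^.]+)\.') | Select-Object -Last 1
    $encType  = $null; if ($type)  { $encType  = $type.Groups[1].Value }
    $bootState = $null; $since = $null
    if ($state) { $bootState = $state.Groups[1].Value; $since = $state.Groups[2].Value }
    [pscustomobject]@{
        PinConfirmed    = ($text -match 'TPM and PIN protector installation confirmed by user')
        EncryptionType  = $encType
        BootVolumeState = $bootState
        EncryptedSince  = $since
    }
}

function Test-EndpointEncryption {
    param(
        [string]$Volume = 'C:',
        [string[]]$StatusLines   # pass captured output to test offline; otherwise manage-bde is run
    )
    if (-not $StatusLines) { $StatusLines = & manage-bde.exe -status $Volume 2>&1 | ForEach-Object { "$_" } }
    $bde = ConvertFrom-ManageBdeStatus -Lines $StatusLines
    $cde = Get-SophosCdeMarkers
    $problems = @()

    # Sophos side: is the product present, and did it get as far as encrypting?
    if (-not $cde) {
        $problems += "No CDE.log at $CdeLog (Sophos Device Encryption absent or never activated)"
    } else {
        if (-not $cde.PinConfirmed)                { $problems += 'CDE.log: TPM and PIN protector never confirmed by user' }
        if ($cde.EncryptionType -ne 'Full')        { $problems += "CDE.log: encryption type '$($cde.EncryptionType)', expected Full" }
        if ($cde.BootVolumeState -ne 'Encrypted')  { $problems += 'CDE.log: boot volume never reached EncryptionState Encrypted' }
    }
    # BitLocker side: compare what is actually on the volume with the policy.
    if ($bde.'Conversion Status' -ne $Expected.ConversionStatus) { $problems += "manage-bde: Conversion Status '$($bde.'Conversion Status')'" }
    if ($bde.'Encryption Method' -ne $Expected.EncryptionMethod) { $problems += "manage-bde: Encryption Method '$($bde.'Encryption Method')'" }
    if ($bde.'Protection Status' -ne $Expected.ProtectionStatus) { $problems += "manage-bde: $($bde.'Protection Status')" }
    if ($bde.KeyProtectors -notcontains $Expected.KeyProtector) {
        $problems += "manage-bde: no $($Expected.KeyProtector) protector (found: $($bde.KeyProtectors -join ', '))"
    }

    $since = $null; if ($cde) { $since = $cde.EncryptedSince }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Volume           = $Volume
        SophosLogPresent = [bool]$cde
        TelemetryPresent = (Test-Path -LiteralPath $TelemetryJson)
        EncryptedSince   = $since
        Healthy          = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

# Constructed input: the "Bad Result" quoted in the question, so this runs offline.
$badResult = @'
Volume C: [OS]
[OS Volume]

    Size:                 464.29 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:       None Found
'@ -split "`r?`n"

Test-EndpointEncryption -StatusLines $badResult | Format-List
# Live endpoint: Test-EndpointEncryption | Where-Object { -not $_.Healthy }
```

To run this across a fleet, wrap Test-EndpointEncryption in Invoke-Command and keep only objects where Healthy is $false; the Problems array then says whether it was the Sophos side (no CDE.log, no PIN confirmation, never reached Encrypted) or the BitLocker side (Used Space Only, XTS-AES 128, Protection Off, no TPM And PIN protector) that diverged. The example parses manage-bde rather than using Get-BitLockerVolume because the cmdlet's VolumeStatus does not distinguish used-space-only from full encryption, which is exactly the condition the question wants to catch; the cost is the dependency on English-locale text.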

