Live Discover Query - BitLocker

  REVIEWED by Sophos 

The first query shows, for Windows devices, whether any drive has been encrypted using BitLocker:

select
   drive_letter as "Drive Letter",
   case protection_status when '1'
      then 'ENABLED'
      else 'DISABLED'
      end as "Protection Status",
   encryption_method as "Encryption Method"
from bitlocker_info
where drive_letter like '_:'

 

The second query will identify drives that have been encrypted utilizing hardware encryption via BitLocker:

select
   drive_letter as "Drive Letter",
   case protection_status when '1'
      then 'ENABLED'
      else 'DISABLED'
      end as "Protection Status",
   encryption_method as "Encryption Method"
from bitlocker_info
where drive_letter like '_:' and encryption_method like 'HARDWARE%'

These drives could be affected by a security risk that was discovered by Radboud University; see: https://community.sophos.com/kb/en-us/133070