Expanded Encrypted Volume Report (UEFI Boot / SecureBoot Status) - This is an expanded version of the Encrypted Volume Report

Posted: Thursday, December 12, 2019 3:20:34 PM(UTC)
PeterG
I've created a report that shows Boot Mode (UEFI / BIOS), whether SecureBoot is Enabled/Disabled, and whether the System Drive is BitLocker Encrypted or not.


In order for this report to work it requires a custom registry scan configured as follows:

Rootkey: HKEY_LOCAL_MACHINE
RegPath: SYSTEM\CurrentControlSet\Control\SecureBoot\State
RegValue: UEFISecureBootEnabled



Code:
Select Top 1000000 tsysAssetTypes.AssetTypeIcon16 As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblEncryptableVolume.DriveLetter,
  Case
    When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
    When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON'
    Else 'UNKNOWN'
  End As BitLocker,
  Case
    When tblRegistry.Value = 0 Then 'DISABLED'
    When tblRegistry.Value = 1 Then 'ENABLED'
    Else 'UNKNOWN'
  End As SecureBoot,
  Case
    When tblRegistry.Value Is Null Then 'BIOS'
    Else 'UEFI'
  End As [Boot Mode],
  tblEncryptableVolume.LastChanged,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssetCustom.Location,
  tsysIPLocations.IPLocation,
  tsysOS.OSname As OS,
  tblAssets.SP As SP,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblEncryptableVolume
  Inner Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
  Inner Join tsysAssetTypes On tblAssets.Assettype = tsysAssetTypes.AssetType
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join tsysIPLocations On tblAssets.LocationID = tsysIPLocations.LocationID
  Inner Join tblRegistry On tblAssets.AssetID = tblRegistry.AssetID
Where
  tblRegistry.Regkey Like
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State' And
  tblRegistry.Valuename = 'UEFISecureBootEnabled'
Order By tblAssets.AssetName

#1 PeterG
Posted: 12/16/2019 2:25:59 PM(UTC)
Added Partition Type of System Drive

Code:
Select Top 1000000 tsysAssetTypes.AssetTypeIcon16 As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblEncryptableVolume.DriveLetter,
  Case
    When tblDiskPartition.Type = 'Installable File System' Then 'MBR'
    When tblDiskPartition.Type = 'GPT: System' Then 'GPT'
    Else 'UNKNOWN'
  End As [System Partition],
  Case
    When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
    When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON'
    Else 'UNKNOWN'
  End As BitLocker,
  Case
    When tblRegistry.Value = 0 Then 'DISABLED'
    When tblRegistry.Value = 1 Then 'ENABLED'
    Else 'UNKNOWN'
  End As SecureBoot,
  Case
    When tblRegistry.Value Is Null Then 'BIOS'
    Else 'UEFI'
  End As [Boot Mode],
  tblEncryptableVolume.LastChanged,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Description,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysIPLocations.IPLocation,
  tsysOS.OSname As OS,
  tblAssets.SP As SP,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblEncryptableVolume
  Inner Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
  Inner Join tsysAssetTypes On tblAssets.Assettype = tsysAssetTypes.AssetType
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join tsysIPLocations On tblAssets.LocationID = tsysIPLocations.LocationID
  Inner Join tblRegistry On tblAssets.AssetID = tblRegistry.AssetID
  Inner Join tblDiskPartition On tblAssets.AssetID = tblDiskPartition.AssetID
Where (tblDiskPartition.Type = 'GPT: System' Or tblDiskPartition.Type =
    'Installable File System') And
  tblRegistry.Regkey Like
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State' And
  tblRegistry.Valuename = 'UEFISecureBootEnabled'
Order By tblAssets.AssetName
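
An added example, not part of PeterG's posts: both reports above inner-join tblRegistry, so an asset is listed only if a row for UEFISecureBootEnabled exists for it. This variant assumes an asset without a scanned value has no such row, moves the registry filter into a Left Join, and lists only assets where BitLocker is not ON or Secure Boot is not ENABLED. It reuses only tables and columns from the reports above; the alias SecureBootState is introduced here.

```sql
-- Added example, not from the original posts.
-- Assumption: an asset where the scanned value was not found has no matching
-- row in tblRegistry, so the registry filter sits in the join condition
-- instead of the Where clause.
Select Top 1000000 tsysAssetTypes.AssetTypeIcon16 As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblEncryptableVolume.DriveLetter,
  Case
    When tblEncryptableVolume.ProtectionStatus = 0 Then 'OFF'
    When tblEncryptableVolume.ProtectionStatus = 1 Then 'ON'
    Else 'UNKNOWN'
  End As BitLocker,
  -- Compared as text so the predicate does not depend on the column being
  -- numeric (the column type is an assumption).
  Case
    When SecureBootState.Value = '1' Then 'ENABLED'
    When SecureBootState.Value = '0' Then 'DISABLED'
    Else 'NO VALUE SCANNED'
  End As SecureBoot,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Lastseen
From tblEncryptableVolume
  Inner Join tblAssets On tblEncryptableVolume.AssetId = tblAssets.AssetID
  Inner Join tsysAssetTypes On tblAssets.Assettype = tsysAssetTypes.AssetType
  Left Join tblRegistry As SecureBootState On
    SecureBootState.AssetID = tblAssets.AssetID And
    SecureBootState.Regkey Like
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State' And
    SecureBootState.Valuename = 'UEFISecureBootEnabled'
Where
  -- Keep only rows that need attention: volume not protected, or Secure Boot
  -- value missing or not 1.
  tblEncryptableVolume.ProtectionStatus Is Null Or
  tblEncryptableVolume.ProtectionStatus <> 1 Or
  SecureBootState.Value Is Null Or
  SecureBootState.Value <> '1'
Order By tblAssets.AssetName
```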
