Full Disk Encryption Visibility

With full disk encryption, all of the data on a disk drive is encrypted so that anyone without the key cannot read it. Full disk encryption reduces the risk of data compromise when a computer is stolen or attackers otherwise gain physical access to it.

BitLocker is the full disk encryption feature built into Microsoft Windows (starting with Windows Vista). It encrypts volumes with AES, in CBC or XTS mode, using a 128-bit or 256-bit key.

Cybereason Full disk encryption visibility lets you view a list of endpoints on which BitLocker is disabled. This allows you to identify endpoints that are potentially exposed to data compromise or related attacks, and to act accordingly.

Add registry key inclusions

Because of a known issue, if you edit a policy that was created in version 19.1, you must manually add the BitLocker registry key inclusions before you run the query.

For policies created in version 19.2, skip to the Find endpoints that have BitLocker disabled section.

  1. In the System > Policies Management > Create/Edit Policy > Collection features screen, under Add registry key inclusions, click Add New.

  2. In the Key column, type the following key name, and then click the check mark:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLocker

  3. In the Key column, type the following key name, and then click the check mark:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLockerSQM

    Note

    Do not modify the Depth and Value columns for either of the keys.

  4. Under Add registry key inclusions, verify that the new keys are displayed in the list of keys.

    Full Disk Encryption - Registry Key Inclusions

Find endpoints that have BitLocker disabled

To detect which endpoints in your system are not using BitLocker:

  1. In the Investigation screen, under My saved queries, click Hunting Query: Disk Encryption - Machines with BitLocker disabled.

    Full Disk Encryption - Query

  2. Click Get Results. The Investigation screen displays a list of endpoints that have BitLocker disabled.

    Full Disk Encryption - Query Results

Note

If Hunting Query: Disk Encryption - Machines with BitLocker disabled is not visible under My saved queries, construct the following query and click Get Results to view the endpoints that have BitLocker disabled.

Registry entry element -> filter for Registry entry name contains SOFTWARE\Microsoft\Windows\CurrentVersion\BitLocker\isBdeDriverPresent AND filter for Value is not 1.

Both filters must apply to the same registry entry: the query looks for an isBdeDriverPresent value that is set to something other than 1. Combining the two filters with OR would instead return every collected registry entry whose value is not 1. Note also that an endpoint on which the key does not exist at all has no Registry entry element for the query to match, and that isBdeDriverPresent, as its name indicates, reports whether the BitLocker driver is present rather than whether each volume is actually protected. Before acting on a result, confirm the protection status of the endpoint's volumes (for example with manage-bde -status).
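The following PowerShell function is an added example, not Cybereason's code or part of this product. It reads the same registry value the hunting query above filters on, then cross-checks it against the real protection status of the OS volume so you can validate the registry signal on a given endpoint. It assumes it is run elevated on the endpoint, or remotely against hosts named in -ComputerName with PowerShell remoting enabled, and that either the BitLocker PowerShell module or manage-bde.exe is available there. The function name and output fields are this example's own choices.

```powershell
# Added example (not Cybereason's code). Checks the registry signal the hunting
# query relies on (isBdeDriverPresent) and compares it with the OS volume's
# actual BitLocker protection status, per endpoint.
# Assumptions: elevated session; BitLocker module or manage-bde.exe present;
# PowerShell remoting enabled for any remote -ComputerName.

function Get-BitLockerVisibility {
    [CmdletBinding()]
    param(
        # Endpoints to check; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $check = {
        $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLocker'

        # Same value the saved query filters on. The query flags entries whose
        # value is not 1; a missing key yields no entry for the query to match.
        $reg = Get-ItemProperty -Path $regPath -Name 'isBdeDriverPresent' -ErrorAction SilentlyContinue
        $driverFlag = if ($null -ne $reg) { [int]$reg.isBdeDriverPresent } else { $null }

        # Ground truth: protection status of the OS volume, via the BitLocker
        # module where available, otherwise by parsing manage-bde -status.
        $osDrive    = $env:SystemDrive
        $protection = 'Unknown'
        if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
            $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
            if ($vol) { $protection = [string]$vol.ProtectionStatus }   # 'On' or 'Off'
        }
        elseif (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
            $out = & manage-bde.exe -status $osDrive 2>$null
            if     ($out -match 'Protection Status:\s+Protection On')  { $protection = 'On' }
            elseif ($out -match 'Protection Status:\s+Protection Off') { $protection = 'Off' }
        }

        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            IsBdeDriverPresent = $driverFlag
            QueryWouldFlag     = ($driverFlag -ne 1)      # mirrors "Value is not 1"
            OsVolumeProtection = $protection
            # Driver present but OS volume unprotected: the registry signal
            # alone would miss this endpoint.
            MissedByRegistry   = ($driverFlag -eq 1 -and $protection -eq 'Off')
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -ieq $env:COMPUTERNAME -or $name -ieq 'localhost') {
            & $check
        }
        else {
            Invoke-Command -ComputerName $name -ScriptBlock $check
        }
    }
}

# Usage: show the registry signal next to the real protection status.
Get-BitLockerVisibility | Format-Table -AutoSize
```

Run it on a handful of endpoints the query returned and on a few it did not. An endpoint with MissedByRegistry set to True has the BitLocker driver present but its OS volume unprotected, which the isBdeDriverPresent filter alone cannot surface; those are the endpoints worth following up by other means. Get-BitLockerVolume requires the BitLocker module (Windows 8 / Server 2012 or later; on servers it ships with the BitLocker feature), so the manage-bde fallback covers older or minimally provisioned hosts.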