Query Details

MDE TVM Security Controls BitLocker

Query

# MDE - TVM - Security Configuration - Windows BitLocker

## Query Information

Use the queries below to retrieve Windows BitLocker configuration compliance: the first gives a per-control compliance summary, the second lists the non-compliant devices.

### Microsoft 365 Defender

```kql
// Security Controls - BitLocker - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2093", "scid-2091", "scid-2090")
// Keep only the most recent assessment per device and control
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2093", "BitLockerDriveCompat",
    ConfigurationId == "scid-2091", "ResumeBitLockerAllDrives",
    ConfigurationId == "scid-2090", "EncryptAllSupportedDrives",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// The column alias belongs outside the cast: "Name = toint(agg(...))", not "toint(Name = agg(...))"
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
            NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
            NotApplicable = toint(dcountif(DeviceId, Result == "N/A")) by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint(Compliant + NonCompliant + NotApplicable)
| extend PctCompliant = toint((Compliant * 100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant, NonCompliant, NotApplicable, TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices, Compliant, NonCompliant
// | render columnchart with(kind=stacked100)
```

```kql
// Security Controls - BitLocker - Non-Compliance Details
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2093", "scid-2091", "scid-2090")
// Keep only the most recent assessment per device and control
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2093", "BitLockerDriveCompat",
    ConfigurationId == "scid-2091", "ResumeBitLockerAllDrives",
    ConfigurationId == "scid-2090", "EncryptAllSupportedDrives",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Filter on the derived Result so devices where the control is not applicable
// (IsApplicable == 0, which also carries IsCompliant == 0) are not reported as failures
| where Result == "BAD"
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationSubcategory, ConfigurationCategory
| sort by DeviceName, ConfigurationSubcategory, ConfigurationName
```

Explanation

The first query retrieves the compliance status of the Windows BitLocker configuration controls. It keeps the most recent assessment (arg_max on Timestamp) for each device and configuration, maps each configuration ID to a readable name, and derives a result (GOOD, BAD, or N/A) from the compliance and applicability flags. It then counts the compliant, non-compliant, and not-applicable devices for each configuration, joins the results with the descriptive fields from the DeviceTvmSecureConfigurationAssessmentKB table, and calculates the total number of devices and the percentage of compliant devices. Finally, it projects the result columns and sorts them by configuration subcategory.

The second query retrieves the details of the non-compliant devices for the same BitLocker configurations. It joins the results with the descriptive fields from the DeviceTvmSecureConfigurationAssessmentKB table and projects the device name, configuration name, configuration subcategory, and configuration category. The results are sorted by device name, configuration subcategory, and configuration name.
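The two queries above give a fleet-level summary and a flat list of failures. For remediation it is often more useful to see one row per device with the state of each BitLocker control side by side. The following query is an added example, not part of the original page; it reuses the same table, control IDs and friendly names, and relies on the standard Kusto `make_bag`, `bag_pack` and `bag_unpack` functions to pivot the per-control results into columns.

```kql
// Added example: per-device BitLocker posture matrix (one row per device,
// one column per control), listing only devices with at least one failing control.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2093", "scid-2091", "scid-2090")
// Most recent assessment per device and control
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2093", "BitLockerDriveCompat",
    ConfigurationId == "scid-2091", "ResumeBitLockerAllDrives",
    ConfigurationId == "scid-2090", "EncryptAllSupportedDrives",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Collapse the three control rows of each device into a single property bag
// {"BitLockerDriveCompat": "GOOD", "ResumeBitLockerAllDrives": "BAD", ...}
// and count how many controls are failing (N/A is neither a pass nor a fail)
| summarize Controls = make_bag(bag_pack(Configuration, Result)),
            FailedControls = countif(Result == "BAD"),
            LastAssessed = max(Timestamp) by DeviceId, DeviceName
// Turn the bag keys into real columns so the output can be filtered or exported per control
| evaluate bag_unpack(Controls)
| where FailedControls > 0
| project DeviceName, DeviceId, FailedControls, LastAssessed,
          BitLockerDriveCompat, ResumeBitLockerAllDrives, EncryptAllSupportedDrives
| sort by FailedControls desc, DeviceName asc
```

Devices where all three controls are GOOD or N/A drop out because of the `FailedControls > 0` filter; remove that line to get the full matrix, including fully compliant devices, which is the shape most reporting tools expect for a compliance export.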

Details


Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Keywords

Devices, Intune, User, MDE, TVM, SecurityConfiguration, WindowsBitlocker

Operators

where, in, summarize, arg_max, by, extend, case, dcountif, join, on, toint, project, sort