Sophos XDR: How to Run Query Bitlocker Information on Endpoint.


Sophos XDR gives you access to both data stored in the cloud and directly on the device. Which means you always have the most up-to-date data possible.

Customers get 30 days of cloud storage in the Sophos Data Lake, in addition to up to 90 days of data that is stored directly on the device for real-time and historical searches. So even if a device is offline you can still access its critical data to investigate suspicious activity.


The article will guide you how to custom query Bitlocker information after deploying Sophos Device Encryption on Endpoints.


Step 1: Custom Query Bitlocker Info.

With Sophos XDR, there is already a query about bitlocker info available for you to query, but you can still customize this query to get more detailed information.

To learn more about new queries you can join the following forum:

Login Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.

Here you can see the queries built-in by Sophos, with query category such as Device, Network, etc. You just need to select the query type, select the endpoint will be query and check the returned results.

To custom query, select Enable Designer Mode > Create new query.

Next, fill in the following information:

  • Query Name: Name the query
  • Category: Select the query category
  • Enter in the description if you want.

Scroll down and select Live Endpoint > Windows.

SQL: You enter the query code for get bitlocker information.

SQL code:

SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id,
   CASE conversion_status
      WHEN 1 THEN ‘Fully Encrypted’
      WHEN 2 THEN ‘Encryption In Progress’
      WHEN 3 THEN ‘Decryption In Progress’
      WHEN 4 THEN ‘Encryption Paused’
      WHEN 5 THEN ‘Decryption Paused’
      ELSE ‘Fully Decrypted’
   END conversion_status,
   CASE protection_status
      WHEN 0 THEN ‘Protection Off’
      WHEN 1 THEN ‘Protection On’
      ELSE ‘Unknown’
   END protection_status,
   CASE lock_status
      WHEN 0 THEN ‘Unlocked’
      WHEN 1 THEN ‘Locked’
   END lock_status
FROM bitlocker_info;

Step 2: Select Endpoint Query

Next, you select the Endpoints will be query or select all endpoints. Then click Run Query.

Continue click Run Query.

You wait for the Query to finish running on the Endpoint with the status “Finish – OK”.

Step 3: Check the results.

The results table shows which drives are on the endpoints.

and Protection _status is OFF, which means that this endpoint has not installed Sophos Device Encryption. And Protection _status is ON, the endpoint has installed Sophos Device Encryption with Full Encrypted C drive.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.