Getting BitLocker status from clients using Hardware Inventory in Configuration Manager 2007


Let's say that you need to collect the BitLocker Drive Encryption status from the clients in your environment. You have System Center Configuration Manager 2007 and you're already using Hardware Inventory, but how do you put it all together? That's what I'll be discussing here.

First, here are the additions that need to be made to the SMS_DEF.MOF and CONFIGURATION.MOF files:

SMS_DEF.MOF:
------------------
[SMS_Report(TRUE),
 SMS_Group_Name("Bitlocker"),
 SMS_Class_ID("MICROSOFT|Bitlocker|1.0")]
class Bitlocker : SMS_Class_Template
{
    [SMS_Report(TRUE), key]
    string          DeviceID;
    [SMS_Report(TRUE)]
    string          DriveLetter;
    [SMS_Report(TRUE)]
    uint32          ProtectionStatus;
};

CONFIGURATION.MOF:
-----------------------
#pragma namespace("\\\\.\\root\\cimv2")

[Union,ViewSources{"select * from Win32_EncryptableVolume"},ViewSpaces{"\\\\.\\root\\cimv2\\security\\MicrosoftVolumeEncryption"},
Dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Bitlocker
{
    [PropertySources{"DeviceID"},key]
    string          DeviceID;
    [PropertySources{"DriveLetter"}]
    string          DriveLetter;
    [PropertySources{"ProtectionStatus"}]
    uint32          ProtectionStatus;
};

Adding these sections to the respective MOFs and saving them is all that is needed to get started. Once the clients go through their next policy cycle, the new Bitlocker view class will be populated in WMI. From then on, whenever the inventory cycle runs, the information is collected into the inventory XML and sent to the management point, where the dataloader processes it and adds it to the database for the respective client. Once the information is in the database, it can be fetched via custom reports. Alternatively, you can also view this information in Resource Explorer for each client.

Most of the time things will not end with just collecting the information using the MOF edit; you will also need to report on it. This is actually pretty simple, and here are the steps you'll need to follow:

1. Create a new report and give it a name.

2. Choose the category you want to put it in and then click on Edit SQL Statement.

3. In the SQL Statement box type in the query below:

SELECT sys.Name0, BL.DriveLetter0, BL.ProtectionStatus0 FROM v_GS_BitLocker BL JOIN v_R_System sys ON sys.ResourceID = BL.ResourceID

Now, there are two things to remember here: first, the name of the view that is being queried for the BitLocker information, and second, the columns that need to be reported.

The view name will be v_GS_<name of the class in the MOF>. In this example, the name defined in the MOFs above is Bitlocker, so the view we query is v_GS_BitLocker (the ConfigMgr database uses a case-insensitive collation, so the difference in capitalization does not matter). Note that inventoried properties get a 0 suffix in the view, which is why the columns are DriveLetter0 and ProtectionStatus0.

If more information is desired in reports (which is rarely the case), you can run a select query in SQL against the SCCM database to see all the columns that are present in the view. For example:

select * from v_GS_BitLocker
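The following is an added example report query, not part of the original post. It extends the three-column query above in two ways that practitioners usually ask for: it restricts the report to one collection through a report prompt, and it decodes the numeric ProtectionStatus0 into text so that machines without any BitLocker inventory row at all show up instead of silently disappearing from the report. It assumes the v_GS_BitLocker view created by the MOF edit above, the standard ConfigMgr 2007 views v_R_System, v_FullCollectionMembership and v_Collection, and a report prompt variable named @CollID (the name is an assumption; define it on the report's Prompts tab). The status code meanings are those documented for Win32_EncryptableVolume.ProtectionStatus (0 = off, 1 = on, 2 = unknown).

```sql
-- Added example (not from the original post): BitLocker status report
-- scoped to one collection, with ProtectionStatus0 decoded to text.
-- Assumptions: v_GS_BitLocker exists (from the MOF edit), the standard
-- views v_R_System / v_FullCollectionMembership are present, and the
-- report defines a prompt variable @CollID (hypothetical name; its
-- prompt SQL can be "SELECT CollectionID, Name FROM v_Collection").
SELECT
    sys.Name0                        AS [Computer],
    BL.DriveLetter0                  AS [Drive],
    BL.ProtectionStatus0             AS [StatusCode],
    CASE BL.ProtectionStatus0
        WHEN 0 THEN 'Protection Off'      -- not encrypted, or encrypted but protection suspended
        WHEN 1 THEN 'Protection On'       -- fully encrypted, key protectors in place
        WHEN 2 THEN 'Protection Unknown'  -- status could not be determined (e.g. volume locked)
        ELSE        'Not reported'        -- no inventory row: client not yet inventoried, or MOF edit failed
    END                              AS [ProtectionStatus],
    BL.TimeStamp                     AS [InventoryTime]
FROM v_R_System sys
JOIN v_FullCollectionMembership fcm
    ON fcm.ResourceID = sys.ResourceID
LEFT JOIN v_GS_BitLocker BL
    ON  BL.ResourceID  = sys.ResourceID
    AND BL.DriveLetter0 = 'C:'            -- OS volume only; remove this line to list every volume
WHERE fcm.CollectionID = @CollID
ORDER BY sys.Name0, BL.DriveLetter0
```

The LEFT JOIN is deliberate: an inner join (as in the short query above) only returns machines that have already sent BitLocker inventory, so a client where the MOF edit did not take effect would be invisible. With the outer join such machines appear as 'Not reported' and can be followed up. Keep in mind that ProtectionStatus alone does not distinguish an unencrypted volume from an encrypted volume whose protection has been suspended; both report 0.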

That's it! Now you're ready to query and report BitLocker information from clients.

Please note that this solution will only work on Windows 7 and Windows Server 2008 R2 clients and newer. Windows Vista and Windows Server 2008 do not have the ProtectionStatus property on the Win32_EncryptableVolume class in the root\cimv2\security\MicrosoftVolumeEncryption namespace. For this reason, BitLocker status cannot be natively queried using ConfigMgr Hardware Inventory on Windows Vista and Windows Server 2008 clients. Attempting to use the above MOF modifications on a Windows Vista or Windows Server 2008 client will result in the following error in InventoryAgent.log:

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, DeviceID, DriveLetter, ProtectionStatus FROM Bitlocker; Timeout = 600 secs. InventoryAgent
CCollectionTask::ProcessInstances InventoryAgent
Unknown error encountered processing an instance of class Bitlocker: 80041001 InventoryAgent

Please see the following article for more information:

GetProtectionStatus method of the Win32_EncryptableVolume class
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376448(v=vs.85).aspx

Vishal Gupta | Microsoft System Center support

  • It works great thanks!

    Do you know how to run this report against a certain collection?

  • A number of SCCM admins have been running a scheduled manage-bde -status script to populate the information into WMI and then pull the information out via sms_def.mof. One of the benefits of this method was getting additional information (Drive, DriveLabel, Size, BitLocker Version, Conversion_Status, Percentage_encrypted, Encryption_method, Protection_status, Lock_status, Identification_Field, Key_Protectors, Automatic_unlock) than what you are demonstrating here. Is there any way to add this type of additional information?

  • @Preston - You can add a where clause along with a prompt to prompt for a collection ID while running the report.

  • @Barker - The above MOF edit is used to report only the information which is by default present in the Win32_EncryptableVolume class. manage-bde calls methods which are a part of this class to get the additional information that you mention. You cannot do that using a MOF edit. For that we have to run a client-side script to populate that information in a custom class on a regular basis and then report that info.

    The above info is only for simple reporting scenarios where we just want to know whether or not BitLocker encryption is enabled on the drives of the machines in the environment.

  • Great post but I struggle to get status information for the C: drive. Any idea what might be wrong (I've copied and pasted the content for the MOFs)?

  • Add this to the report to only query for the C-drive:

    WHERE DriveLetter0 = 'C:'

  • Hi all, I need your help. I want to generate a report for systems which are in the BitLocker suspended state.

  • By implementing this change, what effect will this have on any XP / 2008 Server machines that we have in the business, which we are currently upgrading on a week-by-week basis? We have just started to BitLocker the Windows 7 machines in the business. Thanks