Bitlocker Status in Inventory

I'd like to be able to query Vista clients for their Bitlocker status. Does this require modifications of smsdef.mof? Anyone successfully getting Bitlocker status in inventory?
January 29th, 2008 4:37pm

If you can query that information through WMI, then yes you could modify the sms_def.mof to collect it. We don't do it by default, and I don't know that it is available in WMI (though my guess is yes).

Maybe others have already done so and can tell you the modifications that are necessary. I'll see if I can find out.

January 29th, 2008 4:53pm

I modified sms_def.mof (see below) and now I see the available properties of the Win32_EncryptableVolume class:

//------------------------------------------------
// Bit Locker
//------------------------------------------------

[SMS_Report(TRUE),
SMS_Group_Name("Bitlocker Info"),
SMS_Class_ID("BITLOCKER"),
// Quadruple escaping is required here: the string is compiled once by mofcomp
// and parsed again by the inventory agent before it reaches WMI.
namespace ("\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftVolumeEncryption")]
class Win32_EncryptableVolume : SMS_Class_Template
{
// DeviceID (the volume GUID path) is unique per volume, so it serves as the key.
[SMS_Report(TRUE), key]
string DeviceID;

[SMS_Report(TRUE)]
string PersistentVolumeID;

// Documented property name is DriveLetter; WMI property names are case-insensitive.
[SMS_Report(TRUE)]
string DriveLetter;
};

From what I read, if the PersistentVolumeID is null, it is an NTFS unencrypted volume. If encrypted, a value is present. There is a GetProtectionStatus method for this class, but, having no previous experience with WMI and sms_def.mof, I don't suppose I can use a "method" in sms_def.mof to get a more specific answer to whether the drive is encrypted?

January 29th, 2008 8:46pm

Hello!

I was looking at that exact WMI class earlier today when I first saw your post. I'm glad you found it unassisted!

To answer your question though, no you cannot use WMI methods with the SMS_def.mof. I'm not sure what additional information you require though. Wasn't your initial aim just to see if a volume was encrypted?

January 30th, 2008 1:03am

Joan,

All you are missing is the "ProtectionStatus" property.  I took your example, added ProtectionStatus and updated my sms_def.mof and now I am getting drive protection status in my ConfigMgr DB.  See http://msdn.microsoft.com/en-us/library/aa376483(v=VS.85).aspx for more info.  Below is my sms_def.mof addition:

//------------------------------------------------
// Bit Locker
//------------------------------------------------

[SMS_Report(TRUE),
SMS_Group_Name("Bitlocker Info"),
SMS_Class_ID("BITLOCKER"),
// Quadruple escaping: compiled once by mofcomp, parsed again by the inventory agent.
namespace ("\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftVolumeEncryption")]
class Win32_EncryptableVolume : SMS_Class_Template
{
// Volume GUID path, unique per volume: the key for this inventory class.
[SMS_Report(TRUE), key]
string DeviceID;

[SMS_Report(TRUE)]
string PersistentVolumeID;

// Documented property name is DriveLetter; WMI property names are case-insensitive.
[SMS_Report(TRUE)]
string DriveLetter;

// 0 = protection off, 1 = protection on, 2 = unknown (value cached at instantiation).
[SMS_Report(TRUE)]
uint32 ProtectionStatus;
};

Note (from MSDN link above): The status of the volume, whether or not BitLocker is protecting the volume. This value is stored when the class is instantiated. It is possible for the protection status to change state between instantiation and when you check the value. To check the value of the ProtectionStatus property in real time, use the GetProtectionStatus method (not helpful in sms_def.mof since you can't call methods!!)

November 16th, 2010 3:15am
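The following is an added example and not code from the thread: a PowerShell script for a Vista or later client with the BitLocker components present, run in an elevated session, that reads the same Win32_EncryptableVolume properties the sms_def.mof class above collects and then calls GetProtectionStatus() and GetConversionStatus() for the live values that the MSDN note says the stored ProtectionStatus property may not reflect (the method call the earlier post asked about, which inventory itself cannot make). The names in the two hashtables are the documented values for ProtectionStatus and ConversionStatus; the Suspended field is my own derived flag, not a WMI property.

```powershell
# Added example: compare the cached ProtectionStatus that hardware inventory
# would collect with the live result of GetProtectionStatus().
# Assumes an elevated Windows PowerShell session on a client that has the
# root\CIMv2\Security\MicrosoftVolumeEncryption namespace.

$ns = 'root\CIMv2\Security\MicrosoftVolumeEncryption'

# Documented ProtectionStatus values for Win32_EncryptableVolume
$protectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

# Documented ConversionStatus values returned by GetConversionStatus()
$conversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Get-BitLockerVolumeStatus {
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
    foreach ($vol in $volumes) {
        # Cached value: stored when the instance was created, i.e. what inventory sees.
        $cached = [int]$vol.ProtectionStatus

        # Live value: re-evaluated by the provider at call time.
        $live = $vol.GetProtectionStatus()
        if ($live.ReturnValue -ne 0) {
            Write-Warning ("GetProtectionStatus failed on {0}: 0x{1:X8}" -f $vol.DeviceID, $live.ReturnValue)
            continue
        }
        $conv = $vol.GetConversionStatus()

        New-Object PSObject -Property @{
            DriveLetter        = $vol.DriveLetter
            DeviceID           = $vol.DeviceID
            PersistentVolumeID = $vol.PersistentVolumeID
            CachedProtection   = $protectionNames[$cached]
            LiveProtection     = $protectionNames[[int]$live.ProtectionStatus]
            Conversion         = $conversionNames[[int]$conv.ConversionStatus]
            EncryptedPercent   = $conv.EncryptionPercentage
            # Encrypted (or converting) but unprotected means protectors are suspended
            # and the key is stored in the clear; PersistentVolumeID alone would still
            # make the volume look "encrypted" in inventory. Derived flag, not a WMI property.
            Suspended          = ($conv.ConversionStatus -ne 0 -and $live.ProtectionStatus -eq 0)
        }
    }
}

Get-BitLockerVolumeStatus |
    Format-Table DriveLetter, CachedProtection, LiveProtection, Conversion, EncryptedPercent, Suspended -AutoSize
```

A volume that reports Suspended is the case worth watching in inventory: ProtectionStatus is 0 for it just as for a never-encrypted volume, so a report that keys only on PersistentVolumeID or only on ProtectionStatus will misclassify it one way or the other.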

Hi,

Slightly off topic,

Has anyone created a collection that has all systems that have bitlocker enabled and the recovery key is NOT in AD?

I have a script that can add the recovery key to AD but I need to target a collection.

November 19th, 2010 1:44pm

I'm not very familiar with the AD recovery key, but here's my thought, I don't know if it's possible or not.

If you a) have the Discovery method of "AD System Discovery" enabled, and b) know the AD attribute for the recovery key, then...

In AD System Discovery, go to the "Active Directory attribute" tab, and add in that new, custom AD attribute.

The next time AD System Discovery runs, that new attribute will be gathered from AD and it will end up in v_r_system.  So you'll be able to create collections based on that attribute in AD.

November 19th, 2010 2:05pm

Hi,

Slightly off topic,

Has anyone created a collection that has all systems that have bitlocker enabled and the recovery key is NOT in AD?

I have a script that can add the recovery key to AD but I need to target a collection.

I understand this question is still off topic, but did you achieve it? I'm looking for information on how to get a report showing information about it. I can't locate a WMI class which can give me a hook to get the association with the key in AD. Right now I'm able to create a report with information about BitLocker status in SCCM, but I'm unable to say if this key is present in AD.
July 15th, 2015 2:10am
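An added example, not from the thread, for the "is the recovery key in AD" question raised twice above. BitLocker stores each recovery password as an msFVE-RecoveryInformation object one level beneath the computer account, and each such object carries the protector's GUID in msFVE-RecoveryGuid; so the check is a comparison between the numerical-password protector IDs the client reports through Win32_EncryptableVolume.GetKeyProtectors() and the GUIDs found beneath its own computer object. This PowerShell script does that comparison for the local machine using System.DirectoryServices. It assumes a domain-joined client, an elevated session, and an account with read access to msFVE-RecoveryInformation objects (that right is delegated; ordinary users do not have it by default). The function names are mine.

```powershell
# Added example: for each BitLocker recovery-password protector on this machine,
# report whether a matching msFVE-RecoveryInformation object exists in AD.
# Assumes: domain-joined client, elevated session, and a caller allowed to read
# msFVE-RecoveryInformation objects beneath the computer account.

$ns = 'root\CIMv2\Security\MicrosoftVolumeEncryption'
$NumericalPassword = 3   # KeyProtectorType for a 48-digit recovery password

function Get-LocalRecoveryProtectors {
    # One object per recovery protector: drive letter and protector GUID.
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        $r = $vol.GetKeyProtectors($NumericalPassword)
        if ($r.ReturnValue -ne 0 -or -not $r.VolumeKeyProtectorID) { return }
        foreach ($id in $r.VolumeKeyProtectorID) {
            New-Object PSObject -Property @{
                DriveLetter = $vol.DriveLetter
                ProtectorId = [guid]$id     # WMI returns the ID as a "{GUID}" string
            }
        }
    }
}

function Get-AdRecoveryGuids {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Locate the computer object in the default naming context.
    $finder = New-Object System.DirectoryServices.DirectorySearcher
    $finder.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $finder.FindOne()
    if (-not $computer) { throw "Computer $ComputerName not found in AD" }

    # Recovery information objects are children of the computer object, so search
    # one level beneath it rather than reading an attribute of the computer itself.
    $finder = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $finder.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $finder.SearchScope = 'OneLevel'
    [void]$finder.PropertiesToLoad.Add('msFVE-RecoveryGuid')
    foreach ($entry in $finder.FindAll()) {
        # msFVE-RecoveryGuid is a 16-byte octet string holding the protector GUID
        $bytes = [byte[]]$entry.Properties['msfve-recoveryguid'][0]
        New-Object System.Guid -ArgumentList (,$bytes)
    }
}

function Test-RecoveryKeyInAd {
    $inAd = @(Get-AdRecoveryGuids)
    foreach ($p in Get-LocalRecoveryProtectors) {
        Add-Member -InputObject $p -MemberType NoteProperty -Name InAD `
            -Value ($inAd -contains $p.ProtectorId) -PassThru
    }
}

Test-RecoveryKeyInAd | Format-Table DriveLetter, ProtectorId, InAD -AutoSize
```

Because the comparison is on the protector GUID rather than on the presence of any recovery object, a machine whose recovery password was rotated after the last backup shows InAD as False for the current protector, which is exactly the state a re-escrow script would want to target.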
