Getting BitLocker status from clients using Hardware Inventory in Configuration Manager 2007

ListLet’s say that you need to collect the BitLocker Drive Encryption status from the clients in your environment.  You have System Center Configuration Manager 2007 and you’re already using Hardware Inventory, but how do you put it all together?  That’s what I’ll be discussing here.

First are the additions that are required to be made in the SMS_DEF.MOF and the CONFIGURATION.MOF files:

[ SMS_Report (TRUE),
SMS_Group_Name (“Bitlocker”),
SMS_Class_ID (“MICROSOFT|Bitlocker|1.0”)]

class Bitlocker : SMS_Class_Template
[SMS_Report(TRUE), key]
string          DeviceID;
string          DriveLetter;
uint32          ProtectionStatus;

#pragma namespace(“\\\\.\\root\\cimv2”)

[Union,ViewSources{“select * from Win32_EncryptableVolume”},ViewSpaces{“\\\\.\\root\\cimv2\\security\\MicrosoftVolumeEncryption”},
class Bitlocker
    string          DeviceID;
    string          DriveLetter;
    uint32          ProtectionStatus;

Adding these sections to the respective MOFs and saving them should get things started. Once the clients go through their next policy cycle, they will populate this information into WMI. From here on, whenever the inventory cycle runs the information will be collected in the inventory XML and will get sent to the management point for further processing by the dataloader and added to the database for the respective client.  Once the information is in the database, it can be fetched via custom reports. Alternatively, you can also view this information in the resource explorer for the clients.

Most of the times things will not end at just collecting the information using the MOF edit. There will also be a need to get this information reported.  This is actually pretty simple and here are the steps you’ll need to follow to accomplish this:

1. Create a new report and give it a name.

2. Choose the category you want to put it in and then click on Edit SQL Statement.

3. In the SQL Statement box type in the query below:

select sys.Name0, BL.DriveLetter0, BL.ProtectionStatus0 from v_GS_BitLocker BL Join v_r_system sys on sys.ResourceID = BL.ResourceID

Now, there are two things to remember here. One, the name of the table that is being queried for the BitLocker information and second the columns that need to be reported.

The table name will be v_GS_<name of the class in MOF>. For this example, the MOFs I’ve created above have the class name as BitLocker. This is why we have the view we are querying by the name v_GS_BitLocker.

If more information is desired in reports (which is rarely the case), it can be queried using a select query in SQL against the SCCM database to get all the columns of information which are present in the table.  For example:

select * from v_GS_BitLocker

That’s it! Now you’re ready to query and report BitLocker information from clients.

Please note that this solution will only work on Windows 7 and Windows Server 2008 R2 clients and newer. Windows Vista and Windows Server 2008 do not have the ProtectionStatus property under the Win32_EncryptableVolume class found in the root\cimv2\security\MicrosoftVolumeEncryption namespace. For this reason BitLocker status cannot be natively queried for using ConfigMgr Hardware Inventory for Windows Vista and Windows Server 2008 clients. Attempting to use the above MOF modifications on a Windows Vista or Windows Server 2008 client will result in the following error in the InventoryAgent.log:


Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, DeviceID, DriveLetter, ProtectionStatus FROM Bitlocker; Timeout = 600 secs. InventoryAgent
CCollectionTask::ProcessInstances InventoryAgent
Unknown error encountered processing an instance of class Bitlocker: 80041001 InventoryAgent


Please see the following article for more information:

GetProtectionStatus method of the Win32_EncryptableVolume class


Vishal Gupta | Microsoft System Center support

The App-V Team blog:
The WSUS Support Team blog:
The SCMDM Support Team blog:
The ConfigMgr Support Team blog:
The SCOM 2007 Support Team blog:
The SCVMM Team blog:
The MED-V Team blog:
The DPM Team blog:
The OOB Support Team blog:
The Opalis Team blog:

clip_image001 clip_image002