HOWTO: Bitlocker Status Reporting in SCCM 2007
Posted by dvanderuit in Configuration Manager, System Center, Windows 7. Tags: Bitlocker

I recently had to come up with a solution that enables administrators to build reports on clients' BitLocker status. I found a few articles on the web that pointed me in the right direction, but I didn't find a complete howto for it, so that's a good reason for me to post one.
To enable BitLocker status reporting in a centralised management environment with SCCM you need to follow a few steps, because BitLocker is not integrated that far (yet??) into the Windows OS. First, let's take a look at the status information that BitLocker provides:
- Volume name, example: C: [OSDisk]
- Disk size, example: 148,75 GB
- BitLocker Version, example: Windows 7
- Conversion Status, example: Fully Encrypted
- Percentage Encrypted, example: 100%
- Encryption Method, example: AES 128 with Diffuser
- Protection Status, example: Protection On
- Lock Status, example: Unlocked
- Identification Field, example: None
- Key Protectors (Note: multivalue), example: TPM, Numerical Password
You can check the above on Windows 7 clients with the command-line tool manage-bde.exe -status. For Vista clients use cscript manage-bde.wsf -status.
Step 1. Modify and deploy SMS_DEF.MOF
We want bitlocker status information to be inventoried to SCCM. A proper way of doing that would be to add the bitlocker class to the SMS_DEF.MOF file on the management point (found in %SCCMinstallpath%\inboxes\clifiles.src\hinv). Make a copy of this file and edit with your favorite app. Add the following lines at the end of the file:
#pragma deleteclass("SCCM_BitLocker",NOFAIL)
[edit] Make sure to replace any fancy double quotes with normal quotes after copying because otherwise compiling or parsing will fail. Or download this file: bitlocker_mof.
You should check the file for errors with mofcomp.exe -check SMS_DEF.MOF. To enable the MOF file on a single client run the following command on the client mofcomp -class:forceupdate %pathtofile%\SMS_DEF.MOF. Copy the edited file back to enable it on your ConfigMgr site.
Step 2. Install Bitlocker
Create and link a GPO that applies to the BitLocker clients and contains the following settings (or similar ones based on your own requirements):
Machine | Administrative Templates | System | Trusted Platform Module Services
- Turn on TPM backup to Active Directory Domain Services: Enabled

Machine | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives
- Choose how BitLocker-protected operating system drives can be recovered: Enabled
  - Allow data recovery agent: Disabled
  - Configure user storage of BitLocker recovery information: Require 48-digit recovery password; Allow 256-bit recovery key
  - Omit recovery options from the BitLocker setup wizard: Enabled
  - Save BitLocker recovery information to AD DS for operating system drives: Enabled
  - Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
Enter the BIOS on your client, or use a tool like the Dell Client Configuration Utility, to turn on the TPM, clear it and activate it. After doing this, enable BitLocker encryption on the machine. You can use any method to achieve this.
Step 3. Add Bitlocker status to WMI & run hw inventory
Although there are multiple ways of manipulating bitlocker through WMI you still need a script to read, update and store bitlocker status information in the WMI repository (see http://msdn.microsoft.com/en-us/library/aa376409.aspx). This is because Managed Object Format (MOF) files are not installed as part of the Windows SDK and therefore the included classes are not added to the WMI repository automatically by Windows itself.
[update: A handy colleague wrote a powershell version of the script for adding the bitlocker status into WMI with some nice enhancements. All credits go to Daniel Last.]
The scripts (use only one):
- VBS version: UpdateBitlockerStatus.vbs
- Powershell version: Bitlocker_Status.ps1 Bitlocker_Status_v1.1.ps1 [update]
Run the script and then initiate a hardware inventory on the client. Note that the PowerShell version of the script already triggers a hardware inventory. Additionally, the PowerShell script needs to be run with the PowerShell execution policy set to RemoteSigned. Do this with the following cmdlet: Set-ExecutionPolicy RemoteSigned
[edit] You could trigger the inventory from the VBScript by adding this line: WshShell.Run "WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule " & Chr(34) & "{00000000-0000-0000-0000-000000000001}" & Chr(34) & " /NOINTERACTIVE", , True
After a while you will find 2 new tables and 1 new view in the SCCM site database:
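Steps 1 to 3 as one added PowerShell example. This is my own code, not the post's UpdateBitlockerStatus.vbs or Daniel Last's Bitlocker_Status.ps1; the function names are mine, and it assumes an elevated prompt on a Windows 7 client with manage-bde.exe, the ConfigMgr agent and the SCCM_BitLocker class from Step 1 already in SMS_DEF.MOF:

```powershell
# Added example (my own code, not the post's scripts): parse "manage-bde -status", publish the
# result as root\cimv2:SCCM_BitLocker instances that match the SMS_DEF.MOF class from Step 1,
# then trigger the ConfigMgr hardware inventory. Assumes an elevated prompt on a Windows 7 client.

$Namespace  = 'root\cimv2'
$ClassName  = 'SCCM_BitLocker'
# Exactly the properties the MOF declares: no Automatic_Unlock, and ScriptLastRun spelled as in
# the MOF. Extra or misspelled properties make the hardware inventory reject the class.
$Properties = 'Drive','DriveLabel','Size','BitLocker_Version','Conversion_Status',
              'Percentage_Encrypted','Encryption_Method','Protection_Status',
              'Lock_Status','Identification_Field','Key_Protectors','ScriptLastRun'

function ConvertFrom-ManageBdeStatus {
    # Turns the text output of manage-bde -status into one hashtable per volume.
    # Field lines look like "    Size:                 148.75 GB" (values start at column 27);
    # "Key Protectors:" is multi-valued and lists its values on deeper-indented lines below it.
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    $inProtectors = $false
    foreach ($text in $Lines) {
        if ($text -match '^Volume\s+([A-Za-z]:)\s*\[(.*)\]') {
            $current = @{ Drive = $Matches[1]; DriveLabel = $Matches[2]; Key_Protectors = @() }
            $volumes += $current
            $inProtectors = $false
            continue
        }
        if ($null -eq $current) { continue }    # banner lines before the first volume
        if ($text -match '^\s+Key Protectors:\s*(.*)$') {
            if ($Matches[1].Trim()) { $current.Key_Protectors += $Matches[1].Trim() }  # e.g. "None"
            $inProtectors = $true
            continue
        }
        if ($inProtectors -and $text -match '^\s{6,}(\S.*)$') {
            $current.Key_Protectors += $Matches[1].Trim()   # "TPM", "Numerical Password", ...
            continue
        }
        $inProtectors = $false
        if ($text -match '^\s+([A-Za-z ]+):\s*(.*)$') {
            # "BitLocker Version" -> BitLocker_Version, i.e. the MOF property name
            $current[($Matches[1].Trim() -replace ' ', '_')] = $Matches[2].Trim()
        }
    }
    return $volumes
}

function Publish-BitLockerStatus {
    param([object[]]$Volumes)
    # Drop and recreate the class so instances from an earlier run (a removed drive, say) do not linger.
    $old = Get-WmiObject -Namespace $Namespace -List -Class $ClassName -ErrorAction SilentlyContinue
    if ($old) { $old.Delete() }
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    foreach ($p in $Properties) { $class.Properties.Add($p, [System.Management.CimType]::String, $false) }
    $class.Properties['Drive'].Qualifiers.Add('key', $true)
    [void]$class.Put()

    if ($Volumes.Count -eq 0) {
        # manage-bde listed no volumes (it prints "ERROR: ..." when BitLocker or the TPM is unavailable);
        # publish one placeholder row so such machines still appear in the report as Disabled.
        $Volumes = @(@{ Drive = 'None'; DriveLabel = 'None'; Key_Protectors = @() })
    }
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    foreach ($v in $Volumes) {
        $row = @{}
        foreach ($p in $Properties) { $row[$p] = 'Disabled' }   # default for anything not reported
        foreach ($k in @($v.Keys)) {
            if ($k -eq 'Key_Protectors') {
                if ($v[$k].Count -gt 0) { $row[$k] = $v[$k] -join ', ' }
            } elseif ($Properties -contains $k) {
                $row[$k] = [string]$v[$k]                        # silently drops e.g. Automatic_Unlock
            }
        }
        $row['ScriptLastRun'] = $stamp
        [void](Set-WmiInstance -Namespace $Namespace -Class $ClassName -Arguments $row)
    }
}

function Invoke-HardwareInventory {
    # {00000000-0000-0000-0000-000000000001} is the ConfigMgr client's hardware inventory schedule ID.
    [void](Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
               -ArgumentList '{00000000-0000-0000-0000-000000000001}')
}

$raw     = & "$env:SystemRoot\System32\manage-bde.exe" -status 2>&1 | ForEach-Object { [string]$_ }
$volumes = @(ConvertFrom-ManageBdeStatus -Lines @($raw))
Publish-BitLockerStatus -Volumes $volumes
Invoke-HardwareInventory
"Published $($volumes.Count) volume record(s) to $Namespace\$ClassName"
```

After the inventory cycle has run, the same v_GS_SCCM_BitLocker0 view used by the report in Step 4 will contain one row per volume, or one "None"/"Disabled" row for clients without BitLocker.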
Step 4. Create the Report
I created a report in SCCM with the following query:
SELECT v_R_System.Name0 AS Computername,
       v_GS_SCCM_BitLocker0.Bitlocker_Status0 AS [Bitlocker Status],
       v_GS_SCCM_BitLocker0.BitLocker_Version0 AS [Bitlocker Versie],
       v_GS_SCCM_BitLocker0.Conversion_Status0 AS [Conversion Status],
       v_GS_SCCM_BitLocker0.Drive0 AS Drive,
       v_GS_SCCM_BitLocker0.DriveLabel0 AS DriveLabel,
       v_GS_SCCM_BitLocker0.Encryption_Method0 AS [Encryption Method],
       v_GS_SCCM_BitLocker0.Identification_Field0 AS [Identification Field],
       v_GS_SCCM_BitLocker0.Key_Protectors0 AS [Key Protectors],
       v_GS_SCCM_BitLocker0.Percentage_Encrypted0 AS [Percentage Encrypted],
       v_GS_SCCM_BitLocker0.Protection_Status0 AS [Protection Status],
       v_GS_SCCM_BitLocker0.ScriptLastRun0 AS [Script Last Run]
FROM v_GS_SCCM_BitLocker0
INNER JOIN v_R_System ON v_GS_SCCM_BitLocker0.ResourceID = v_R_System.ResourceID
And there it is, the BitLocker report (note: old screenshot based on another query, but more or less similar):
Tested on SCCM R2 with a Windows 7 Enterprise bitlocker client.
Feel free to comment on this post.
Regards,
Douwe van de Ruit
Hi when I run the sql report you provided us, I get this error:
An error occurred when the report was run. The details are as follows:
Invalid object name 'v_GS_SCCM_BitLocker0'.
Error Number: -2147217865
Source: Microsoft OLE DB Provider for SQL Server
Native Error: 208
I need some help ASAP on this… because something I'm doing is not working correctly. Here are the steps I have done.
1 – this is part of my SMS_Def.mof for bitlocker:
//————————————————
// OS Deployment – Bit Locker
//————————————————
[ SMS_Report (TRUE),
SMS_Group_Name ("SCCM_BitLocker"),
SMS_Class_ID ("CUSTOM|SCCM_BitLocker|1.0") ]
class SCCM_BitLocker : SMS_Class_Template
{
[SMS_Report (TRUE), key ]
string Drive;
[SMS_Report (TRUE)]
string DriveLabel;
[SMS_Report (TRUE)]
string Size;
[SMS_Report (TRUE)]
string BitLocker_Version;
[SMS_Report (TRUE)]
string Conversion_Status;
[SMS_Report (TRUE)]
string Percentage_Encrypted;
[SMS_Report (TRUE)]
string Encryption_Method;
[SMS_Report (TRUE)]
string Protection_Status;
[SMS_Report (TRUE)]
string Lock_Status;
[SMS_Report (TRUE)]
string Identification_Field;
[SMS_Report (TRUE)]
string Key_Protectors;
[SMS_Report (TRUE)]
string ScriptLastRun;
};
2 – I placed this on the server side and enabled it by running mofcomp -class:forceupdate sms_def.mof
3 – I also placed this MOF file on my client machine and ran the same command.
4 – After running the MOF command on my client machine, I initiated "Machine Policy Retrieval & Evaluation Cycle".
5 – I ran the VBS script from the web, which reads as follows:
Set WshShell = CreateObject("Wscript.Shell")
On Error Resume Next
Dim strObjects(26,12)
'--------------------------
'Run the Manage-bde.wsf, and put all the information into oExec to pull out later
'--------------------------
Set oExec = WshShell.Exec("cscript //Nologo c:\windows\system32\manage-bde.wsf -status")
drive = ""
drivename = ""
i = 0
Do While Not oExec.StdOut.AtEndOfStream
    '-------------------
    'For each line returned from oExec, check what's in it, and add to an array
    '-------------------
    line = oExec.StdOut.Readline()
    If UCase(Left(line,6)) = "VOLUME" Then
        'New volume: the drive letter is on the "Volume X:" line, the label on the line after it
        i = i + 1
        drive = Mid(line,8,2)
        line = oExec.StdOut.Readline()
        drivename = line
        line = ""
        strObjects(i,0) = drive
        strObjects(i,1) = drivename
        strObjects(i,12) = Now
    End If
    If drive <> "" And Trim(line) <> "" Then
        'Field lines look like "    Size: 148,75 GB"; map "Name With Spaces" to Name_With_Spaces
        parts = Split(line,":")
        Select Case Replace(Trim(parts(0))," ","_")
            Case "Size"
                strObjects(i,2) = Trim(parts(1))
            Case "BitLocker_Version"
                strObjects(i,3) = Trim(parts(1))
            Case "Conversion_Status"
                strObjects(i,4) = Trim(parts(1))
            Case "Percentage_Encrypted"
                strObjects(i,5) = Trim(parts(1))
            Case "Encryption_Method"
                strObjects(i,6) = Trim(parts(1))
            Case "Protection_Status"
                strObjects(i,7) = Trim(parts(1))
            Case "Lock_Status"
                strObjects(i,8) = Trim(parts(1))
            Case "Identification_Field"
                strObjects(i,9) = Trim(parts(1))
            Case "Key_Protectors"
                strObjects(i,10) = Trim(parts(1))
            Case "Automatic_Unlock"
                strObjects(i,11) = Trim(parts(1))
        End Select
    End If
Loop
'------------------
'Create the WMI Namespace
'------------------
Dim wbemCimtypeSint16
Dim wbemCimtypeSint32
Dim wbemCimtypeReal32
Dim wbemCimtypeReal64
Dim wbemCimtypeString
Dim wbemCimtypeBoolean
Dim wbemCimtypeObject
Dim wbemCimtypeSint8
Dim wbemCimtypeUint8
Dim wbemCimtypeUint16
Dim wbemCimtypeUint32
Dim wbemCimtypeSint64
Dim wbemCimtypeUint64
Dim wbemCimtypeDateTime
Dim wbemCimtypeReference
Dim wbemCimtypeChar16
wbemCimtypeSint16 = 2
wbemCimtypeSint32 = 3
wbemCimtypeReal32 = 4
wbemCimtypeReal64 = 5
wbemCimtypeString = 8
wbemCimtypeBoolean = 11
wbemCimtypeObject = 13
wbemCimtypeSint8 = 16
wbemCimtypeUint8 = 17
wbemCimtypeUint16 = 18
wbemCimtypeUint32 = 19
wbemCimtypeSint64 = 20
wbemCimtypeUint64 = 21
wbemCimtypeDateTime = 101
wbemCimtypeReference = 102
wbemCimtypeChar16 = 103
Set oLocation = CreateObject("WbemScripting.SWbemLocator")
'Remove classes
Set oServices = oLocation.ConnectServer(, "root\cimv2")
Set oNewObject = oServices.Get("SCCM_BitLocker")
oNewObject.Delete_
Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
Set oNewObject = oServices.Get("SCCM_BitLocker")
oNewObject.Delete_
'Create data class structure
Set oServices = oLocation.ConnectServer(, "root\cimv2")
Set oDataObject = oServices.Get
oDataObject.Path_.Class = "SCCM_BitLocker"
oDataObject.Properties_.Add "Drive", wbemCimtypeString
oDataObject.Properties_.Add "DriveLabel", wbemCimtypeString
oDataObject.Properties_.Add "Size", wbemCimtypeString
oDataObject.Properties_.Add "BitLocker_Version", wbemCimtypeString
oDataObject.Properties_.Add "Conversion_Status", wbemCimtypeString
oDataObject.Properties_.Add "Percentage_Encrypted", wbemCimtypeString
oDataObject.Properties_.Add "Encryption_Method", wbemCimtypeString
oDataObject.Properties_.Add "Protection_Status", wbemCimtypeString
oDataObject.Properties_.Add "Lock_Status", wbemCimtypeString
oDataObject.Properties_.Add "Identification_Field", wbemCimtypeString
oDataObject.Properties_.Add "Automatic_Unlock", wbemCimtypeString
oDataObject.Properties_.Add "Key_Protectors", wbemCimtypeString
oDataObject.Properties_.Add "ScriptLastRan", wbemCimtypeString
oDataObject.Properties_("Drive").Qualifiers_.Add "key", True
oDataObject.Put_
'------------------------------
'Add Instances to data class
Set oServices = oLocation.ConnectServer(, "root\cimv2")
For j = 1 To i
    Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
    oNewObject.Drive = strObjects(j,0)
    oNewObject.DriveLabel = strObjects(j,1)
    oNewObject.Size = strObjects(j,2)
    oNewObject.BitLocker_Version = strObjects(j,3)
    oNewObject.Conversion_Status = strObjects(j,4)
    oNewObject.Percentage_Encrypted = strObjects(j,5)
    oNewObject.Encryption_Method = strObjects(j,6)
    oNewObject.Protection_Status = strObjects(j,7)
    oNewObject.Lock_Status = strObjects(j,8)
    oNewObject.Identification_Field = strObjects(j,9)
    oNewObject.Key_Protectors = strObjects(j,10)
    oNewObject.Automatic_Unlock = strObjects(j,11)
    oNewObject.ScriptLastRan = strObjects(j,12)
    oNewObject.Put_
    'Uncomment the following lines for troubleshooting interactively
    ' WScript.Echo strObjects(j,0) & ", " & _
    '     strObjects(j,1) & ", " & _
    '     strObjects(j,2) & ", " & _
    '     strObjects(j,3) & ", " & _
    '     strObjects(j,4) & ", " & _
    '     strObjects(j,5) & ", " & _
    '     strObjects(j,6) & ", " & _
    '     strObjects(j,7) & ", " & _
    '     strObjects(j,8) & ", " & _
    '     strObjects(j,9) & ", " & _
    '     strObjects(j,10) & ", " & _
    '     strObjects(j,11) & ", " & _
    '     strObjects(j,12)
Next
6 – I then made SCCM run an inventory instead of waiting for it to do it a day later.
Issues:
The issue I'm having is that after doing all of this, I'm still not seeing the DBs that it should create. What am I missing or what am I doing wrong? Please send me some steps to have this corrected. Thanks again.
Please help!!!
Report should be
SELECT v_R_System.Name0 AS [Computername],
       v_GS_SCCM_BitLocker0.BitLocker_Version0 AS [Bitlocker Version],
       v_GS_SCCM_BitLocker0.Conversion_Status0 AS [Conversion Status],
       v_GS_SCCM_BitLocker0.Drive0 AS [Drive],
       v_GS_SCCM_BitLocker0.DriveLabel0 AS [DriveLabel],
       v_GS_SCCM_BitLocker0.Size0 AS [Size],
       v_GS_SCCM_BitLocker0.Encryption_Method0 AS [Encryption Method],
       v_GS_SCCM_BitLocker0.Identification_Field0 AS [Identification Field],
       v_GS_SCCM_BitLocker0.Key_Protectors0 AS [Key Protectors],
       v_GS_SCCM_BitLocker0.Lock_Status0 AS [Lock Status],
       v_GS_SCCM_BitLocker0.Percentage_Encrypted0 AS [Percentage Encrypted],
       v_GS_SCCM_BitLocker0.Protection_Status0 AS [Protection Status],
       v_GS_SCCM_BitLocker0.ScriptLastRan0 AS [Script Last Run]
FROM v_GS_SCCM_BitLocker0
INNER JOIN v_R_System ON v_GS_SCCM_BitLocker0.ResourceID = v_R_System.ResourceID
The information here is very good, but when I ran the two scripts I had issues with them. The VB script uses ScriptLastRan and the PS uses ScriptLastRun, which is in the bitlocker.mof also. The inclusion of the Automatic_Unlock attribute in the VB script is not needed, nor in the mof file either, unless you want to find USB or non-C: drives that are encrypted or encryptable. It is not in the PS script as an attribute as well. It really only shows for removable drives on your system. The issue will cause the script to run and populate the WMI class, but the SCCM hardware inventory will fail if the Automatic_Unlock attribute is in the MOF or if the ScriptLastRan is not changed to ScriptLastRun. Once you get SCCM inventory to pull in a record it will create the tables using the MOF attributes. The VB script as downloaded does not pick up the Key_Protectors; could be an SP1 issue on Win7. I enhanced the VB script to catch the attributes and to work with non-TPM-enabled systems: it picks the error up and fills the fields with "Disabled", except for the time stamp.
Set WshShell = CreateObject("Wscript.Shell")
' this error resume stops issues with the class not existing and erroring script
On Error Resume Next
Dim strObjects(26,12), Noenable
Dim wbemCimtypeSint16
Dim wbemCimtypeSint32
Dim wbemCimtypeReal32
Dim wbemCimtypeReal64
Dim wbemCimtypeString
Dim wbemCimtypeBoolean
Dim wbemCimtypeObject
Dim wbemCimtypeSint8
Dim wbemCimtypeUint8
Dim wbemCimtypeUint16
Dim wbemCimtypeUint32
Dim wbemCimtypeSint64
Dim wbemCimtypeUint64
Dim wbemCimtypeDateTime
Dim wbemCimtypeReference
Dim wbemCimtypeChar16
wbemCimtypeSint16 = 2
wbemCimtypeSint32 = 3
wbemCimtypeReal32 = 4
wbemCimtypeReal64 = 5
wbemCimtypeString = 8
wbemCimtypeBoolean = 11
wbemCimtypeObject = 13
wbemCimtypeSint8 = 16
wbemCimtypeUint8 = 17
wbemCimtypeUint16 = 18
wbemCimtypeUint32 = 19
wbemCimtypeSint64 = 20
wbemCimtypeUint64 = 21
wbemCimtypeDateTime = 101
wbemCimtypeReference = 102
wbemCimtypeChar16 = 103
'--------------------------
'Run the Manage-bde.wsf, and put all the information into oExec to pull out later
'--------------------------
Set oExec = WshShell.Exec("cscript //Nologo c:\windows\system32\manage-bde.wsf -status")
drive = ""
drivename = ""
Bitlocker_Status = "Disabled"
i = 0
Do While Not oExec.StdOut.AtEndOfStream
    '-------------------
    'For each line returned from oExec, check what's in it, and add to an array
    '-------------------
    line = oExec.StdOut.Readline()
    If UCase(Left(line,5)) = "ERROR" Then
        'manage-bde reported an error (no TPM / BitLocker unavailable): write a single "Disabled" record
        Noenable = "True"
        ' WScript.Echo UCase(Left(line,5))
        ' WScript.Echo "1"
        Set oLocation = CreateObject("WbemScripting.SWbemLocator")
        ' WScript.Echo "2"
        'Remove classes
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        'WScript.Echo "3.1"
        Set oNewObject = oServices.Get("SCCM_BitLocker")
        oNewObject.Delete_
        'WScript.Echo "3"
        Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
        Set oNewObject = oServices.Get("SCCM_BitLocker")
        oNewObject.Delete_
        'WScript.Echo "4"
        'Create data class structure
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        Set oDataObject = oServices.Get
        oDataObject.Path_.Class = "SCCM_BitLocker"
        oDataObject.Properties_.Add "Drive", wbemCimtypeString
        oDataObject.Properties_.Add "DriveLabel", wbemCimtypeString
        oDataObject.Properties_.Add "Size", wbemCimtypeString
        oDataObject.Properties_.Add "BitLocker_Version", wbemCimtypeString
        oDataObject.Properties_.Add "Conversion_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Percentage_Encrypted", wbemCimtypeString
        oDataObject.Properties_.Add "Encryption_Method", wbemCimtypeString
        oDataObject.Properties_.Add "Protection_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Lock_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Identification_Field", wbemCimtypeString
        oDataObject.Properties_.Add "Bitlocker_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Key_Protectors", wbemCimtypeString
        oDataObject.Properties_.Add "ScriptLastRun", wbemCimtypeString
        oDataObject.Properties_("Bitlocker_Status").Qualifiers_.Add "key", True
        oDataObject.Put_
        ' WScript.Echo "5"
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        ' WScript.Echo "6"
        Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
        oNewObject.Drive = "Disabled"
        oNewObject.DriveLabel = "Disabled"
        oNewObject.Size = "Disabled"
        oNewObject.BitLocker_Version = "Disabled"
        oNewObject.Conversion_Status = "Disabled"
        oNewObject.Percentage_Encrypted = "Disabled"
        oNewObject.Encryption_Method = "Disabled"
        oNewObject.Protection_Status = "Disabled"
        oNewObject.Lock_Status = "Disabled"
        oNewObject.Identification_Field = "Disabled"
        oNewObject.Key_Protectors = "Disabled"
        oNewObject.Bitlocker_Status = "Disabled"
        oNewObject.ScriptLastRun = Now
        oNewObject.Put_
        ' WScript.Echo "7"
        Exit Do
        ' WScript.Echo "8"
    Else
        If UCase(Left(line,6)) = "VOLUME" Then
            'New volume: "Volume C: [OSDisk]" carries both the drive letter and the label
            i = i + 1
            drive = Mid(line,8,2)
            ' line = oExec.StdOut.Readline()
            drivename = Mid(line,12,Len(line)-12)
            line = ""
            strObjects(i,0) = drive
            strObjects(i,1) = drivename
            strObjects(i,11) = Now
            If drive = "C:" Then
                Bitlocker_Status = "Enabled"
                strObjects(i,12) = Bitlocker_Status
            Else
                strObjects(i,12) = Bitlocker_Status
            End If
        End If
    End If
    If drive <> "" And Trim(line) <> "" Then
        parts = Split(line,":")
        Select Case Replace(Trim(parts(0))," ","_")
            Case "Size"
                strObjects(i,2) = Trim(parts(1))
                ' WScript.Echo Len(parts(1))
                ' WScript.Echo parts(1)
                ' WScript.Echo strObjects(i,2)
                ' WScript.Echo Len(strObjects(i,2))
            Case "BitLocker_Version"
                strObjects(i,3) = Trim(parts(1))
            Case "Conversion_Status"
                strObjects(i,4) = Trim(parts(1))
            Case "Percentage_Encrypted"
                strObjects(i,5) = Trim(parts(1))
            Case "Encryption_Method"
                strObjects(i,6) = Trim(parts(1))
            Case "Protection_Status"
                strObjects(i,7) = Trim(parts(1))
            Case "Lock_Status"
                strObjects(i,8) = Trim(parts(1))
            Case "Identification_Field"
                strObjects(i,9) = Trim(parts(1))
            Case "Key_Protectors"
                ' WScript.Echo line
                ' WScript.Echo parts(1)
                ' WScript.Echo Len(line)
                If Len(line) = 26 Then
                    'Nothing after "Key Protectors:" on this line: the protectors follow, one per line
                    line = oExec.StdOut.Readline()
                    ' WScript.Echo line
                    j = 1
                    Do While Trim(line) <> ""
                        If j = 1 Then
                            strObjects(i,10) = Trim(line)
                            j = j + 1
                        Else
                            strObjects(i,10) = Trim(line) & ", " & strObjects(i,10)
                        End If
                        line = oExec.StdOut.Readline()
                        ' WScript.Echo strObjects(i,10)
                        ' WScript.Echo (i)
                    Loop
                Else
                    strObjects(i,10) = Trim(parts(1))
                End If
            ' Case "Automatic_Unlock"
            '     strObjects(i,11) = Trim(parts(1))
        End Select
    End If
Loop
If Noenable <> "True" Then
    '------------------
    'Create the WMI Namespace
    '------------------
    Set oLocation = CreateObject("WbemScripting.SWbemLocator")
    'Remove classes
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    Set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
    Set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    'Create data class structure
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    Set oDataObject = oServices.Get
    oDataObject.Path_.Class = "SCCM_BitLocker"
    oDataObject.Properties_.Add "Drive", wbemCimtypeString
    oDataObject.Properties_.Add "DriveLabel", wbemCimtypeString
    oDataObject.Properties_.Add "Size", wbemCimtypeString
    oDataObject.Properties_.Add "BitLocker_Version", wbemCimtypeString
    oDataObject.Properties_.Add "Conversion_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Percentage_Encrypted", wbemCimtypeString
    oDataObject.Properties_.Add "Encryption_Method", wbemCimtypeString
    oDataObject.Properties_.Add "Protection_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Lock_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Identification_Field", wbemCimtypeString
    oDataObject.Properties_.Add "Bitlocker_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Key_Protectors", wbemCimtypeString
    oDataObject.Properties_.Add "ScriptLastRun", wbemCimtypeString
    oDataObject.Properties_("Drive").Qualifiers_.Add "key", True
    oDataObject.Put_
    '------------------------------
    'Add Instances to data class
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    For j = 1 To i
        Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
        oNewObject.Drive = strObjects(j,0)
        oNewObject.DriveLabel = strObjects(j,1)
        oNewObject.Size = strObjects(j,2)
        oNewObject.BitLocker_Version = strObjects(j,3)
        oNewObject.Conversion_Status = strObjects(j,4)
        oNewObject.Percentage_Encrypted = strObjects(j,5)
        oNewObject.Encryption_Method = strObjects(j,6)
        oNewObject.Protection_Status = strObjects(j,7)
        oNewObject.Lock_Status = strObjects(j,8)
        oNewObject.Identification_Field = strObjects(j,9)
        oNewObject.Key_Protectors = strObjects(j,10)
        oNewObject.Bitlocker_Status = strObjects(j,12)
        oNewObject.ScriptLastRun = strObjects(j,11)
        oNewObject.Put_
        'Uncomment the following lines for troubleshooting interactively
        'WScript.Echo strObjects(j,0) & ", " & _
        '    strObjects(j,1) & ", " & _
        '    strObjects(j,2) & ", " & _
        '    strObjects(j,3) & ", " & _
        '    strObjects(j,4) & ", " & _
        '    strObjects(j,5) & ", " & _
        '    strObjects(j,6) & ", " & _
        '    strObjects(j,7) & ", " & _
        '    strObjects(j,8) & ", " & _
        '    strObjects(j,9) & ", " & _
        '    strObjects(j,10) & ", " & _
        '    strObjects(j,11) & ", " & _
        '    strObjects(j,12)
    Next
End If
Hope this helps. Check attribute names in scripts and the number of attributes in the mof and the issues will go away (no errors in the WMI query in the hardware inventory). You can also use the \root\cimv2\security\microsofttpm wmi namespace with the win32_tpm class to get status and even turn on/off TPM in the bios.
Hi BPODFW
Your changes are exactly what I have found too (and have been putting up with in regards to disabled TPM).
Do you have a complete copy of your updated script rather than just the changes?
What about in PowerShell – I don’t suppose anyone has created a new master PS script with the changes that BPODFW has kindly done?
Regards
Sorry BPODFW, I realise now that your script IS the entire script, however the format on this web page converts characters incorrectly (e.g. ‘ instead of ') and I can't run the script without errors (even when replacing the illegal characters). It also appears to be missing characters in some areas that the original script had?
Do you have a complete script that you can share rather than as text on this web page?
Thanks
Set WshShell = CreateObject("Wscript.Shell")
'----- this error resume stops issues with the class not existing and erroring script
On Error Resume Next
Dim strObjects(26,12), Noenable
Dim wbemCimtypeSint16
Dim wbemCimtypeSint32
Dim wbemCimtypeReal32
Dim wbemCimtypeReal64
Dim wbemCimtypeString
Dim wbemCimtypeBoolean
Dim wbemCimtypeObject
Dim wbemCimtypeSint8
Dim wbemCimtypeUint8
Dim wbemCimtypeUint16
Dim wbemCimtypeUint32
Dim wbemCimtypeSint64
Dim wbemCimtypeUint64
Dim wbemCimtypeDateTime
Dim wbemCimtypeReference
Dim wbemCimtypeChar16
wbemCimtypeSint16 = 2
wbemCimtypeSint32 = 3
wbemCimtypeReal32 = 4
wbemCimtypeReal64 = 5
wbemCimtypeString = 8
wbemCimtypeBoolean = 11
wbemCimtypeObject = 13
wbemCimtypeSint8 = 16
wbemCimtypeUint8 = 17
wbemCimtypeUint16 = 18
wbemCimtypeUint32 = 19
wbemCimtypeSint64 = 20
wbemCimtypeUint64 = 21
wbemCimtypeDateTime = 101
wbemCimtypeReference = 102
wbemCimtypeChar16 = 103
'--------------------------
'Run the Manage-bde.wsf, and put all the information into oExec to pull out later
'--------------------------
Set oExec = WshShell.Exec("cscript //Nologo c:\windows\system32\manage-bde.wsf -status")
drive = ""
drivename = ""
Bitlocker_Status = "Disabled"
i = 0
Do While Not oExec.StdOut.AtEndOfStream
    '-------------------
    'For each line returned from oExec, check what's in it, and add to an array
    '-------------------
    line = oExec.StdOut.Readline()
    If UCase(Left(line,5)) = "ERROR" Then
        'manage-bde reported an error (no TPM / BitLocker unavailable): write a single "Disabled" record
        Noenable = "True"
        Set oLocation = CreateObject("WbemScripting.SWbemLocator")
        '------Remove classes
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        Set oNewObject = oServices.Get("SCCM_BitLocker")
        oNewObject.Delete_
        Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
        Set oNewObject = oServices.Get("SCCM_BitLocker")
        oNewObject.Delete_
        '-----Create data class structure
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        Set oDataObject = oServices.Get
        oDataObject.Path_.Class = "SCCM_BitLocker"
        oDataObject.Properties_.Add "Drive", wbemCimtypeString
        oDataObject.Properties_.Add "DriveLabel", wbemCimtypeString
        oDataObject.Properties_.Add "Size", wbemCimtypeString
        oDataObject.Properties_.Add "BitLocker_Version", wbemCimtypeString
        oDataObject.Properties_.Add "Conversion_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Percentage_Encrypted", wbemCimtypeString
        oDataObject.Properties_.Add "Encryption_Method", wbemCimtypeString
        oDataObject.Properties_.Add "Protection_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Lock_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Identification_Field", wbemCimtypeString
        oDataObject.Properties_.Add "Bitlocker_Status", wbemCimtypeString
        oDataObject.Properties_.Add "Key_Protectors", wbemCimtypeString
        oDataObject.Properties_.Add "ScriptLastRun", wbemCimtypeString
        oDataObject.Properties_("Bitlocker_Status").Qualifiers_.Add "key", True
        oDataObject.Put_
        Set oServices = oLocation.ConnectServer(, "root\cimv2")
        Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
        oNewObject.Drive = "Disabled"
        oNewObject.DriveLabel = "Disabled"
        oNewObject.Size = "Disabled"
        oNewObject.BitLocker_Version = "Disabled"
        oNewObject.Conversion_Status = "Disabled"
        oNewObject.Percentage_Encrypted = "Disabled"
        oNewObject.Encryption_Method = "Disabled"
        oNewObject.Protection_Status = "Disabled"
        oNewObject.Lock_Status = "Disabled"
        oNewObject.Identification_Field = "Disabled"
        oNewObject.Key_Protectors = "Disabled"
        oNewObject.Bitlocker_Status = "Disabled"
        oNewObject.ScriptLastRun = Now
        oNewObject.Put_
        Exit Do
    Else
        If UCase(Left(line,6)) = "VOLUME" Then
            'New volume: "Volume C: [OSDisk]" carries both the drive letter and the label
            i = i + 1
            drive = Mid(line,8,2)
            drivename = Mid(line,12,Len(line)-12)
            line = ""
            strObjects(i,0) = drive
            strObjects(i,1) = drivename
            strObjects(i,11) = Now
            If drive = "C:" Then
                Bitlocker_Status = "Enabled"
                strObjects(i,12) = "Enabled"
            Else
                strObjects(i,12) = "Disabled"
            End If
        End If
    End If
    If drive <> "" And Trim(line) <> "" Then
        parts = Split(line,":")
        Select Case Replace(Trim(parts(0))," ","_")
            Case "Size"
                strObjects(i,2) = Trim(parts(1))
            Case "BitLocker_Version"
                strObjects(i,3) = Trim(parts(1))
            Case "Conversion_Status"
                strObjects(i,4) = Trim(parts(1))
            Case "Percentage_Encrypted"
                strObjects(i,5) = Trim(parts(1))
            Case "Encryption_Method"
                strObjects(i,6) = Trim(parts(1))
            Case "Protection_Status"
                strObjects(i,7) = Trim(parts(1))
            Case "Lock_Status"
                strObjects(i,8) = Trim(parts(1))
            Case "Identification_Field"
                strObjects(i,9) = Trim(parts(1))
            Case "Key_Protectors"
                If Len(line) = 26 Then
                    'Nothing after "Key Protectors:" on this line: the protectors follow, one per line
                    line = oExec.StdOut.Readline()
                    j = 1
                    Do While Trim(line) <> ""
                        If j = 1 Then
                            strObjects(i,10) = Trim(line)
                            j = j + 1
                        Else
                            strObjects(i,10) = Trim(line) & ", " & strObjects(i,10)
                        End If
                        line = oExec.StdOut.Readline()
                    Loop
                Else
                    strObjects(i,10) = Trim(parts(1))
                End If
        End Select
    End If
Loop
If Noenable <> "True" Then
    '------------------
    'Create the WMI Namespace
    '------------------
    Set oLocation = CreateObject("WbemScripting.SWbemLocator")
    '---Remove classes
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    Set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
    Set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    '---Create data class structure
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    Set oDataObject = oServices.Get
    oDataObject.Path_.Class = "SCCM_BitLocker"
    oDataObject.Properties_.Add "Drive", wbemCimtypeString
    oDataObject.Properties_.Add "DriveLabel", wbemCimtypeString
    oDataObject.Properties_.Add "Size", wbemCimtypeString
    oDataObject.Properties_.Add "BitLocker_Version", wbemCimtypeString
    oDataObject.Properties_.Add "Conversion_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Percentage_Encrypted", wbemCimtypeString
    oDataObject.Properties_.Add "Encryption_Method", wbemCimtypeString
    oDataObject.Properties_.Add "Protection_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Lock_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Identification_Field", wbemCimtypeString
    oDataObject.Properties_.Add "Bitlocker_Status", wbemCimtypeString
    oDataObject.Properties_.Add "Key_Protectors", wbemCimtypeString
    oDataObject.Properties_.Add "ScriptLastRun", wbemCimtypeString
    oDataObject.Properties_("Drive").Qualifiers_.Add "key", True
    oDataObject.Put_
    '------------------------------
    'Add Instances to data class
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    For j = 1 To i
        Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
        oNewObject.Drive = strObjects(j,0)
        oNewObject.DriveLabel = strObjects(j,1)
        oNewObject.Size = strObjects(j,2)
        oNewObject.BitLocker_Version = strObjects(j,3)
        oNewObject.Conversion_Status = strObjects(j,4)
        oNewObject.Percentage_Encrypted = strObjects(j,5)
        oNewObject.Encryption_Method = strObjects(j,6)
        oNewObject.Protection_Status = strObjects(j,7)
        oNewObject.Lock_Status = strObjects(j,8)
        oNewObject.Identification_Field = strObjects(j,9)
        oNewObject.Key_Protectors = strObjects(j,10)
        oNewObject.Bitlocker_Status = strObjects(j,12)
        oNewObject.ScriptLastRun = strObjects(j,11)
        oNewObject.Put_
        'Uncomment the following lines for troubleshooting interactively
        'WScript.Echo strObjects(j,0) & ", " & _
        '    strObjects(j,1) & ", " & _
        '    strObjects(j,2) & ", " & _
        '    strObjects(j,3) & ", " & _
        '    strObjects(j,4) & ", " & _
        '    strObjects(j,5) & ", " & _
        '    strObjects(j,6) & ", " & _
        '    strObjects(j,7) & ", " & _
        '    strObjects(j,8) & ", " & _
        '    strObjects(j,9) & ", " & _
        '    strObjects(j,10) & ", " & _
        '    strObjects(j,11) & ", " & _
        '    strObjects(j,12)
    Next
End If
The script below will use the microsoft security namespace to talk to the BIOS through the TPM management provider in windows and give you TPM info for the pc. You can even enable TPM with the proper commands in the MicrosoftTpm class.
Set WshShell = CreateObject("Wscript.Shell")
'---- this error resume stops issues with the class not existing and erroring script
On Error Resume Next
Dim strComputer, objWMIService, colItems
Dim strObjects(8)
'---- set WMI path
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftTpm")
Set colItems = objWMIService.ExecQuery("Select * from Win32_TPM",,48)
For Each objItem In colItems
    'One Win32_TPM instance exists only when a TPM is present and enabled in the BIOS
    strObjects(0) = objItem.IsActivated_InitialValue
    strObjects(1) = objItem.IsEnabled_InitialValue
    strObjects(2) = objItem.IsOwned_InitialValue
    strObjects(3) = objItem.ManufacturerId
    strObjects(4) = objItem.ManufacturerVersion
    strObjects(5) = objItem.ManufacturerVersionInfo
    strObjects(6) = objItem.PhysicalPresenceVersionInfo
    strObjects(7) = objItem.SpecVersion
    WScript.Echo "TPM enabled in BIOS"
    'Echo the collected values (comment the following lines out to run silently)
    WScript.Echo strObjects(0) & ", " & _
        strObjects(1) & ", " & _
        strObjects(2) & ", " & _
        strObjects(3) & ", " & _
        strObjects(4) & ", " & _
        strObjects(5) & ", " & _
        strObjects(6) & ", " & _
        strObjects(7)
Next
If (strObjects(1) = "") Then
    WScript.Echo "TPM disabled in BIOS"
End If
if drive "" then
if drive "" and trim(line) "" then
Do While trim(line) ""
are not equals before ""