I recently had to come up with a solution that enables administrators to build reports on clients' BitLocker status. To do so I found a few articles on the web that pointed me in the right direction, but I didn't find a complete how-to, so that's a good reason for me to post one.

To enable BitLocker status reporting in a centralised management environment with SCCM you need to follow a few steps, because BitLocker is not integrated that far (yet?) into the Windows OS: its status is not collected by the default hardware inventory. First, let's take a look at the status information that BitLocker provides:

  • Volume name, example: C: [OSDisk]
  • Disk size, example: 148,75 GB
  • BitLocker Version, example: Windows 7
  • Conversion Status, example: Fully Encrypted
  • Percentage Encrypted, example: 100%
  • Encryption Method, example: AES 128 with Diffuser
  • Protection Status, example: Protection On
  • Lock Status, example: Unlocked
  • Identification Field, example: None
  • Key Protectors (Note: multivalue), example: TPM, Numerical Password

You can check the above on clients with the command-line tool manage-bde.exe -status on Windows 7. On Vista clients use cscript manage-bde.wsf -status. The scripts in Step 3 parse exactly this output, so the field labels shown here are the ones they look for.

Step 1. Modify and deploy SMS_DEF.MOF

We want the BitLocker status information to be inventoried by SCCM. The proper way of doing that is to add a BitLocker class to the SMS_DEF.MOF file on the site server (found in %SCCMinstallpath%\inboxes\clifiles.src\hinv). Make a backup copy of this file first, then edit it with your favourite editor and add the following lines at the end of the file:

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")   // make sure to use normal (straight) quotes!
#pragma deleteclass("SCCM_BitLocker", NOFAIL)
[ SMS_Report     (TRUE),
  SMS_Group_Name ("SCCM_BitLocker"),
  SMS_Class_ID   ("CUSTOM|SCCM_BitLocker|1.0") ]
class SCCM_BitLocker : SMS_Class_Template
{
    // The client-side script must populate every property below under exactly these
    // names (ScriptLastRun, not ScriptLastRan; Automatic_Unlock included). If the WMI
    // class on the client lacks one of them, the inventory agent's query against the
    // class fails and nothing for this class reaches the site database.
    [SMS_Report (TRUE), key ] string Drive;
    [SMS_Report (TRUE)] string DriveLabel;
    [SMS_Report (TRUE)] string Size;
    [SMS_Report (TRUE)] string BitLocker_Version;
    [SMS_Report (TRUE)] string Conversion_Status;
    [SMS_Report (TRUE)] string Percentage_Encrypted;
    [SMS_Report (TRUE)] string Encryption_Method;
    [SMS_Report (TRUE)] string Protection_Status;
    [SMS_Report (TRUE)] string Lock_Status;
    [SMS_Report (TRUE)] string Identification_Field;
    [SMS_Report (TRUE)] string Key_Protectors;
    [SMS_Report (TRUE)] string Automatic_Unlock;
    [SMS_Report (TRUE)] string ScriptLastRun;
};

[edit] After copying, make sure to replace any fancy ("smart") double quotes with normal straight quotes, otherwise mofcomp fails with "error SYNTAX 0X80044013: Invalid namespace path syntax" (the #pragma namespace line is the usual culprit). Or download this file: bitlocker_mof.

Check the file for errors with mofcomp.exe -check SMS_DEF.MOF; a good file reports "MOF file has been successfully parsed". To load the class on a single test client, run mofcomp -class:forceupdate %pathtofile%\SMS_DEF.MOF on that client. To enable it for the whole site, copy the edited file back into the hinv folder on the site server; the Inventory Data Loader processes it, so watch dataldr.log for errors.

Step 2. Install Bitlocker

Create and link a GPO that applies to the BitLocker clients and contains the following settings (or similar settings based on your own requirements):

Machine | Administrative Templates | System | Trusted Platform Module Services
  • Turn on TPM backup to Active Directory Domain Services: Enabled

Machine | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives
  • Choose how BitLocker-protected operating system drives can be recovered: Enabled
      • Allow data recovery agent: Disabled
      • Configure user storage of BitLocker recovery information: Require 48-digit recovery password; Allow 256-bit recovery key
      • Omit recovery options from the BitLocker setup wizard: Enabled
      • Save BitLocker recovery information to AD DS for operating system drives: Enabled
      • Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
      • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled

A note on the last setting: with it Disabled, a client that cannot reach a domain controller when encryption is turned on (a laptop encrypted off the network, for example) still encrypts, and its recovery information is not written to AD DS unless you back it up afterwards (manage-bde -protectors -adbackup). If AD DS is your only recovery store, set it to Enabled so that encryption does not start before the recovery information has been escrowed.

Enter the BIOS on your client, or use a tool like the Dell Client Configuration Utility, to turn on the TPM, clear it and activate it. After that, enable BitLocker encryption on the machine; you can use any method to achieve this.

Step 3. Add Bitlocker status to WMI & run hw inventory

BitLocker has its own WMI provider (see http://msdn.microsoft.com/en-us/library/aa376409.aspx), but the SCCM hardware inventory collects the SCCM_BitLocker class we defined in Step 1, and that class is a plain static class in root\cimv2: Windows does not fill it in and nothing keeps it current. You therefore need a script that reads the status (manage-bde -status), creates the class in the WMI repository if it does not exist yet and writes one instance per volume into it. The stored values are a snapshot, so the script has to be rerun whenever you want the inventory to reflect the current state.

[update: A handy colleague wrote a PowerShell version of the script that adds the BitLocker status to WMI, with some nice enhancements. All credits go to Daniel Last.]

The scripts (use only one):

Run the script on each client and then initiate a hardware inventory on that client; since the script only stores a snapshot, run it again (for example as a ConfigMgr program or scheduled task) whenever you want fresh data. The PowerShell version of the script already triggers a hardware inventory. It also needs the PowerShell execution policy set to RemoteSigned, using the following cmdlet: Set-ExecutionPolicy RemoteSigned. Two things to check when nothing shows up in the database: the WMI class the script writes must carry exactly the property names declared in SMS_DEF.MOF (ScriptLastRun, not ScriptLastRan, and Automatic_Unlock must be present), otherwise InventoryAgent.log on the client reports "Unknown error encountered processing an instance of class SCCM_BitLocker: 80041017" and the class is not sent; and the scripts match the English manage-bde output, so clients running another display language report empty values.

[edit] You could trigger the inventory in the VBScript by adding this line: WshShell.Run "WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule " & Chr(34) & "{00000000-0000-0000-0000-000000000001}" & Chr(34) & " /NOINTERACTIVE", , True
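The following PowerShell script is an added example written for this page; it is neither the VBScript nor Daniel Last's PowerShell script that the post links to. It does what Step 3 describes: it parses the manage-bde -status output listed at the top of the post into the fields of the SMS_DEF.MOF class from Step 1, stores them in a static WMI class root\cimv2:SCCM_BitLocker and triggers the hardware inventory cycle. Assumptions: Windows 7 with manage-bde.exe on the path and English output (the field labels are matched literally), a ConfigMgr 2007 client (root\ccm namespace), and a MOF extended exactly as shown above, property names included.

```powershell
# Added example, not one of the scripts from the original post. Assumes Windows 7, English
# manage-bde output, a ConfigMgr 2007 client and the SMS_DEF.MOF extension from Step 1.
$Namespace = 'root\cimv2'
$ClassName = 'SCCM_BitLocker'

# Every property declared in SMS_DEF.MOF must exist on the WMI class, otherwise the
# inventory agent's WQL query fails (InventoryAgent.log: 80041017 = WBEM_E_INVALID_QUERY).
$Properties = @('Drive', 'DriveLabel', 'Size', 'BitLocker_Version', 'Conversion_Status',
                'Percentage_Encrypted', 'Encryption_Method', 'Protection_Status',
                'Lock_Status', 'Identification_Field', 'Key_Protectors',
                'Automatic_Unlock', 'ScriptLastRun')

# Labels as printed by "manage-bde -status" (English) mapped to the MOF property names.
$FieldMap = @{
    'Size' = 'Size';                            'BitLocker Version'    = 'BitLocker_Version'
    'Conversion Status' = 'Conversion_Status';  'Percentage Encrypted' = 'Percentage_Encrypted'
    'Encryption Method' = 'Encryption_Method';  'Protection Status'    = 'Protection_Status'
    'Lock Status' = 'Lock_Status';              'Identification Field' = 'Identification_Field'
    'Automatic Unlock' = 'Automatic_Unlock'
}

function ConvertFrom-ManageBdeStatus {
    # One hashtable per "Volume X: [label]" block. Key Protectors is multi-valued in the
    # output (one protector per indented line) and is joined into one comma-separated
    # string because the MOF declares it as a plain string.
    param([string[]]$Lines)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($line -match '^Volume\s+([A-Z]:)\s*(?:\[(.*)\])?') {
            if ($current) { $volumes += $current }
            $current = @{}
            foreach ($p in $Properties) { $current[$p] = '' }   # never leave a MOF property unset
            $current['Drive'] = $matches[1]
            if ($matches[2]) { $current['DriveLabel'] = $matches[2] }
            $current['ScriptLastRun'] = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
            $inProtectors = $false
            continue
        }
        if (-not $current) { continue }                       # banner lines before the first volume
        if ($line -match '^\s+Key Protectors:\s*(.*)$') {     # either "None Found" or a list follows
            $inProtectors = $true
            $current['Key_Protectors'] = $matches[1].Trim()
            continue
        }
        if ($line -match '^\s+([A-Za-z ]+):\s+(.*)$' -and $FieldMap.ContainsKey($matches[1].Trim())) {
            $inProtectors = $false
            $current[$FieldMap[$matches[1].Trim()]] = $matches[2].Trim()
            continue
        }
        if ($inProtectors -and $line -match '^\s{6,}(\S.*)$') {   # protector entries are indented deeper
            if ($current['Key_Protectors']) { $current['Key_Protectors'] += ', ' + $matches[1].Trim() }
            else { $current['Key_Protectors'] = $matches[1].Trim() }
        }
    }
    if ($current) { $volumes += $current }
    return ,$volumes
}

function New-BitLockerWmiClass {
    # (Re)creates the static class so that its property set always matches the MOF.
    $old = Get-WmiObject -Namespace $Namespace -List -Class $ClassName -ErrorAction SilentlyContinue
    if ($old) { $old.Delete() }
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    $class.Qualifiers.Add('Static', $true) | Out-Null
    foreach ($p in $Properties) {
        $class.Properties.Add($p, [System.Management.CimType]::String, $false)
        if ($p -eq 'Drive') { $class.Properties[$p].Qualifiers.Add('key', $true) | Out-Null }  # key as in the MOF
    }
    $class.Put() | Out-Null
    return $class
}

function Write-BitLockerStatus {
    # Writes one instance per volume; string-casts so $null never reaches a WMI property.
    param([hashtable[]]$Volumes)
    $class = New-BitLockerWmiClass
    foreach ($v in $Volumes) {
        $inst = $class.CreateInstance()
        foreach ($p in $Properties) { $inst[$p] = [string]$v[$p] }
        $inst.Put() | Out-Null
    }
}

function Start-HardwareInventory {
    # Same schedule ID as the WMIC call in the post: the Hardware Inventory Cycle.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
                     -ArgumentList '{00000000-0000-0000-0000-000000000001}' | Out-Null
}

$volumes = ConvertFrom-ManageBdeStatus -Lines (& manage-bde.exe -status | ForEach-Object { "$_" })
Write-BitLockerStatus -Volumes $volumes
Start-HardwareInventory
Get-WmiObject -Namespace $Namespace -Class $ClassName |
    Format-Table Drive, Conversion_Status, Protection_Status, Key_Protectors -AutoSize
```

Run it elevated (both manage-bde.exe and writing to root\cimv2 need administrative rights) and deploy it as a ConfigMgr program or a scheduled task, since the stored values only change when the script runs. The class is dropped and recreated on every run so that a renamed or added property in SMS_DEF.MOF takes effect as soon as the property list at the top is updated to match. On 64-bit Windows 7, if you deploy it through the 32-bit ConfigMgr 2007 client, test that manage-bde.exe is found from the 32-bit host; the post's own scripts were only tested on 32-bit.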

After the first client has reported successfully you will find 2 new tables and 1 new view (v_GS_SCCM_BitLocker0, used in the next step) in the SCCM site database. They are created by the first successful inventory of the class, not by editing SMS_DEF.MOF, so if they never appear, look at InventoryAgent.log on a client rather than at the server.

Step 4. Create the Report

I created a report in SCCM with the following query. It only uses columns that the class from Step 1 actually produces in the view (there is no Bitlocker_Status0 column; Protection_Status0 tells you whether a drive is currently protected):

SELECT   v_R_System.Name0 AS Computername,
         v_GS_SCCM_BitLocker0.Drive0 AS Drive,
         v_GS_SCCM_BitLocker0.DriveLabel0 AS DriveLabel,
         v_GS_SCCM_BitLocker0.BitLocker_Version0 AS [BitLocker Version],
         v_GS_SCCM_BitLocker0.Conversion_Status0 AS [Conversion Status],
         v_GS_SCCM_BitLocker0.Percentage_Encrypted0 AS [Percentage Encrypted],
         v_GS_SCCM_BitLocker0.Encryption_Method0 AS [Encryption Method],
         v_GS_SCCM_BitLocker0.Protection_Status0 AS [Protection Status],
         v_GS_SCCM_BitLocker0.Lock_Status0 AS [Lock Status],
         v_GS_SCCM_BitLocker0.Identification_Field0 AS [Identification Field],
         v_GS_SCCM_BitLocker0.Key_Protectors0 AS [Key Protectors],
         v_GS_SCCM_BitLocker0.ScriptLastRun0 AS [Script Last Run]
FROM     v_GS_SCCM_BitLocker0
         INNER JOIN v_R_System ON v_GS_SCCM_BitLocker0.ResourceID = v_R_System.ResourceID
ORDER BY v_R_System.Name0, v_GS_SCCM_BitLocker0.Drive0

And there it is, the BitLocker report (note: the screenshot was taken with an older, slightly different query):

Tested on SCCM 2007 R2 with a Windows 7 Enterprise BitLocker client.

Feel free to comment on this post.

Regards,
Douwe van de Ruit

66 Responses to “HOWTO: Bitlocker Status Reporting in SCCM 2007”
  1. Hello

    I tested your Howto for Bitlocker. But I got an error on the Step.1 If I compile the mof file I got a syntax error:
    "(5840): error SYNTAX 0X80044013: Invalid namespace path syntax". On the MP server I get an unknown error in the dataldr.log.

    Do you have a idea what I could do to solve this problem?

    thx

    Thorsten

  2. dvanderuit says:

    Does it compile without the error if you remove the bitlocker section? I double checked in my testlab:
    MOF file has been successfully parsed
    You probably need to add quotes somewhere. Check all lines that start with #pragma namespace

  3. Regarding the mofcompile not working, in looking at the mof snippet, the web site formatted those double-quotes into the fancy quote symbols, not the text " symbols. After you copy/paste, just replace the fancy double-quotes with normal "

  4. [...] to confirm settings were applied as expected based on his GPO settings:   http://www.buit.org/2010/08/18/howto-bitlocker-status-reporting-in-sccm-2007/ Published Monday, March 01, 2010 1:40 PM by skissinger Filed under: SMS2003, SMS_DEF.MOF, [...]

  5. Jim says:

    If you copy/pasted from this page, then it’s using the word quotes. Delete them in notepad and just retype them and it should compile correctly.

  6. Jim says:

    oops sorry for the repost of sherry’s info, had this site cached in my browser for awhile- been meaning to get around to doing this!
    At any rate, one question, once you initiate the hardware inventory action on the client, I don't see the new WMI info in the HardwareInventory.log on the client going through. I do see it stored in WMI now though just fine.

    So no new table/views are created.

  8. Michiel says:

    MOF was edited, and quotes were edited as suggested.

    I’ve put the script in a GPO – Startup Script and have added hardware inventory in script using

    WshShell.Run "WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule " & Chr(34) & "{00000000-0000-0000-0000-000000000001}" & Chr(34) & " /NOINTERACTIVE", , True

    Running the script WITHOUT “On Error resume next”, results in following error:
    Microsoft VBScript runtime error (24, 4) : Object required: ‘targetmif’

  9. Jim says:

    FYI if a language pack is “fully” applied, this fails somewhat. Since the script is looking for English string values and doesn’t see English returned, SCCM will report values of NULL.

  10. NP says:

    Sherry – I’m not sure I’m reading this right, but it looks like the information being put in WMI is static. If you want to update the information, you have to rerun the script? Is there any way to make the WMI information dynamically update with the info so we don’t have to rerun the script in order to get current information in the hardware inventory?

  11. dvanderuit says:

    I’ve added a better script that’s written in powershell. It has some extra functionalities and triggers a hw inventory at the end.

  12. justins says:

    The powershell script is really great! Thank you !

  13. Mike says:

    I am getting the following error running the powershell script. Not sure what I’m doing wrong.

    The term '.\Bitlocker_Status.ps1' is not recognized as the name of a cmdlet, fu
    nction, script file, or operable program. Check the spelling of the name, or if
    a path was included, verify that the path is correct and try again.
    At line:1 char:23
    + .\Bitlocker_Status.ps1 <<<<
    + CategoryInfo : ObjectNotFound: (.\Bitlocker_Status.ps1:String)
    [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

  14. Frode says:

    Hi

    Nice post for bitlocker status report. One question: In step 3 you say “After a while you will find 2 new tables and 1 new view in the SCCM site database”. I cannot see any new tables or view. How long do I have to wait and what triggers the creation of the new tables and view?

  15. jimbo0607 says:

    This worked perfect, thanks!

    Is there any way I can get the hostname instead of the Resource ID in one of the columns?

    Thanks,

    Jim

  16. jimbo0607 says:

    Actually, I think I’ve got it. I added the following to your sms_def.mof edit:

    [SMS_Report (TRUE)] string PhysicalHostName;

    Thanks,

    Jim

  17. dvanderuit says:

    @ jimbo, i’ve added a nice query for the report.

  18. flangeland says:

    I found a mismatch between the PS script and the MOF
    MOF looks for item: ScriptLastRan
    PS script logs item:ScriptLastRun

    changing either one of those fixed the problem for me.

  19. James Avery says:

    1. Found the powershell script doesn’t have the “[SMS_Report (TRUE)] string Automatic_Unlock;” as stated in the sms_def.mof file.

    2. The VB script has several areas with “ScriptLastRan” instead of “ScriptLastRun”.

    3. Trying to get the Report to run and not having success. Seems it’s looking for something else since when I compare the columns to the report and they don’t match.
    I removed the following lines in MS SQL Query and I was able to run the query, but the query doesn’t work in ConfigMgr.
    v_GS_SCCM_BitLocker0.Bitlocker_Status0 AS [Bitlocker Status],
    v_GS_SCCM_BitLocker0.DriveLabel0 AS DriveLabel,

  20. Aidan Keogh says:

    Not getting two and new tables in SCCM site database. Have double checked all stages no errors.
    Any pointers?

  21. Nico Sienaert says:

    Make sure your WMI class SCCM_BitLocker has the property "ScriptLastRan" that corresponds with the entry in sms_def.mof ("ScriptLastRun")

    So replace ran with run or vice versa

  22. Aidan Keogh says:

    The sms_def file on server has [SMS_Report (TRUE)] string ScriptLastRun;
    No errors on running mofcomp.exe -check SMS_DEF.MOF on sccm server

    I have a couple of PCs with bitlocker enabled. On one I ran the powershell script which has $newWMIObject.Properties.add("ScriptLastRun", ""). I get a nice prompt with all details which are correct. Then I check the server for new tables and still none have come up.

    I'm guessing I misunderstand the steps or can't see the obvious as I have tried several times now.

    Thanks for your help.

  23. Lionel says:

    Hi, I created a package and program to run the UpdateBitlockerStatus.vbs but it seems to only create the class but not the instance. The vbscript runs fine when manually triggered off the box. I’m targeting only Win7 64bit machines so I’m wondering if that is because the SCCM client agent is 32bit and hence runs in a WOW…? Any insight would be appreciated!

    Thanks!

  25. EC says:

    I’m not getting any new tables created and I am getting an error in the InventoryAgent.log when it processes the BitLocker section. I’ve pasted it below in case it is of assistance. This is a 64-bit Windows 7 Enterprise machine.

  26. EC says:

    I guess it didn’t like something in the log. Trying again taking out the brackets.

    ![LOG[Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, Automatic_Unlock, BitLocker_Version, Conversion_Status, Drive, DriveLabel, Encryption_Method, Identification_Field, Key_Protectors, Lock_Status, Percentage_Encrypted, Protection_Status, ScriptLastRun, Size FROM SCCM_BitLocker; Timeout = 600 secs.]LOG]! time="15:03:52.969+000" date="02-02-2011" component="InventoryAgent" context="" type="1" thread="5928" file="collectiontask.cpp:347"

    ![LOG[Unknown error encountered processing an instance of class SCCM_BitLocker: 80041017]LOG]! time="15:03:52.969+000" date="02-02-2011" component="InventoryAgent" context="" type="2" thread="5928" file="collectiontask.cpp:578"

  27. Rich123 says:

    For step 3, do you run the script on each client, or just once on the SCCM server?

  28. Antony Lincoln says:

    For those getting the above error in InventoryAgent.log (ie, on the client, unknown error processing class SCCM_BitLocker) – if you’re using the VB script, replace all entries of ‘ScriptLastRan’ with ‘ScriptLastRun’ – the MOF expects ‘ScriptLastRun’

    The powershell script doesn’t need the edit, just the VB script.

  31. Antony Lincoln says:

    Another note – the VB script doesn’t handle multiple key protection methods, ie:

    Key Protectors:
    Numerical Password
    TPM And PIN

    As the script can’t parse the output properly. Powershell script handles fine though.

  32. wherring says:

    Anyone ever figure out why the new database tables are not being created? I have followed the steps several times and they are still not there. I'm getting the same error as EC above when forcing a hardware inventory on my test client.

  33. Jason Brown says:

    i am having the same problem as EC above the powershell script runs fine but i do not get the database updates. anybody have a clue on this?

  34. Jason brown says:

    Is there a way to manually create the SQL views and tables?

  35. Neo says:

    If bitlocker is not enabled on target machine and if we execute the above script will it create any tables or views

  36. nicstreet says:

    just curious to see if anyone managed to resolve the issues with the tables not being created? I’ve also use WMI explorer and although SCCM_Bitlocker Class is present, none of the properties have values.

  37. Crusnik says:

    Hi!

    I’m having the same issue as many here have mentioned. Using the PowerShell script, I can see that the SCCM_BitLocker WMI class is created (using PowerShell WMI Browser), but even though the script reports all the values after being executed, it does not populate the ConfigMgr SQL database.

    If I look at the CCM logs on the client, in InventoryAgent.log, I see the following entry after a Hardware Inventory Cycle has been run:
    "Unknown error encountered processing an instance of class SCCM_BitLocker: 80041017"

    Any ideas? =)

  38. dvanderuit says:

    Make sure to mofcomp the sms_def.mof to check for errors. The powershell script needs to be run on the client every now and then to update the self-made (static) WMI class SCCM_Bitlocker.

  39. Claud says:

    My database tables were not being created. I made the MOF changes and was using the PowerShell script on the laptops. When I examined InventoryAgent.log there was errors for the SCCM_BitLocker class. It turns out that the MOF file includes this line “[SMS_Report (TRUE)] string Automatic_Unlock;” BUT the PowerShell script does NOT populate this property. I removed this line from SMS_DEF.MOF and everything started working.

  41. Matt says:

    Hello,

    Does this report only show windows 7 computers with bitlocker enabled or does it show both? enabled and not enabled?

    Thanks :)

  42. dvanderuit says:

    The reporting works for both vista and w7 (enterprise and ultimate) computers, enabled as well as not enabled.
    As for the scripts, try debugging by echoing variables to find the error. The scripts are written for the Windows 7 32-bit operating system and have not been tested on 64-bit. However, with little changes you can make them work on 64-bit as well.

    regards,
    Douwe van de Ruit
