Monitor Bitlocker Status using SCCM Bitlocker Report

Benoit LecoursSCCM10 Comments

If you’ve been using BitLocker in your organization, you probably receive some requests from your security department to monitor the status of a device if it gets stolen. There’s a couple of ways to achieve this.

Sccm Bitlocker report

#1 – MBAM

The first and recommended one would be to use Microsoft BitLocker Administration and Monitoring (MBAM). However, this tool is not free, you need to have Microsoft Desktop Optimization Pack (MDOP). Microsoft has also announced that the actual MBAM 2.5 version is getting deprecated soon (Extended support on July 2019). So we’ll skip this one for now.

#2 – Configuration baseline

The second solution would be to use a configuration baseline in SCCM to monitor BitLocker and report the configuration baseline status using a report. This is a good solution but you’ll need to create a baseline based on a script and deploy it to all your computers. If you’re not familiar with configuration baseline and want a quicker, simplier solution, keep reading.

#3 – SCCM Bitlocker Report

The last solution would be to use a built-in SCCM Bitlocker report… but there’s none. The good news is that we’ve created one for you and giving it for free just because we think you’re awesome!

There’s 2 small thing to do before you can use the free report. You need to enable Bitlocker inventory classes in your Hardware inventory. If your inventory is already configured for Bitlocker, jump to the download section.

HOW TO ENABLE Bitlocker INVENTORY

Select the Client Settings that apply to your bitlocker collection. In our example, we’ll use the Default Client Setting but we reccomend that you use a custom one.

  • Open the SCCM Console
  • Go to Administration / Client Settings
  • Right-Click your Default Client Setting, select Properties
SCCM Office 365 inventory report
  • Click on Hardware Inventory
  • Click on Set Classes
Sccm Bitlocker report
  • Ensure that Bitlocker (Win32_EncryptableVolume) is enable
Sccm Bitlocker report

  • Ensure that both TPM (Win32_Tpm) and TPM Status (SMS_TPM) classes are also enabled
Sccm Bitlocker report
  • Close the Hardware inventory class window by clicking ok.

Bitlocker Inventory Verification

Now that our classes are enabled, trigger a Machine Policy Retrieval & Evaluation Cycle (to have the latest Client Settings) followed by an Hardware inventory Cycle on a computer that has Bitlocker enabled. Once the inventory is completed, check the inventory using Resource Explorer :

  • In the SCCM Console
  • Right-Click your device, select Start / Resource Explorer
  • Confirm that you have Bitlocker listed
Sccm Bitlocker report

Free SCCM Bitlocker Report

Now that you’ve confirmed that the inventory is working, the last thing you need to do is :

Sccm Bitlocker report

You can download this free report by visiting our product page. The Asset – Bitlocker Status report is available in the Report / Asset Section.

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...

Share this Post

10 Comments on “Monitor Bitlocker Status using SCCM Bitlocker Report”

  1. Thanks for the report. My “Total Devices” is only a small fraction of my actual total devices. Does it only show devices with the BitLocker inventory class enabled?

    Also, do you know why some devices are listed twice (exact duplicates)?

    1. I’m having the same issue. I have around 8000 clients but this report is only showing around 3500.

  2. I don’t see the TPM Status (SMS_TPM) in my HW inventory list, was this something you added manually or do newer versions of SCCM has this class in there? I am on SCCM 1610.

  3. Hello Guys!

    Beautiful report!! One very helpful addition would be a filter by collection if possible. Would you be able to guide me on setting that up?

    Thank you for your consideration!
    Mike

  4. Thanks a lot, very useful!

    By the way, your “SCD Purchase Receipt”-Email got quarantined by O365 (EOP); Quarantine Reason: Spam

  5. Hi Stian, thanks for your input.

    Hi Benoit, Yes that’s what I expected to see if HDD is encrypted with AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER and other formats..Please let me know if this is possible to get this added into this report.

    1. Hi Sathish,
      Can you give more details? I’m not sure this information is gathered by SCCM.

Leave a Reply

Your email address will not be published. Required fields are marked *