If you’ve been using BitLocker in your organization, you probably receive some requests from your security department to monitor the Bitlocker status of a device if it gets stolen. One of them is a free SCCM Bitlocker Report and a free Power BI Dashboard that we’ve done just for you but there’s a couple of ways to achieve this.

#1 – MBAM
The first and recommended one would be to use Microsoft BitLocker Administration and Monitoring (MBAM). However, this tool is not free, you need to have Microsoft Desktop Optimization Pack (MDOP). Microsoft has also announced that the actual MBAM 2.5 version is getting deprecated soon (Extended support on July 2019). So we’ll skip this one for now.
#2 – Configuration baseline
The second solution would be to use a configuration baseline in SCCM to monitor BitLocker and report the configuration baseline status using a report. This is a good solution but you’ll need to create a baseline based on a script and deploy it to all your computers. If you’re not familiar with the configuration baseline and want a quicker,
#3 – SCCM Bitlocker Report
Another solution would be to use a built-in SCCM Bitlocker report… but there’s none in the console. The good news is that we’ve created one for you and giving it for free just because we think you’re awesome!

There are 2 small
#4 – SCCM Power BI Dashboard
If you’re using Power BI in your organization, we’ve also created a free Bitlocker Compliance Dashboard that you can use.
As for the SSRS report, you need to enable Bitlocker inventory classes in your Hardware inventory. If your inventory is already configured for Bitlocker, jump to the download section.
HOW TO ENABLE Bitlocker INVENTORY for SCCM Bitlocker Report
Select the Client Settings that apply to your
- Open the SCCM Console
- Go to Administration / Client Settings
- Right-Click your Default Client Setting, select Properties

- Click on Hardware Inventory
- Click on Set Classes

- Ensure that Bitlocker (Win32_EncryptableVolume) is enabled

- Ensure that both TPM (Win32_Tpm) and TPM Status (SMS_TPM) classes are also enabled

- Close the Hardware inventory class window by clicking ok.
Bitlocker Inventory Verification
Now that our classes are enabled, trigger a Machine Policy Retrieval & Evaluation Cycle (to have the latest Client Settings) followed by
- In the SCCM Console
- Right-Click your device, select Start / Resource Explorer
- Confirm that you have Bitlocker listed

Free SCCM Bitlocker Reports
Now that you’ve confirmed that the inventory is working, the last thing you need to do is monitoring using reporting.
SSRS
- Download the RDL File from our product page | Asset – Bitlocker Status
- Upload the report to your Reporting Point and change the data source
- Run the report

You can download this free report by visiting our product page. The Asset – Bitlocker Status report is free to download.
Share this Post
35 Comments on “Monitor Bitlocker Status using SCCM Bitlocker Report”
Just had a question was does Enabled mean on the report
Hi,
i like the report very much. I just have the problem, that all of the bitlocker attributes are shown as unknown. Driveletter and a green dot for enabled are ok. I activated the hardware classes and i can see the bitlocker status in the ressource explorer. Can someone point me in the right direction where my problem is please.
Hi. I have a question. Thanks for the report btw. My green color and blue color on my pie chart are backwards:
green = not encrypted
blue = encrypted.
How can I make green to be compliant?
I did not change anything from the default report. Thank You
Hi,
Seeing error when clicking on a device that presents: the item ‘/archive/dashboard – device’ cannot be found
Not sure what that would be.
Thanks,
Dwight
Hello Dbrookland,
You must purchase the Dashboard – Device report to be able to make it work with Bitlocker Report.
Thanks
Hello, does this work for 1909? I have an older report from a year ago or so and my devices aren’t showing up as 1909. I see you mentioned there is an updated report. Does that support 1909 informatin?
Did anyone ever find where this report pulls from? I have 30,000 devices and it is pulling 1,000….
Also curious if anyone figured out how to query based off a collection because that would be super helpful!!!
Hi Chris,
the updated version is available for download to selection collection.
Try this SQL query to see how many rows you got.
select * from v_GS_ENCRYPTABLE_VOLUME
could be hardware inventory class missing.
thanks
Jonathan
Is it possible to include other drives in the report?
Encryption method is part of win32_BitLockerEncryptionDetails not under the standard win32_EncryptableVolume
It should be the class right after win32_EncryptableVolume not sure why it doesn’t show in the author’s screenshot
Great report has a lot info that I am looking for. I am just wondering where it is pulling from. I have a total of over 9000 computers in our organization and report is pulling only 6000.
excellent report and much appreciated for sharing. question…..im seeing some laptops with double entries; would we know why this is occurring? could not tell if this report is targeting all systems or a certain collection. is there a way to target just a specific collection? thanks!
got it fixed…..just needed to change the very first line….
SELECT DISTINCT SYS.ResourceID,SYS.Name0, SYS.AD_Site_Name0, USR.Full_User_Name0,
would still like to know how to target specific collections. thanks again.
The link to download is not working.
Can the report show if you have an active PIN? Can you support me to know how to add it to the report?
Is there any way to exclude windows 7 results?
I agree – great report and thank you! Would also like to see a filter to run the report against a particular collection if possible. I will be trying to see if there’s a way to add a serial number column as well for management.
Thank you again,
Cathy
Great Report, thank you.
I have some suggestions though. First of all, set the RepeatOnNewPage property for ‘Device Name’ to true.
Adding some filters for Manufacturer, Model and TPM states might improve the overall experience.
Love this report! One issue I am having is the version number of windows 10. It’s not reporting any version higher than 10.0.16299 even though we have many machines with 10.0.17134 that have bitlocker enabled. Any idea why?
I would also like to have this option added. I have tried to edit the report but I have no knowledge of SQL reports so it didn’t work. I am also having the same issue others have mentioned that the report only shows a small number of systems at the top of the report in comparison to what we have.
Hi!
Thanks for this useful report!
It can be even more useful if it can be modified to run against Computer Collection to get it’s status, not against PC name only or * expression. Any suggestions on how can this be implemented?
Thanks for a very useful report. Just want to share some information that helped me.
I was also experiencing duplicate entries when I ran the report. I tracked the issue down to being caused by the use of the v_GS_System_Enclosure view in the SQL syntax.
This view can contain multiple entries for the same asset. If the asset is a laptop sitting in a docking station, the SCCM agent will report back that the chassis type is both 9 and 12. The number 9 represents a laptop and 12 a docking station. Each chassis type gets its own entry in the system_enclosure view, hence when you use the ResourceID from this table, you now have multiple entries in the report for the same computer. So to fix it, I just removed the line “INNER JOIN v_GS_SYSTEM_ENCLOSURE SE ON EV.ResourceID = SE.ResourceID”, and instead of using the SE.ResourceID, I just reused the SYS.ResourceID.
I am no SCCM or SQL expert, but I don’t understand why you query the v_GS_SYSTEM_ENCLOSURE view? None of the information from this view is being used in the final report? Maybe I am missing something?
Love the SCCM bundle and Bitlocker reports. It has help with audit documentation.
Could I get the Bitlocker report customized to report by collection group? What would charge be for the customization?
Great report, thank you. I see duplicate computers in report, any idea why?
Thanks for the report. My “Total Devices” is only a small fraction of my actual total devices. Does it only show devices with the BitLocker inventory class enabled?
Also, do you know why some devices are listed twice (exact duplicates)?
I’m having the same issue. I have around 8000 clients but this report is only showing around 3500.
Same issue for me, count is about half of all systems and a few duplicates as well.
I am having the same issue. Has anyone figured out why? Is it only pulling information on those systems that are BitLocker capable?
I don’t see the TPM Status (SMS_TPM) in my HW inventory list, was this something you added manually or do newer versions of SCCM has this class in there? I am on SCCM 1610.
Hello Guys!
Beautiful report!! One very helpful addition would be a filter by collection if possible. Would you be able to guide me on setting that up?
Thank you for your consideration!
Mike
Thanks a lot, very useful!
By the way, your “SCD Purchase Receipt”-Email got quarantined by O365 (EOP); Quarantine Reason: Spam
Hi Stian, thanks for your input.
Hi Benoit, Yes that’s what I expected to see if HDD is encrypted with AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER and other formats..Please let me know if this is possible to get this added into this report.
Thank you for your post, can we also get the encryption method listed?
Hi Sathish,
Can you give more details? I’m not sure this information is gathered by SCCM.
You can see the encryption method in WMI:
(Get-CimInstance -Namespace “root\cimv2\Security\MicrosoftVolumeEncryption” -ClassName Win32_EncryptableVolume -Filter “DriveLetter = ‘C:'”).EncryptionMethod
If you can switch these integers to a more readable string, then I guess you’ll be good to go.
https://docs.microsoft.com/en-us/windows/desktop/secprov/getencryptionmethod-win32-encryptablevolume