sccm.haas.se
30Aug/132

Bitlocker Status Report

With Windows 7, creating a report in SCCM for all your computers is really simple. First you need to extend your sms_def.mof file so that Hardware Inventory gathers the BitLocker status data that is stored in WMI on your clients.

Insert this at the bottom of
%Program Files%\Microsoft Configuration Manager\inboxes\clifiles.src\hinv\sms_def.mof 

[ SMS_Report (TRUE),

 SMS_Group_Name ("BitLocker Volume Encryption"),
 SMS_Class_ID ("MICROSOFT|BITLOCKER_VOLUME_ENC|1.0"),
 SMS_Namespace (FALSE),
 Namespace ("\\\\\\\\localhost\\\\root\\\\cimv2\\\\security\\\\MicrosoftVolumeEncryption") ]
class Win32_EncryptableVolume : SMS_Class_Template
{
 [SMS_Report (TRUE), key ] string DeviceID;
 [SMS_Report (TRUE) ] string DriveLetter;
 [SMS_Report (FALSE) ] string PersistentVolumeID;
 [SMS_Report (TRUE) ] uint32 ProtectionStatus;
};
[ SMS_Report (TRUE),
 SMS_Group_Name ("Trusted Platform Module"),
 SMS_Class_ID ("MICROSOFT|TRUSTED_PLATFORM_MODULE|1.0"),
 SMS_Namespace (FALSE),
 Namespace ("\\\\\\\\localhost\\\\root\\\\cimv2\\\\security\\\\MicrosoftTPM") ]
class Win32_TPM : SMS_Class_Template
{
 [SMS_Report (TRUE) ] boolean IsActivated_InitialValue;
 [SMS_Report (TRUE) ] boolean IsEnabled_InitialValue;
 [SMS_Report (TRUE) ] boolean IsOwned_InitialValue;
 [SMS_Report (FALSE), key] uint32 ManufacturerId;
 [SMS_Report (TRUE) ] string ManufacturerVersion;
 [SMS_Report (FALSE) ] string ManufacturerVersionInfo;
 [SMS_Report (FALSE) ] string PhysicalPresenceVersionInfo;
 [SMS_Report (TRUE) ] string SpecVersion;
};

Thanks to Panu Saukko for that information.

When your clients run Hardware Inventory, they will put the information from WMI into the ConfigMgr database. All you need to do is create a report that pulls the data out of it. It just so happens, I have one right here! Create a new report in ConfigMgr and put this into the SQL statement.

SELECT
    v_R_System.Name0,
    'Chassis' = CASE
        WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 IN ('3','4','6','7','15') THEN 'Desktop'
        WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 IN ('8','9','10','21') THEN 'Laptop'
    END,
    v_GS_BITLOCKER_VOLUME_ENC.DriveLetter0,
    v_GS_BITLOCKER_VOLUME_ENC.ProtectionStatus0 AS 'Protection Status',
    v_GS_BITLOCKER_VOLUME_ENC.TimeStamp AS 'Inventoried',
    v_GS_TRUSTED_PLATFORM_MODULE.IsEnabled_InitialValue0 AS 'TPM Enabled',
    v_GS_TRUSTED_PLATFORM_MODULE.IsActivated_InitialValue0 AS 'TPM Activated',
    v_GS_TRUSTED_PLATFORM_MODULE.ManufacturerVersion0 AS 'TPM Manuf. Version',
    v_GS_TRUSTED_PLATFORM_MODULE.SpecVersion0 AS 'TPM Version',
    v_R_System.managedBy0 AS 'Managed By'
FROM v_R_System
    INNER JOIN v_GS_BITLOCKER_VOLUME_ENC
        ON v_R_System.ResourceID = v_GS_BITLOCKER_VOLUME_ENC.ResourceID
    INNER JOIN v_GS_TRUSTED_PLATFORM_MODULE
        ON v_GS_BITLOCKER_VOLUME_ENC.ResourceID = v_GS_TRUSTED_PLATFORM_MODULE.ResourceID
    INNER JOIN v_GS_SYSTEM_ENCLOSURE
        ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID

This will give you a report that looks like this.

[Screenshot: Bitlocker Report]

So, in other words, you don’t need to run scripts on your clients to inventory BitLocker information for Windows 7. All you need is to extend SMS_Def.mof and create a report.
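
An exception view of the same data, added here as an example and not part of the original post: the report above uses INNER JOINs, so a machine that returned no BitLocker or TPM rows does not appear in it at all. The query below lists laptops whose volumes are not reported as protected or that have no BitLocker inventory; it uses only the views and columns from the report above and assumes the documented Win32_EncryptableVolume ProtectionStatus values (0 = off, 1 = on, 2 = unknown) and that the boolean TPM properties are stored as 0/1.

```sql
-- Added example (not from the original post): laptops that are unprotected
-- or missing from BitLocker inventory. Aliases s, enc, bl, tpm are illustrative.
SELECT
    s.Name0            AS 'Computer',
    bl.DriveLetter0    AS 'Drive',
    CASE
        WHEN bl.ResourceID IS NULL     THEN 'No BitLocker inventory'
        WHEN bl.ProtectionStatus0 = 0  THEN 'Protection off'
        WHEN bl.ProtectionStatus0 = 2  THEN 'Protection unknown'
        ELSE 'Status not reported'
    END                AS 'Finding',
    CASE
        WHEN tpm.ResourceID IS NULL THEN 'No TPM inventory'
        -- Assumption: boolean WMI properties are stored as 0/1.
        WHEN tpm.IsEnabled_InitialValue0 = 1
         AND tpm.IsActivated_InitialValue0 = 1 THEN 'Enabled and activated'
        ELSE 'Present, not enabled/activated'
    END                AS 'TPM',
    bl.TimeStamp       AS 'Inventoried'
FROM v_R_System AS s
    INNER JOIN v_GS_SYSTEM_ENCLOSURE AS enc
        ON enc.ResourceID = s.ResourceID
    -- LEFT JOINs keep machines that have no row in these views.
    LEFT JOIN v_GS_BITLOCKER_VOLUME_ENC AS bl
        ON bl.ResourceID = s.ResourceID
    LEFT JOIN v_GS_TRUSTED_PLATFORM_MODULE AS tpm
        ON tpm.ResourceID = s.ResourceID
WHERE enc.ChassisTypes0 IN ('8','9','10','21')   -- same laptop mapping as the report
  AND (bl.ResourceID IS NULL                     -- never inventoried
       OR bl.ProtectionStatus0 IS NULL
       OR bl.ProtectionStatus0 <> 1)             -- anything other than "on"
ORDER BY s.Name0, bl.DriveLetter0;
```

A row with 'No BitLocker inventory' means only that the client returned no Win32_EncryptableVolume data, so check the date of its last Hardware Inventory before treating it as unencrypted.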