Monday, April 10, 2017

SCCM Compliance Item Bitlocker Status

We recently implemented Health Attestation in SCCM 1610. That took care of the reporting requirements for our Windows 10 clients. However, in order to completely eliminate MBAM from our environment we still needed to report on legacy clients. So, here is how to create a compliance item that queries for BitLocker status:

**Side note: some troubleshooting done for the Windows 10 portion with Health Attestation:
https://social.technet.microsoft.com/Forums/en-US/359c1cb5-5bb0-42a2-9151-0e0b3d769bcd/missing-health-attestation-data-in-sccm?forum=ConfigMgrCompliance


The script:

  1. Verify that BitLocker protection is enabled (ProtectionStatus = 1) and the encryption method is AES 256 (EncryptionMethod = 4)
  2. Return Compliant or Non-Compliant
#############################

  # Query the BitLocker WMI provider for the C: volume and keep only the two properties the check needs
  $BitlockerStatus = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -ErrorAction Stop | ?{$_.DriveLetter -eq "C:"} | select EncryptionMethod,ProtectionStatus

  #Status (0 = disabled, 1 = enabled)
  #Method {0 = none, 1 = 128 diffuser, 2 = 256 diffuser, 3 = 128 (default), 4 = 256 (desired)}

  #Verify that BitLocker is enabled and AES 256 is used
  if($BitlockerStatus.ProtectionStatus -eq 1 -and $BitlockerStatus.EncryptionMethod -eq 4)
  {write-host "Compliant"}
  else
  {write-host "Non-Compliant"}
#############################
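As an added example (not the script from the original post), the same check written to cope with the cases the one-liner above does not handle: the WMI query failing (no BitLocker provider, access denied) or the C: volume not being returned, either of which leaves $BitlockerStatus empty so the -eq comparisons are silently false and the script errors out or reports nothing useful. It also requires the volume to be fully encrypted rather than merely "protection on" while conversion is still running, and accepts XTS-AES 256 (EncryptionMethod 7, used by Windows 10 1511 and later) alongside AES 256 (4). The function name, the accepted-method list and the choice to treat query failures as Non-Compliant are this example's assumptions, not something the post specifies.

```powershell
# Added example: a BitLocker compliance check for an SCCM compliance item
# (not the original post's script). Assumptions: the C: volume is the one of
# interest, AES 256 (4) and XTS-AES 256 (7) are the only acceptable methods,
# and any failure to query the volume is reported as Non-Compliant.

function Get-BitLockerCompliance {
    param(
        [string]$DriveLetter = 'C:',
        [int[]]$AcceptedMethods = @(4, 7)   # 4 = AES 256, 7 = XTS-AES 256
    )

    try {
        # WQL filter on the drive letter instead of enumerating every volume
        $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume `
                             -Filter "DriveLetter='$DriveLetter'" `
                             -ErrorAction Stop
    }
    catch {
        # No BitLocker WMI provider (edition without BitLocker) or the query failed:
        # report Non-Compliant instead of throwing an unhandled error at the client agent.
        return 'Non-Compliant'
    }

    # Volume not found: nothing to evaluate, so it cannot be compliant
    if ($null -eq $vol) { return 'Non-Compliant' }

    # ProtectionStatus: 0 = off (includes suspended protectors), 1 = on, 2 = unknown
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                   2/3 = encryption/decryption in progress, 4/5 = paused
    $protectionOn   = ($vol.ProtectionStatus -eq 1)
    $fullyEncrypted = ($vol.ConversionStatus -eq 1)
    $methodOk       = ($AcceptedMethods -contains $vol.EncryptionMethod)

    if ($protectionOn -and $fullyEncrypted -and $methodOk) {
        return 'Compliant'
    }
    return 'Non-Compliant'
}

# SCCM compares the script's output with the value configured in the compliance
# rule, so emit exactly one of the two strings and nothing else.
Write-Host (Get-BitLockerCompliance)
```

Checking ConversionStatus as well as ProtectionStatus matters because a volume can report protection on while encryption is still in progress or paused; only ConversionStatus = 1 means the data at rest is actually covered. If the environment still runs Windows 10 builds that default to XTS-AES, keep 7 in the accepted list, otherwise narrow it back to 4 to match the post's rule.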

The compliance item:

View the deployment status under monitoring

Viewing the individual client report