Contact Us Get Free Products
Search icon Contact Us Get Free Products
SCCM/MECM

Monitor Bitlocker Status using SCCM Bitlocker Report

Benoit LecoursJanuary 14 20193 Min Read

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 8 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.

Benoit Lecours

President
Table of Content
SCD Collaborators

If you’ve been using BitLocker in your organization, you probably receive some requests from your security department to monitor the Bitlocker status of a device if it gets stolen. One of them is a free SCCM Bitlocker Report and a free Power BI Dashboard that we’ve done just for you but there’s a couple of ways to achieve this.

#1 – MBAM

The first and recommended one would be to use Microsoft BitLocker Administration and Monitoring (MBAM). However, this tool is not free, you need to have Microsoft Desktop Optimization Pack (MDOP). Microsoft has also announced that the actual MBAM 2.5 version is getting deprecated soon (Extended support on July 2019). So we’ll skip this one for now.

#2 – Configuration baseline

The second solution would be to use a configuration baseline in SCCM to monitor BitLocker and report the configuration baseline status using a report. This is a good solution but you’ll need to create a baseline based on a script and deploy it to all your computers. If you’re not familiar with the configuration baseline and want a quicker, simpler solution, keep reading.

#3 – SCCM Bitlocker Report

Another solution would be to use a built-in SCCM Bitlocker report… but there’s none in the console. The good news is that we’ve created one for you and giving it for free just because we think you’re awesome!

There are 2 small things to do before you can use the free report. You need to enable Bitlocker inventory classes in your Hardware inventory. If your inventory is already configured for Bitlocker, jump to the download section.

#4 – SCCM Power BI Dashboard

If you’re using Power BI in your organization, we’ve also created a free Bitlocker Compliance Dashboard that you can use.

As for the SSRS report, you need to enable Bitlocker inventory classes in your Hardware inventory. If your inventory is already configured for Bitlocker, jump to the download section.

HOW TO ENABLE Bitlocker INVENTORY for SCCM Bitlocker Report

Select the Client Settings that apply to your bitlocker collection. In our example, we’ll use the Default Client Setting but we recommend that you use a custom one.

  • Open the SCCM Console
  • Go to Administration / Client Settings
  • Right-Click your Default Client Setting, select Properties
SCCM Office 365 inventory report
  • Click on Hardware Inventory
  • Click on Set Classes
Sccm Bitlocker report
  • Ensure that Bitlocker (Win32_EncryptableVolume) is enabled
Sccm Bitlocker report

  • Ensure that both TPM (Win32_Tpm) and TPM Status (SMS_TPM) classes are also enabled
Sccm Bitlocker report
  • Close the Hardware inventory class window by clicking ok.

Bitlocker Inventory Verification

Now that our classes are enabled, trigger a Machine Policy Retrieval & Evaluation Cycle (to have the latest Client Settings) followed by an Hardware inventory Cycle on a computer that has Bitlocker enabled. Once the inventory is completed, check the inventory using Resource Explorer :

  • In the SCCM Console
  • Right-Click your device, select Start / Resource Explorer
  • Confirm that you have Bitlocker listed
Sccm Bitlocker report

Free SCCM Bitlocker Reports

Now that you’ve confirmed that the inventory is working, the last thing you need to do is monitoring using reporting.

SSRS

You can download this free report by visiting our product page. The Asset – Bitlocker Status report is free to download.

SCD Collaborators
Comments (36)

Jeff Huffman

04.15.2019 AT 11:58 AM
Love the SCCM bundle and Bitlocker reports. It has help with audit documentation. Could I get the Bitlocker report customized to report by collection group? What would charge be for the customization?
Hide replies 0

Tony

01.31.2019 AT 03:46 PM
Great report, thank you. I see duplicate computers in report, any idea why?
Hide replies 0

Jason

01.24.2019 AT 06:42 PM
Thanks for the report. My "Total Devices" is only a small fraction of my actual total devices. Does it only show devices with the BitLocker inventory class enabled? Also, do you know why some devices are listed twice (exact duplicates)?
Hide replies 3

Lauren Layton

05.24.2019 AT 12:48 PM
I am having the same issue. Has anyone figured out why? Is it only pulling information on those systems that are BitLocker capable?
Hide replies 0

Danny

03.15.2019 AT 10:31 AM
Same issue for me, count is about half of all systems and a few duplicates as well.
Hide replies 0

steve

01.31.2019 AT 03:33 PM
I'm having the same issue. I have around 8000 clients but this report is only showing around 3500.
Hide replies 0

Anthony Reyna

01.24.2019 AT 01:07 PM
I don't see the TPM Status (SMS_TPM) in my HW inventory list, was this something you added manually or do newer versions of SCCM has this class in there? I am on SCCM 1610.
Hide replies 0

Mike

01.17.2019 AT 10:29 PM
Hello Guys! Beautiful report!! One very helpful addition would be a filter by collection if possible. Would you be able to guide me on setting that up? Thank you for your consideration! Mike
Hide replies 0

Simon

01.16.2019 AT 09:40 AM
Thanks a lot, very useful! By the way, your "SCD Purchase Receipt"-Email got quarantined by O365 (EOP); Quarantine Reason: Spam
Hide replies 0

sathish

01.16.2019 AT 02:13 AM
Hi Stian, thanks for your input. Hi Benoit, Yes that's what I expected to see if HDD is encrypted with AES_128_WITH_DIFFUSER, AES_256_WITH_DIFFUSER and other formats..Please let me know if this is possible to get this added into this report.
Hide replies 0

sathish

01.14.2019 AT 05:53 PM
Thank you for your post, can we also get the encryption method listed?
Hide replies 1

Benoit Lecours

01.15.2019 AT 08:00 AM
Hi Sathish, Can you give more details? I'm not sure this information is gathered by SCCM.
Hide replies 1

Stian M. Olsen

01.15.2019 AT 10:37 AM
You can see the encryption method in WMI: (Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -ClassName Win32_EncryptableVolume -Filter "DriveLetter = 'C:'").EncryptionMethod If you can switch these integers to a more readable string, then I guess you'll be good to go. https://docs.microsoft.com/en-us/windows/desktop/secprov/getencryptionmethod-win32-encryptablevolume
Hide replies 0
Related posts
Benoit LecoursApril 24 202411 Min Read
Step-by-Step SCCM 2403 Upgrade Guide

Microsoft has released the first SCCM version for 2024 as the release cadence is now reduced to 2...

SCCM/MECM
Benoit LecoursApril 23 20244 Min Read
In-place OS upgrade for SCCM site server

Some releases of SCCM versions require that you upgrade your site server Operating System to...

SCCM/MECM
Marc-Andre ChartrandApril 18 20244 Min Read
SCCM Office 365 dashboard Unmanaged clients

If you’ve always been managing your Office 365 (Now Microsoft 365 Apps) clients with SCCM,...

Office 365 SCCM/MECM
Request a Quote

Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.

Consulting Services

Subscription

PatchMyPC

Reports and Guides

I'm interested in working with you

Consulting services and time banks are used for generic requests. All others are fixed-price plans.

Never share sensitive information (credit card numbers, social security numbers, passwords) through this form.
Request Sent

Thank you for your request. You will receive an email with more details. Take note that we normally work from Monday to Friday. We will get in touch with you as soon as possible.

Comment Sent

Thank for your reply!

Error

Something went wrong!