CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

When creating a baseline for your environment, Desired Configuration Management (DCM) in Configuration Manager can be used to monitor that the operating system drive of all laptops is encrypted. This is useful to verify that an administrator somewhere hasn't removed BitLocker, or to make sure that the BitLocker deployment strategy is working correctly.

  • Create a new Configuration Item (General or Operating System, your choice) under Desired Configuration Management in the SCCM console.
  • On the Settings tab, select New
  • Name it Bitlocker Status
  • Namespace:  Root\CIMV2\Security\MicrosoftVolumeEncryption
  • Class:  Win32_EncryptableVolume
  • Property:  DriveLetter
Bitlocker Settings screen

  • On the Validation screen:
  • Operator:  Equals
  • Value:  C:
  • Severity:  Error
  • On the Status screen change the severity to Error
Now create a DCM baseline containing the BitLocker Configuration Item and assign it to a collection containing your Windows 7 and Windows Vista computers.
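As an added example (not from the blog post), the following PowerShell, run elevated on a client, shows what the baseline's WMI rule will see. Keep in mind that "DriveLetter Equals C:" matches whenever an encryptable C: volume is enumerated, encrypted or not; the ProtectionStatus property of the same class reports whether protection is actually on, so it is worth checking alongside the drive letter.

```powershell
# Added example, not part of the original post. Run elevated on a Windows 7 / Vista client.
# Queries the same namespace and class the Configuration Item above uses and shows, per
# volume, whether the 'DriveLetter Equals C:' rule would match and whether BitLocker
# protection is actually on.
$ns = 'Root\CIMV2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue

if (-not $volumes) {
    # The namespace is absent on editions without BitLocker, and the query fails when
    # not elevated; in both cases the baseline rule has no instance to evaluate.
    Write-Warning "No Win32_EncryptableVolume instances (not elevated, or BitLocker not available)."
}
else {
    foreach ($v in $volumes) {
        # ProtectionStatus: 0 = protection off (unencrypted or protectors suspended),
        #                   1 = protection on, 2 = unknown
        $protection = switch ($v.ProtectionStatus) {
            0       { 'Off' }
            1       { 'On' }
            2       { 'Unknown' }
            default { 'N/A' }
        }
        # This is the only comparison the baseline rule performs; it says nothing about encryption.
        $ruleMatch = ($v.DriveLetter -eq 'C:')
        '{0,-4} RuleMatch={1,-5} ProtectionStatus={2}' -f $v.DriveLetter, $ruleMatch, $protection
    }
}
```

A C: volume that prints RuleMatch=True with ProtectionStatus=Off is one the baseline as configured would still report as compliant.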

When using an Install Software Updates step in a task sequence, for instance a task sequence that first uninstalls Office 2003 and then installs Office 2007, you want to install the latest patches during that task sequence to make sure all security updates are installed.

If the Install Software Updates step needs to reboot the computer, the default values for reboot delay and reboot message are used. Since this is not a Restart Computer step, the following task sequence variables need to be defined in the task sequence to control the message displayed and the timeout used:

  • SMSTSRebootTimeout: timeout controlling how long the message is shown to the user
  • SMSTSRebootMessage: message to be displayed to the user

Task Sequence Editor example

When using a mandatory OSD advertisement to install an operating system, it is a great benefit to remove the computer from the collection to which the OS deployment is advertised. The OSD task sequence advertisement can then be set to always rerun, and all problems related to reinstalling an existing computer are solved.

This can be achieved by using a status filter rule together with a VBScript that removes the computer from the collection once the task sequence completes successfully.

I have updated the script to search for active computer records in SCCM using the name and then remove the computer from the collection using the ResourceID instead of using the name for matching. I have seen at customers that some third-party applications created direct memberships with a different naming convention than the SCCM Admin Console does; this updated script will solve this problem.

Update 2
The script has been updated with the possibility to enter more than one collection to remove the computer from. It can also write an event to the event log on the SCCM server with the name of the computer and the collection(s) it will be removed from.
I have removed the script code from this blog and made it available as a file instead, to avoid problems when cutting/pasting the text.

You can download it here:

Download the script and save it as "remove.vbs", then edit the following line with the collection(s) you want the computer removed from:

sCollectionIDs = "00100053:0010004A:00100069"

When that is done, complete the steps below to configure the status filter rule.
Configuring the status filter rule:

  1. Under Site Settings, create a new status filter rule
  2. Configure it to use the following settings:

Component : Task Sequence Manager
Message Id: 11171

Run a Program: cscript.exe e:\sccmtools\remove.vbs %msgsys

Status filter rule screens