When creating a baseline for your environment, Desired Configuration Management (DCM) in Configuration Manager can be used to monitor that the operating system drive of every laptop is encrypted. This is useful to verify that an administrator somewhere hasn't removed BitLocker, or to make sure that the BitLocker deployment strategy is working correctly.
- Create a new Configuration Item (General or Operating System, your choice) under Desired Configuration in the SCCM console.
- On the Settings tab, select New.
- Name it BitLocker Status.
- Namespace: Root\CIMV2\Security\MicrosoftVolumeEncryption
- Class: Win32_EncryptableVolume
- Property: DriveLetter
- On the validation screen:
- Operator: Equals
- Value: C:
- Severity: Error
- On the Status screen, change the severity to Error.
Completed!
Two things to keep in mind with this rule. Without a WQL WHERE clause the query returns one instance per encryptable volume, and the DriveLetter rule is applied to every one of them, so a computer with an additional D: partition (or an encrypted USB stick) is reported as non-compliant even though C: is fine; add the WQL query WHERE clause DriveLetter="C:" to the configuration item to narrow it to the operating system drive. Also, an instance with DriveLetter C: exists whether or not the drive is encrypted, so matching the drive letter alone only proves that the volume is BitLocker-capable; to check that protection is actually on, validate the ProtectionStatus property against the integer value 1 (0 means unprotected, 2 means unknown).
Now create a DCM baseline containing the BitLocker configuration item and assign it to a collection containing your Windows 7 and Windows Vista computers.
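The following script is an added example, not code from the original post, from the comments, or from Configuration Manager. It runs the same WMI evaluation the DCM configuration item performs, so that on a single machine you can see why the rule as posted fails on multi-volume computers and what the narrowed query (the WHERE clause discussed in the comments) returns. The function names Get-EncryptableVolume and Test-OsDriveBitLocker and the DriveLetter parameter are my own; it assumes an elevated prompt (the MicrosoftVolumeEncryption namespace can only be read by administrators; the ConfigMgr client evaluates as SYSTEM and is not affected) and PowerShell 2.0 or later, which is why Get-WmiObject is used rather than Get-CimInstance.

```powershell
# Added example; not code from the original post, the comments, or Configuration Manager.
# Reproduces the DCM evaluation locally: first the query as posted (every volume),
# then the query narrowed to the operating system drive with a real encryption check.
# Assumes an elevated prompt and PowerShell 2.0+ (hence Get-WmiObject, not Get-CimInstance).

$Namespace = 'Root\CIMV2\Security\MicrosoftVolumeEncryption'

# Documented Win32_EncryptableVolume.ProtectionStatus values
$ProtectionStatusText = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
# Documented ConversionStatus values returned by GetConversionStatus()
$ConversionStatusText = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                           3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

function Get-EncryptableVolume {
    # The query the item as posted runs: no WHERE clause, so WMI returns one instance per
    # encryptable volume and DCM applies "DriveLetter Equals C:" to each of them. Every
    # D:/E: instance then fails the rule, which is the non-compliance the comments describe.
    Get-WmiObject -Namespace $Namespace -Query 'SELECT DriveLetter, ProtectionStatus FROM Win32_EncryptableVolume'
}

function Test-OsDriveBitLocker {
    param(
        # Hypothetical parameter: the post hard-codes C:, the environment is a safer default.
        [string]$DriveLetter = $env:SystemDrive
    )

    # The narrowed query the comment thread arrived at. WQL accepts single- or double-quoted
    # strings; the double-quoted form is the one reported to work in the console field.
    $query = "SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter=`"$DriveLetter`""
    $vol = Get-WmiObject -Namespace $Namespace -Query $query

    if ($null -eq $vol) {
        # No instance at all: the volume is not BitLocker-capable, or the query was not run
        # elevated. Report non-compliant rather than letting the check pass silently.
        return New-Object PSObject -Property @{
            DriveLetter = $DriveLetter; Compliant = $false
            Reason      = 'no Win32_EncryptableVolume instance (not capable, or not elevated)'
        }
    }

    # Matching on DriveLetter alone, as the posted rule does, only proves this instance exists;
    # an unencrypted C: has one too. ProtectionStatus = 1 says BitLocker is actually on, and
    # GetConversionStatus() tells whether encryption has finished or is still in progress.
    $conv           = $vol.GetConversionStatus()
    $protected      = ($vol.ProtectionStatus -eq 1)
    $fullyEncrypted = ($conv.ConversionStatus -eq 1)

    if (-not $protected)          { $reason = 'protection is off' }
    elseif (-not $fullyEncrypted) { $reason = 'protection is on but conversion is not finished' }
    else                          { $reason = 'OS drive protected and fully encrypted' }

    New-Object PSObject -Property @{
        DriveLetter          = $vol.DriveLetter
        ProtectionStatus     = $ProtectionStatusText[[int]$vol.ProtectionStatus]
        ConversionStatus     = $ConversionStatusText[[int]$conv.ConversionStatus]
        EncryptionPercentage = $conv.EncryptionPercentage
        Compliant            = ($protected -and $fullyEncrypted)
        Reason               = $reason
    }
}

'All encryptable volumes (what the item without a WHERE clause evaluates):'
Get-EncryptableVolume |
    Select-Object DriveLetter, @{ n = 'ProtectionStatus'; e = { $ProtectionStatusText[[int]$_.ProtectionStatus] } } |
    Format-Table -AutoSize

'Operating system drive only:'
Test-OsDriveBitLocker |
    Format-List DriveLetter, ProtectionStatus, ConversionStatus, EncryptionPercentage, Compliant, Reason
```

Run it on a laptop with a second data partition: the first table lists both C: and D:, which is exactly the set of instances the unfiltered rule is evaluated against, while the second block reports only the OS drive. The Compliant value is what you would want a configuration item to validate, whether you express it as the WMI setting on ProtectionStatus with the WHERE clause, or as a script-based setting that returns (Test-OsDriveBitLocker).Compliant.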
First off. Love your blog.
Second, we are currently testing this in a development environment and any computer with two partitions on the primary drive (excluding the system reserved partition) show noncompliance. When I run the client side evaluation report, it shows that drive letter D: is noncompliant even though the query should only be checking C: (which is encrypted).
Anyone have any suggestions on how to modify this so that it ONLY checks C:?
I see the same thing. Do you know, if the D: drive is encrypted, does it still fail?
I will do some testing as soon as I get my hands on a computer I can do some tests with.
Sorry for the late reply, it seems like you are on to something.
/Jörgen
Anyone get an answer to this?
Hi Jörgen,
When I create a DCM configuration item, I’m faced with a screen that says, “Specify the objects that you want for this configuration item…” When I click New, I can choose Assembly, File/Folder, or Registry key. None of these have a spot to put Namespace, Class, or Property. Am I missing something?
Thanks,
Kim
We had the same problem as Aidan. When the computer has more than one encrypted drive besides C: (e.g. an additional D: volume, or E: as an encrypted USB stick) the check returns an error.
In this case just add a “WQL query WHERE clause” in your Configuration Item that says DriveLetter=’C:’
It’s tested and works perfectly in our environment.
Excellent feedback Sebastian, I will update the post with the information.
/Jörgen
I tried the above post but found out that it’s not working as expected.
We want to implement a baseline for BitLocker compliance on drive C: only (so we don't care whether other removable drives are encrypted or not), so I'm testing on the property ProtectionStatus and validating it against the value 1 (integer) in the validation tab.
I added DriveLetter="C:" as a WQL query WHERE clause to narrow it down to C: only
("C:" in double quotes, not in single quotes as posted earlier, as this led to the error:
DiscoveryProvider:Discovery Function query('select ProtectionStatus from Win32_EncryptableVolume where DriveLetter=?C:?','Root\CIMV2\Security\MicrosoftVolumeEncryption'): An exception of type 'System.Management.ManagementException' occurred during execution: Invalid query )
In the discovery log I now see
DiscoveryProvider:Discovery Function query('select ProtectionStatus from Win32_EncryptableVolume where Driveletter="C:"','Root\CIMV2\Security\MicrosoftVolumeEncryption'): Object count final: 1.