CCMEXEC.COM – Enterprise Mobility

Use DCM to monitor that all laptops are encrypted using Bitlocker

Posted on March 17, 2010 (last modified March 16, 2010) by Jörgen Nilsson

When creating a baseline for your environment, Desired Configuration Management (DCM) in Configuration Manager can be used to monitor that the operating system drive of every laptop is encrypted with BitLocker. This is useful to verify that an administrator somewhere hasn't removed BitLocker, or to make sure that the BitLocker deployment strategy is working correctly.

  • Create a new Configuration Item (General or Operating System, whichever you prefer) under Desired Configuration in the SCCM console.
  • On the Settings tab, select New.
  • Name it Bitlocker Status.
  • Namespace: Root\CIMV2\Security\MicrosoftVolumeEncryption
  • Class: Win32_EncryptableVolume
  • Property: DriveLetter
Bitlocker Settings screen

  • On the Validation screen:
  • Operator: Equals
  • Value: C:
  • Severity: Error

Bitlocker_CI2

  • On the Status screen, change the severity to Error.

Bitlocker_CI3

Completed!

Now create a DCM Baseline containing the Bitlocker Configuration Item and assign it to a collection containing your Windows 7 and Windows Vista computers.

8 thoughts on “Use DCM to monitor that all laptops are encrypted using Bitlocker”

  1. Brett says:
    February 8, 2011 at 9:28 pm

    First off. Love your blog.

    Second, we are currently testing this in a development environment and any computer with two partitions on the primary drive (excluding the system reserved partition) shows noncompliance. When I run the client side evaluation report, it shows that drive letter D: is noncompliant even though the query should only be checking C: (which is encrypted).

    Anyone have any suggestions on how to modify this so that it ONLY checks C:?

    Reply
  2. Aidan Keogh says:
    February 28, 2011 at 5:46 pm

    I see the same thing. Do you know, if the D drive is encrypted, does it still fail?

    Reply
  3. Jörgen Nilsson says:
    February 28, 2011 at 10:01 pm

    I will do some testing as soon as I get my hands on a computer I can do some tests with.
    Sorry for the late reply, it seems like you are on to something.
    /Jörgen

    Reply
  4. Aidan Keogh says:
    March 21, 2011 at 10:50 am

    Any one get an answer to this?

    Reply
  5. Kim Ford says:
    June 6, 2011 at 5:32 pm

    Hi Jörgen,

    When I create a DCM configuration item, I’m faced with a screen that says, “Specify the objects that you want for this configuration item…” When I click New, I can choose Assembly, File/Folder, or Registry key. None of these have a spot to put Namespace, Class, or Property. Am I missing something?

    Thanks,

    Kim

    Reply
  6. Sebastian says:
    July 7, 2011 at 8:29 am

    We had the same problem as Aidan. When the computer has more than one encrypted drive besides C: (e.g. an additional D: volume or E: as an encrypted USB stick) the check returns an Error.

    In this case just add a “WQL query WHERE clause” in your Configuration Item that says DriveLetter=’C:’

    It’s tested and works perfectly in our environment.

    Reply
  7. Jörgen Nilsson says:
    July 7, 2011 at 8:33 am

    Excellent feedback Sebastian, I will update the post with the information.
    /Jörgen

    Reply
  8. DutchGuy says:
    November 30, 2012 at 2:01 pm

    I tried the above post but found out that it’s not working as expected.

    We want to implement a base line for bitlocker compliance on drive C: only (so we don’t care whether other removable drives are encrypted or not), so I’m testing on property ProtectionStatus and validate it to value 1 (integer) in the validation tab.
    added Driveletter= “C:” as a WQL query WHERE clause to narrow it down to C: only

    (“C:” in double quotes, no in single quotes as posted earlier, as this led to the error:
    DiscoveryProvider:Discovery Function query(‘select ProtectionStatus from Win32_EncryptableVolume where DriveLetter=?C:?’,’Root\CIMV2\Security\MicrosoftVolumeEncryption’): An exception of type ‘System.Management.ManagementException’ occurred during execution: Invalid query )

    In the discovery log I now see

    DiscoveryProvider:Discovery Function query(‘select ProtectionStatus from Win32_EncryptableVolume where Driveletter=”C:”‘,’Root\CIMV2\Security\MicrosoftVolumeEncryption’): Object count final: 1.

    Reply
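The following is an added example, not code from the original post or its comments. It reproduces on a single machine what the DCM Configuration Item evaluates, using the namespace, class and property named in the post together with the two refinements from the comment thread: a WQL WHERE clause on DriveLetter (so a second encrypted volume cannot make the evaluation fail) and ProtectionStatus = 1 as the compliance criterion. It assumes an elevated PowerShell session (the MicrosoftVolumeEncryption namespace is not readable by standard users) and PowerShell 3.0 or later for Get-CimInstance; the function names and the "Compliant"/"NonCompliant" output string are my own choices.

```powershell
# Added example (not from the original post or its comments): reproduce locally
# the check the DCM Configuration Item performs. Namespace, class and property
# are the ones named in the post; the DriveLetter WHERE clause and the
# ProtectionStatus criterion come from the comment thread.
# Requires an elevated session.

$Namespace = 'Root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerVolumeState {
    param([string]$DriveLetter = 'C:')

    # The WHERE clause is what keeps a second encrypted volume (D:, E:, a USB
    # stick) from turning the whole evaluation non-compliant. In a CIM filter
    # single quotes are valid WQL; the double-quote requirement reported for the
    # DCM "WQL query WHERE clause" field does not apply here.
    $vol = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume `
        -Filter "DriveLetter='$DriveLetter'" -ErrorAction Stop

    if ($null -eq $vol) {
        throw "No Win32_EncryptableVolume instance found for $DriveLetter"
    }

    [pscustomobject]@{
        DriveLetter      = $vol.DriveLetter
        # 0 = protection off, 1 = protection on, 2 = unknown
        ProtectionStatus = $vol.ProtectionStatus
        # 0 = fully decrypted, 1 = fully encrypted, 2/3 = conversion in progress,
        # 4/5 = conversion paused
        ConversionStatus = $vol.ConversionStatus
    }
}

function Test-OsDriveBitLockerCompliance {
    param([string]$DriveLetter = 'C:')
    try {
        $state = Get-BitLockerVolumeState -DriveLetter $DriveLetter
    } catch {
        # No instance (BitLocker component missing, namespace absent) is a
        # finding, not a pass.
        Write-Warning $_.Exception.Message
        return $false
    }
    # Same criterion as the comment thread: the OS volume must report
    # protection on. ConversionStatus is returned above for troubleshooting
    # (a drive still encrypting is visible there).
    return ($state.ProtectionStatus -eq 1)
}

# Emit a single string; hypothetical use as the discovery script of a
# script-based setting, with "Compliant" as the expected value.
if (Test-OsDriveBitLockerCompliance -DriveLetter 'C:') { 'Compliant' } else { 'NonCompliant' }
```

Run it once on a compliant and once on a non-compliant test machine before building a baseline around it; the ConversionStatus field is what distinguishes "BitLocker was never turned on" from "encryption is still running", which the ProtectionStatus value alone does not tell you.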

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
