CCMEXEC.COM – Enterprise Mobility

Bitlocker Compliance using SCCM including Hardware encryption check

Posted on November 7, 2018 by Jörgen Nilsson

A quick post on how to check BitLocker compliance in a way that also marks every computer using “Hardware” encryption as non-compliant, which can be useful after the recent security advisory for SSDs with hardware encryption:
https://redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx?fbclid=IwAR21wX_6S32eyqdRXDeoNqdjb6DZw8UPNXT_d2FQ8pdH52Jop9lvx7g6Tko  

And the Security advisory from Microsoft on the topic.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028

This started with a discussion with Mattias Borg (@MattiasBorg82, http://Sec-labs.com) and input from Robert Israelsson and the rest of the System Center User Group Sweden, SCUG.SE. Awesome!

But only checking for hardware encryption would not be much fun, so we also check that encryption is enabled. All machines without BitLocker enabled are then flagged as “Non-compliant” too, which is great as they also need attention, so we get double benefit from the compliance check. If you only want to check for “Hardware” encryption, the values returned by PowerShell for the encryption method are:

None
Aes128Diffuser
Aes256Diffuser
Aes128
Aes256
Hardware
XtsAes128
XtsAes256
Unknown

You can also remove any encryption methods you shouldn’t be using from the list in the script below, so that they are marked as non-compliant as well.

The PowerShell script:

# Pick out the operating system volume, but only if BitLocker protection is turned on.
# A volume that is unencrypted or suspended (ProtectionStatus "Off") is filtered away here.
$BitlockerVolume = Get-BitLockerVolume | Select-Object EncryptionMethod,MountPoint,VolumeType,ProtectionStatus | Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Return $true only for an approved software encryption method.
# Anything else, including "Hardware", "None" and "Unknown", returns $false.
switch ($BitlockerVolume.EncryptionMethod) {
    Aes128         { $true }
    Aes256         { $true }
    Aes128Diffuser { $true }
    Aes256Diffuser { $true }
    XtsAes128      { $true }
    XtsAes256      { $true }
    Default        { $false }
}

We put that in a Configuration Item with the settings type “Script” and Data Type “Boolean” as shown below.

With the following Compliance rule:

If we only want to catch drives with hardware encryption, the PowerShell script can be edited to check only for that. (I haven’t tested it, I don’t have a disk with HW encryption.)

# Same selection as above: the protected operating system volume
$BitlockerVolume = Get-BitLockerVolume | Select-Object EncryptionMethod,MountPoint,VolumeType,ProtectionStatus | Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Only "Hardware" encryption is reported as non-compliant; every other method passes
switch ($BitlockerVolume.EncryptionMethod) {
    Hardware { $false }
    Default  { $true }
}
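As an added example (not the post’s script or the one in the downloadable baseline), the two checks above folded into a single CI discovery script. It returns an explicit $false when BitLocker reports no operating system volume or the cmdlet fails, instead of relying on the switch’s Default branch, and logs the reason with Write-Verbose while still emitting exactly one Boolean. The function name Test-OsVolumeCompliance and the $ApprovedMethods list are my own.

```powershell
# Added example, not the post's own script. Approved software encryption methods,
# taken from the list in the post; remove any you do not want in your environment.
# "Hardware" is deliberately absent so ADV180028-affected drives are non-compliant.
$ApprovedMethods = @('Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser', 'XtsAes128', 'XtsAes256')

function Test-OsVolumeCompliance {
    param(
        [string[]]$Approved = $ApprovedMethods
    )

    # Fail closed: if BitLocker cannot be queried the machine needs attention anyway.
    try {
        $OsVolumes = @(Get-BitLockerVolume -ErrorAction Stop | Where-Object { $_.VolumeType -eq 'OperatingSystem' })
    } catch {
        Write-Verbose "Get-BitLockerVolume failed: $_"
        return $false
    }

    # No OS volume reported at all: return $false explicitly rather than switching on $null.
    if ($OsVolumes.Count -eq 0) {
        Write-Verbose 'BitLocker reported no operating system volume'
        return $false
    }

    foreach ($Volume in $OsVolumes) {
        # ProtectionStatus "Off" covers both never-encrypted and suspended volumes.
        if ($Volume.ProtectionStatus -ne 'On') {
            Write-Verbose "$($Volume.MountPoint): protection is $($Volume.ProtectionStatus)"
            return $false
        }

        # Compare as a string so the check is independent of how the enum is surfaced.
        $Method = [string]$Volume.EncryptionMethod
        if ($Approved -notcontains $Method) {
            Write-Verbose "$($Volume.MountPoint): encryption method '$Method' is not approved"
            return $false
        }
    }

    return $true
}

# The Configuration Item reads the single Boolean written to the pipeline.
Test-OsVolumeCompliance
```

Run it with -Verbose during testing (for example as `Test-OsVolumeCompliance -Verbose` from a console) to see which condition caused a $false before deploying it as a CI.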

The .cab file with the baseline and CI can be downloaded from GitHub: https://github.com/SweJorgen/SCCM-Configuration-Items
I hope this is useful.

6 thoughts on “Bitlocker Compliance using SCCM including Hardware encryption check”

  1. Jose Espitia says:
    November 7, 2018 at 7:13 pm

    I wish I would have seen this earlier. I wrote a script earlier this morning to find any computers that had Hardware Encryption.
    You can find it on my post below:
    https://www.joseespitia.com/2018/11/07/sccm-script-to-identify-systems-vulnerable-to-adv180028/

    Reply
  2. Nicholas says:
    November 8, 2018 at 11:24 am

    Running SCCM 1806, imported the cab file and deployed to a test machine, but compliance rule comes back as an error.
    If I run the PowerShell script manually, I get the following error: Invalid Character Line 1 Char 1

    Reply
  3. Nick says:
    November 8, 2018 at 2:06 pm

    Nice! I took a slightly different approach, but using the same methodology, but I don’t think we have any hardware encryption machines in our environment either.

    I used:

    Get-WmiObject -Namespace "Root\cimv2\security\MicrosoftVolumeEncryption" -ClassName "Win32_EncryptableVolume" -Filter "DriveLetter = 'C:'" | Select-Object -ExpandProperty EncryptionMethod

    This returns an integer and I used a compliance rule to check that it’s not equal to 5. If it isn’t – it was compliant, and if not, it was non-compliant.

    Doing some research, it seems a lot of things need to be true for hardware encryption to occur on its own.

    Reply
  4. DL says:
    November 8, 2018 at 10:30 pm

    When I run your script locally the result comes back as True (as it should). But in SCCM my compliance state shows up as Error. What am I doing wrong here?

    Reply
  5. Vegard says:
    January 14, 2019 at 2:31 pm

    I also have 2 additional rules:
    machines where BitLocker is suspended
    machines that check for TPM problems using Get-TPM

    Reply
    1. Jörgen Nilsson says:
      January 18, 2019 at 4:03 pm

      Hi,
      That sounds like a good solution!
      Regards,
      Jörgen

      Reply

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.