Bitlocker Compliance using SCCM including Hardware encryption check

A quick post on how to check BitLocker compliance in a way that also marks every computer using “Hardware” encryption as non-compliant, which can be useful after the recent security advisory for SSDs with hardware encryption:  

And the Security advisory from Microsoft on the topic.

This started with a discussion with Mattias Borg,@MattiasBorg82 – and input from Robert Israelsson and the rest in System center user group Sweden – SCUG.SE awesome!

But only checking for Hardware encryption would not be any fun, so we check that encryption is enabled as well; all machines without BitLocker enabled will then also be flagged as “Non-compliant”, which is great as they also need attention. So we get a double benefit from the compliance check. If you only want to check for “Hardware” encryption, the values returned by PowerShell are:


You can also remove any encryption methods you shouldn’t be using from the list below, so that machines using them are marked as non-compliant as well.

The PowerShell script:

# Only the OS volume, and only if BitLocker protection is actually on.
# If nothing matches, $BitlockerVolume is $null and the switch falls through to Default ($false).
$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Return $true only for the software encryption methods we accept; anything else
# (including "Hardware", "None" and an unprotected volume) returns $false.
switch ($BitlockerVolume.encryptionmethod) {
Aes128 { $true }
Aes256 { $true }
Aes128Diffuser { $true }
Aes256Diffuser { $true }
XtsAes128 { $true }
XtsAes256 { $true }
Default { $false }
}

We put that in a Configuration Item with the settings type “Script” and Data Type “Boolean” as shown below.

With the following Compliance rule:

If we only want to catch drives with hardware encryption, the PowerShell script can be edited to check only for that. (Not tested, as I don’t have a disk with HW encryption.)

$BitlockerVolume = Get-BitLockerVolume | select encryptionmethod,mountpoint,VolumeType,ProtectionStatus |? { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Only "Hardware" is non-compliant here; every other value (including $null when
# no protected OS volume is found) is treated as compliant.
switch ($BitlockerVolume.encryptionmethod) {
Hardware { $false }
Default { $True }
}
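As an added example (not part of the original post or the downloadable baseline), here are both checks combined into one function that can be run against constructed volume objects, so the logic can be verified on a machine that has no hardware-encrypting disk. The function name, its parameters and the sample objects are my own; real input comes from Get-BitLockerVolume.

```powershell
# Returns $true only if every OperatingSystem volume has protection On and uses
# an allowed software encryption method. "Hardware" (self-encrypting drive) and
# any method not in the allow list are non-compliant, as is a missing OS volume.
function Test-BitLockerOsVolumeCompliance {
    param(
        # Output of Get-BitLockerVolume, or any object with the same properties
        [Parameter(Mandatory)] [object[]] $Volumes,
        # Accepted software-only methods; trim this list to match your policy
        [string[]] $AllowedMethods = @('XtsAes128','XtsAes256','Aes128','Aes256',
                                       'Aes128Diffuser','Aes256Diffuser')
    )
    $osVolumes = $Volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $osVolumes) { return $false }            # no OS volume reported at all
    foreach ($v in $osVolumes) {
        $method = "$($v.EncryptionMethod)"            # enum -> string for comparison
        if ("$($v.ProtectionStatus)" -ne 'On') { return $false }  # off or suspended
        if ($method -eq 'Hardware') { return $false }              # SED / eDrive
        if ($AllowedMethods -notcontains $method) { return $false } # e.g. 'None'
    }
    return $true
}

# Constructed sample objects (hypothetical, for local testing only)
$samples = [ordered]@{
    Software = [pscustomobject]@{ MountPoint='C:'; VolumeType='OperatingSystem'; ProtectionStatus='On';  EncryptionMethod='XtsAes256' }
    Hardware = [pscustomobject]@{ MountPoint='C:'; VolumeType='OperatingSystem'; ProtectionStatus='On';  EncryptionMethod='Hardware'  }
    Off      = [pscustomobject]@{ MountPoint='C:'; VolumeType='OperatingSystem'; ProtectionStatus='Off'; EncryptionMethod='None'      }
    DataOnly = [pscustomobject]@{ MountPoint='D:'; VolumeType='Data';            ProtectionStatus='On';  EncryptionMethod='XtsAes256' }
}
foreach ($name in $samples.Keys) {
    '{0,-8} -> {1}' -f $name, (Test-BitLockerOsVolumeCompliance -Volumes $samples[$name])
}

# For the Configuration Item (Data Type Boolean), return only the result:
# Test-BitLockerOsVolumeCompliance -Volumes (Get-BitLockerVolume)
```

Only the Software sample evaluates to True; Hardware, Off and DataOnly (no OS volume in the input) all evaluate to False.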

The .cab file with the baseline and CI can be downloaded from GitHub.
I hope this is useful.

