We recently had the need to gather the Bitlocker Status of the Windows machines in our environment.
By that time, the BitLocker Status - Custom Inventory document created by @Steve Gibbs (thank you!) didn't exist yet, so we went ahead and gave it a try but by adding a new WMI class to our Hardware Inventory Filter, and it worked nicely and with very little caveats (which are listed below under the Notes and Caveats).
The advantage of using the Hardware Inventory is it's automatically scanned on the machines (depending on your environment's configuration), vs the Custom Inventory which needs to be updated using an Operational Rule, which can be scheduled to run on a certain basis, but still, it would be an extra task added to the agent's workload and we try to avoid that as much as possible.
Here are the steps to add the WMI Class to your Hardware Inventory:
- Navigate into Global Settings / Inventory Filters / Hardware Inventory.
- Open the "Managed WMI Classes" Tab on the right, and press the "Create a new WMI class" button.
- Enter "root/cimv2/security/MicrosoftVolumeEncryption" under "WMI Namespace".
- Enter "Win32_EncryptableVolume" under "Windows WMI Class".
- Enter whatever you want as the "Display Name", we used "Bitlocker". This name will be used to group the attributes in the Hardware Inventory.
- Click OK.
- This is how it should look like after it's been added:
Navigate into Global Settings / Inventory Filters / Hardware Inventory / <Your Hardware Inventory Filter's Name> / WMI Filters.
- Press the "Add a new WMI class" button.
- Select the class' name you created on step 3 from the "Name" dropdown menu, "Bitlocker" in our case, select "Accept" under "Action", and click OK.
- Press the "Save the modifications in the XML file" button.
- All set!
The next step would be to re-assign the Hardware Inventory filter to all your Windows devices, which is done from your Hardware Inventory Filter's Assigned Objects node.
This is how it looks like once the Hardware Inventory is collecting the Bitlocker Status - you'll use the "ProtectionStatus" attribute to tell if the drive has been encrypted with Bitlocker or not (the description of each "ProtectionStatus" value is available in the following Microsoft document):
Notes and Caveats
- The Hardware Inventory filter must be up-to-date in the device to capture the Bitlocker status in the next Hardware Inventory scan, which is usually done on the device start-up (depending on your environment's configuration), or can also be launched through an Operational Rule.
- The WMI Class object will collect the status of all the drives in the system, not only the main OS drive, so be wary of this when creating queries/reports.
- Sometimes when machines go through Windows 10 Feature Updates, the ProtectionStatus will change from 1 to 0 after the first reboot. This is "normal", and it should return to 1 after a subsequent reboot.
Hope this helps someone!