Detect, Inventory and report about the encryption method used by Bitlocker thru ConfigMgr

6:54 pm in bitlocker, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr Dashboards, ConfigMgr SP2, Encryption, Inventory, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM Dashboards, sccm RTM, SCCM v.Next, sccm2007 by Kenny Buntinx [MVP]


Recently at a client, we needed to provide a report that was listing what Bitlocker Encryption strength method was used. That information had to be fed into the CMDB to make sure we had ‘256AES with Diffuser’ enabled.

Unfortunately, Configmgr 2012 does deliver out-of-the-box a way to determine what Bitlocker Encryption strength method, and that means the information is not in the registry or WMI.

Dependencies :

Well I tried to find an easy way , and the customer required a solution that was :

– Flexible and dynamic as they where constantly migrating from Mcafee Disk Encryption to Bitlocker and the CMDB had to be dynamically updated.

– Centrally managed code , meaning that if we needed to change anything to the code , it had to be intelligent enough to update it auto magically to all clients.

– Had to be reliable .

The solution :

– was to use a kind of detection powershell script for the Bitlocker Encryption strength using the standard powershell commandlet ‘Manage-bde’ .

– The script was to be used with a “compliance Item” and deployed thru a “Baseline” as one of my colleagues Henrik Hoe explains here : . By using a CI , you will meet the centrally managed code part , but also the automatically way of updating the detection logic to all clients.

Forget about the old package/program way and then a way to execute the script on regular basis ( That can all be done thru the Baseline deployment)

– The script will be executed and will write a registry value BitlockerEncryptionStrenght = “TheActualValue”  and the baseline will report complaint when it has the ‘256AES with Diffuser’ detected. When the machine is not bitlockered at all , we will write a value  BitlockerEncryptionStrenght = “None”

$ErrorActionPreference="silentlycontinue" $StrBEncryption = "" $objBEncryption = "" $objBEncryption=manage-bde.exe -status |Where-Object{$_ -like "*encryption method*"} $arrBEncryption=$objBEncryption.Split(":") $StrBEncryption=$arrBEncryption[1].Trim() If ($StrBEncryption.Contains("AES")) { New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value $StrBEncryption -Property String -Force -ErrorAction SilentlyContinue | Out-Null if ($StrBEncryption -eq "AES 256 with Diffuser") { return 1 } } Else { New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value "None" -Property String -Force -ErrorAction SilentlyContinue | Out-Null Return 0 }

– We will pick the value up later with a custom registry key hardware inventory extension and use that in our reporting later on. For more details on how to do it :

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP