Today I am going to share a Configuration Baseline that extends ConfigMgr hardware inventory to report BitLocker status as well as hard drive media type. This is particularly useful given the recently disclosed flaws in the hardware encryption of several SSDs, which BitLocker used by default whenever a drive advertised support for it, so a volume that reports as "encrypted" may in fact be protected only by the drive's broken firmware. See https://www.engadget.com/2018/11/06/microsofts-bitlocker-compromised-by-bad-ssd-encryption/ for additional details on this issue.
First, download and import the Bitlocker Extended Inventory configuration baseline into your ConfigMgr hierarchy.
- Open the ConfigMgr Console
- Navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines
- Click on Import Configuration Data in the ribbon
- Select Add, browse to the "Bitlocker Extended Inventory.cab" file downloaded previously and click Open.
- Click Yes on the publisher warning, then Next twice to complete the import.
- Deploy the baseline to all workstations whose inventory you want to extend. The class only appears on a client after the baseline has been evaluated there, which matters for the next step.
Next, extend ConfigMgr hardware inventory to collect the newly added WMI class.
- Open the ConfigMgr Console
- Navigate to \Administration\Overview\Client Settings and open Properties on the "Default Client Settings".
- I generally advise against modifying the "Default Client Settings", but new WMI classes can only be added to hardware inventory from there, whether you connect to a client through the GUI as below or import a MOF; custom client settings can only enable or disable classes the site already knows about.
- Select Hardware Inventory from the Default Settings and then select “Set Classes…“
- Select “Add…” from the Hardware Inventory Classes screen.
- Click Connect, enter the name of a computer on which the baseline from the previous section has already been evaluated (so the class exists there), and click Connect again.
- Check the box next to BitlockerExtended and click OK twice. Clients will report the class on their next hardware inventory cycle.
The rest is up to you, go save the world!
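As an added example, not the script shipped in the baseline's cab, here is the kind of remediation script that produces such a class in PowerShell. It combines Get-PhysicalDisk (media type, bus, model, firmware) with Win32_EncryptableVolume (encryption method, conversion and protection status, key protectors), one instance per BitLocker-capable volume. It assumes the class lives in root\cimv2, uses the v_GS_BITLOCKEREXTENDED column names from this page for its properties, and adds two assumed properties the page does not name, DiskModel and LastRun. The combination to look for afterwards is DiskType = SSD with EncryptionMethod = Hardware Encryption.

```powershell
# Added example (not the baseline's own remediation script): populate a custom WMI class,
# root\cimv2:BitlockerExtended, with one instance per BitLocker-capable volume.
# Property names follow the v_GS_BITLOCKEREXTENDED columns; DiskModel and LastRun are
# assumed names. Requires Windows 8 / Server 2012 or newer (Storage module) and an
# elevated Windows PowerShell session.
$Namespace = 'root\cimv2'
$ClassName = 'BitlockerExtended'

# Value maps from the Win32_EncryptableVolume documentation.
$EncryptionMethods = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'
                        3 = 'AES 128'; 4 = 'AES 256'; 5 = 'Hardware Encryption'
                        6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
$ConversionStates  = @{ 0 = 'Fully Decrypted'; 1 = 'Fully Encrypted'; 2 = 'Encryption In Progress'
                        3 = 'Decryption In Progress'; 4 = 'Encryption Paused'; 5 = 'Decryption Paused' }
$ProtectionStates  = @{ 0 = 'Protection Off'; 1 = 'Protection On'; 2 = 'Unknown' }
$KeyProtectorTypes = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External Key'; 3 = 'Numerical Password'
                        4 = 'TPM And PIN'; 5 = 'TPM And Startup Key'; 6 = 'TPM And PIN And Startup Key'
                        7 = 'Public Key'; 8 = 'Passphrase'; 9 = 'TPM Certificate'; 10 = 'CNG Protector' }

function Resolve-Name([hashtable]$Table, $Value) {
    # Map a numeric WMI value to its name; unknown codes stay visible in the report.
    if ($null -ne $Value -and $Table.ContainsKey([int]$Value)) { $Table[[int]$Value] } else { "Unknown ($Value)" }
}

# Drop and recreate the class each run so instances for removed disks never linger.
if (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue) {
    ([wmiclass]"${Namespace}:${ClassName}").Delete()
}
$class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
$class['__CLASS'] = $ClassName
$class.Qualifiers.Add('Static', $true)
foreach ($p in 'ComputerName', 'DeviceID', 'DriveLetter', 'BusType', 'DiskType', 'DiskModel',
               'SerialNumber', 'DiskFirmwareVersion', 'EncryptionMethod', 'VolumeStatus',
               'ProtectionStatus', 'KeyProtectors') {
    $class.Properties.Add($p, [System.Management.CimType]::String, $false)
}
$class.Properties.Add('DiskSize', [System.Management.CimType]::UInt64, $false)
$class.Properties.Add('LastRun', [System.Management.CimType]::DateTime, $false)
$class.Properties['DeviceID'].Qualifiers.Add('Key', $true)   # one instance per volume
$class.Put() | Out-Null

$disks   = Get-PhysicalDisk
$volumes = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -ClassName Win32_EncryptableVolume
$stamp   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date))

foreach ($vol in $volumes) {
    # Drive letter -> partition -> disk number -> physical disk (DeviceId is the disk number as a string).
    $disk = $null
    if ($vol.DriveLetter) {
        $part = Get-Partition | Where-Object { "$($_.DriveLetter):" -eq $vol.DriveLetter } | Select-Object -First 1
        if ($part) { $disk = $disks | Where-Object { $_.DeviceId -eq [string]$part.DiskNumber } | Select-Object -First 1 }
    }

    # Enumerate key protectors (type 0 = all) and resolve each ID to its protector type.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    $protectors = foreach ($id in $ids) {
        $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        Resolve-Name $KeyProtectorTypes $t
    }

    $inst = $class.CreateInstance()
    $inst.ComputerName        = $env:COMPUTERNAME
    $inst.DeviceID            = $vol.DeviceID
    $inst.DriveLetter         = $vol.DriveLetter
    $inst.BusType             = if ($disk) { [string]$disk.BusType }   else { 'Unknown' }
    $inst.DiskType            = if ($disk) { [string]$disk.MediaType } else { 'Unknown' }
    $inst.DiskModel           = if ($disk) { $disk.Model }             else { 'Unknown' }
    $inst.SerialNumber        = if ($disk) { "$($disk.SerialNumber)".Trim() } else { 'Unknown' }
    $inst.DiskFirmwareVersion = if ($disk) { $disk.FirmwareVersion }   else { 'Unknown' }
    $inst.DiskSize            = if ($disk) { [uint64]$disk.Size }      else { [uint64]0 }
    $inst.EncryptionMethod    = Resolve-Name $EncryptionMethods $vol.EncryptionMethod
    $inst.VolumeStatus        = Resolve-Name $ConversionStates  $vol.ConversionStatus
    $inst.ProtectionStatus    = Resolve-Name $ProtectionStates  $vol.ProtectionStatus
    $inst.KeyProtectors       = if ($protectors) { $protectors -join ', ' } else { 'None' }
    $inst.LastRun             = $stamp
    $inst.Put() | Out-Null
}
```

The class is rebuilt on every run rather than updated in place so that a volume or disk that has been removed does not keep reporting through inventory; the LastRun stamp is what a discovery script can later use to decide whether the data is stale.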
Here is some T-SQL to get you going on creating your own SSRS report or dashboard. The original query was missing its SELECT keyword and reused DiskFirmwareVersion0 for the Disk Model column; the model column is assumed below to be DiskModel0, following the class's naming pattern, so confirm it against the view in your site database.

```sql
-- Columns come from the BitlockerExtended class as surfaced in v_GS_BITLOCKEREXTENDED.
-- DiskModel0 is assumed from the class's naming pattern; confirm it against the view.
SELECT
    BLE.ComputerName0        AS [Computer Name],
    BLE.DeviceID0            AS [Device ID],
    BLE.DriveLetter0         AS [Drive Letter],
    BLE.BusType0             AS [Bus Type],
    BLE.DiskType0            AS [Disk Type],
    BLE.DiskModel0           AS [Disk Model],
    BLE.SerialNumber0        AS [Serial Number],
    BLE.DiskFirmwareVersion0 AS [Firmware Version],
    BLE.DiskSize0            AS [Disk Size],
    BLE.EncryptionMethod0    AS [Encryption Method],
    BLE.VolumeStatus0        AS [Volume Status],
    BLE.ProtectionStatus0    AS [Protection Status],
    BLE.KeyProtectors0       AS [Key Protectors]
FROM v_GS_BITLOCKEREXTENDED BLE
-- To isolate the drives exposed by the SSD flaw, filter on EncryptionMethod0 for the
-- hardware-encryption value and on DiskType0 for SSDs, matching whatever form the
-- script stores, e.g.
-- WHERE BLE.EncryptionMethod0 = 'Hardware Encryption' AND BLE.DiskType0 = 'SSD'
ORDER BY BLE.ComputerName0, BLE.DriveLetter0
```
The disk data is retrieved with the Get-PhysicalDisk cmdlet in PowerShell, which is available in Windows 8 / Windows Server 2012 and newer, so this baseline is limited to those platforms. More info on the cmdlet is here: https://docs.microsoft.com/en-us/powershell/module/storage/get-physicaldisk?view=win10-ps
If you view Resource Explorer on one of your extended clients you'll notice a new class, "Bitlocker Extended". Use the Disk Model and Disk Type columns to check whether a disk is one of the affected models, and the Encryption Method column to see whether BitLocker is actually relying on the drive's hardware encryption: a vulnerable SSD that BitLocker encrypts in software is not exposed by this flaw, while one reporting Hardware Encryption is.
All possible values for Encryption Method are listed here: https://docs.microsoft.com/en-us/windows/desktop/SecProv/getencryptionmethod-win32-encryptablevolume (hardware encryption is value 5, HARDWARE_ENCRYPTION).
The baseline is great for getting the class created on clients and ensuring all of your devices are compliant with having this extension, but a baseline only runs its remediation when discovery reports non-compliance, so once the class exists the data is never refreshed. If you want regular updates, push the remediation script out independently as a standalone package or via the Run Scripts action. For extra credit you could also modify the discovery script so it reports non-compliance not only when the class is missing but also when the data is older than the baseline's last evaluation time minus x days, which makes the baseline itself re-run the remediation periodically. Hope this helps someone; while the code appears to be reporting properly in my customer's environment, your mileage may vary, so please test as usual.
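An added example of that discovery-side change in PowerShell, not the baseline's own discovery script: it reports non-compliance when the class is missing, empty, or older than a freshness window, so the baseline re-runs the remediation on a schedule instead of once. It assumes the class lives in root\cimv2, that each instance carries a LastRun CIM datetime property stamped by the remediation script, and that the configuration item's compliance rule compares the script output against the string Compliant; the 7-day window is a placeholder to adjust to your inventory cycle.

```powershell
# Added example discovery script (not the one in the baseline's cab). Returns 'Compliant'
# only when root\cimv2:BitlockerExtended exists, has instances, and the oldest LastRun
# value is within $MaxAgeDays; anything else returns 'NonCompliant' so remediation runs.
# LastRun and the 7-day window are assumptions, not something the page defines.
$MaxAgeDays = 7
$Namespace  = 'root\cimv2'
$ClassName  = 'BitlockerExtended'

function Test-BitlockerExtendedFresh {
    param([int]$MaxAgeDays)

    # Class missing entirely: the remediation has never run on this client.
    $class = Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue
    if (-not $class) { return $false }

    # Class present but empty (e.g. a run that failed after recreating the class).
    $instances = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue)
    if ($instances.Count -eq 0) { return $false }

    # Get-CimInstance surfaces CIM datetimes as [datetime]; a missing LastRun means an
    # older class layout without the stamp, which we also treat as stale.
    $oldest = $instances | ForEach-Object { $_.LastRun } | Where-Object { $_ } | Sort-Object | Select-Object -First 1
    if (-not $oldest) { return $false }

    return ($oldest -gt (Get-Date).AddDays(-$MaxAgeDays))
}

if (Test-BitlockerExtendedFresh -MaxAgeDays $MaxAgeDays) { 'Compliant' } else { 'NonCompliant' }
```

Using the oldest LastRun rather than the newest means a partially refreshed class (one volume stamped today, another last week) still triggers a full rebuild, which is what you want when the remediation recreates the whole class in one pass.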