Not that long ago we noticed that not all Windows 7 laptops were encrypted with BitLocker due to a script failure. Of course this should be corrected as soon as possible. Since BitLocker is enabled through a Task Sequence within SCCM 2007 and not through a group policy, we needed a list of laptops that were not encrypted. This way we could create a collection and run BitLocker on this collection.

First of all we needed to create a list of the laptops involved. Unfortunately Active Directory couldn’t give us the information we needed, even though the BitLocker key is stored in an attribute within Active Directory. Somehow the information Active Directory gave us didn’t match reality: sometimes Active Directory showed us laptops as not encrypted, but when we checked them physically they were encrypted. That gave us the idea to look for another solution, because we didn’t have a lot of time to troubleshoot this problem. So why not check the BitLocker status through SCCM 2007? Since SCCM already does an inventory, this should be easy to do.
Environment description:

– Windows 2008 R2 SP1
– Windows 7 SP1
– SCCM 2007 R2
– RES Workspacemanager 2010
– App-V 4.6

Action:

Collect the information we need by adjusting the “SMS_DEF.MOF” and “CONFIGURATION.MOF” files. These files are found in “%SCCMinstallpath%\inboxes\clifiles.src\hinv”
Execution:

First of all we need to copy and back up the original sms_def.mof and configuration.mof files. After that we added the following code to the end of the sms_def.mof file.

At last we added the following code to the end of the Configuration.mof file.

We also added some specific registry keys to the inventory. For this I used an application by Mark Cochrane that I found on myITforum.com.

Download link: http://www.myitforum.com/inc/upload/12336RegKeyToMOF.zip

Below is an example screenshot of what it does. You can easily select the registry key(s) you want to add to the SCCM inventory and copy and paste them into the sms_def.mof and configuration.mof files.


We used the following queries to create the collections for the laptops.

Bitlocker Off:

Bitlocker On:

This way we could monitor which laptops still needed to be encrypted and which were already encrypted. Machines still running the encryption process are shown in the BitLocker Off collection.
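As an added example of the sms_def.mof extension described above (this is not the code from the original post), the block below inventories the BitLocker WMI class so the collection queries can read its ProtectionStatus; the group name “BitLocker”, the class id string and the resulting reporting class name SMS_G_System_BITLOCKER are assumptions, and the four properties are the ones the Windows 7 class exposes.

```mof
// Added example, not the original post's code: extends SCCM 2007 hardware
// inventory with the Win32_EncryptableVolume class from the BitLocker WMI
// provider. Append to the end of sms_def.mof. This particular class needs no
// configuration.mof entry, because its WMI provider already exists on the client.
#pragma namespace ("\\\\.\\root\\cimv2\\sms")

[ SMS_Report (TRUE),
  // Assumed group name: the reporting class becomes SMS_G_System_BITLOCKER
  SMS_Group_Name ("BitLocker"),
  // Assumed class id; any unique "VENDOR|CLASS|VERSION" string works
  SMS_Class_ID ("MICROSOFT|BITLOCKER|1.0"),
  // Source namespace on the client; backslashes are escaped twice
  // (once for the MOF string, once for the qualifier value)
  Namespace ("\\\\\\\\.\\\\root\\\\cimv2\\\\Security\\\\MicrosoftVolumeEncryption") ]
class Win32_EncryptableVolume : SMS_Class_Template
{
    // Unique volume identifier, used as the inventory key
    [ SMS_Report (TRUE), key ] string DeviceID;
    // Drive letter (e.g. "C:") so the OS volume can be selected in a query
    [ SMS_Report (TRUE) ] string DriveLetter;
    [ SMS_Report (TRUE) ] string PersistentVolumeID;
    // 0 = protection off (also while encryption is still in progress),
    // 1 = protection on, 2 = unknown
    [ SMS_Report (TRUE) ] uint32 ProtectionStatus;
};
```

Check the file with “mofcomp.exe -check sms_def.mof” before deploying it; after the next hardware inventory cycle a collection rule can select resources whose SMS_G_System_BITLOCKER row for drive C: has ProtectionStatus = 0 (not encrypted or still encrypting) or 1 (encrypted).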

Some tips:

  • back up your original “SMS_DEF.mof” and “CONFIGURATION.mof” files
  • check the integrity of your mof files before bringing them into production. You can use the command: “mofcomp.exe -check yourmofname.mof”