Logs of an SMS Administrator at myITforum.com

Losing Hair Daily in the Name of Technology


SCCM 2007 - Configuration - Collection and Reporting on Laptops - Part 5

This article is a follow-up to the articles I posted on June 18, July 11, and July 12, 2011.

Collecting and Reporting on Laptops - Part 1

Collecting and Reporting on Laptops - Part 2

Collecting and Reporting on Laptops - Part 3

Collecting and Reporting on Laptops - Part 4

Just a really short note on a particular gotcha I've encountered while applying BitLocker to Windows 7 machines.

On occasion, when applying BitLocker to a machine, it will not report its status and shows up in the non-reporting section of my reports. I have found that a non-reporting machine is either not encrypted (and never has been encrypted) or has an issue as described below. You can run the following commands locally, or remotely by running a command prompt on the remote machine (I use PsExec, located here: http://technet.microsoft.com/en-us/sysinternals/bb896649).

To get the BitLocker status on the machines, type the following:

manage-bde -status

On a machine which has not been encrypted, you will receive the following message:

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

ERROR: There are no disk volumes that can be protected with BitLocker Drive Encryption.

On a machine which has been encrypted but is affected by the issue I'm describing here, you will receive the following message:

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x8004100e):
Invalid namespace

Generally, an invalid namespace error indicates that the namespace you are trying to query does not exist within WMI. What I have found, although I do not know why at this time, is that for some reason the necessary namespace is never created during the encryption process. (I need to research this when I have some free time.) I've validated this by browsing WMI on two encrypted machines: one with the error and one acting normally.

By compiling the following MOF file on the affected machine, you can resolve this issue.

Navigate to the following directory:

C:\Windows\System32\wbem\

and issue the following command:

mofcomp.exe win32_encryptablevolume.mof

After the file successfully compiles, you will receive the following message:

Microsoft (R) MOF Compiler Version 6.1.7600.16385
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: win32_encryptablevolume.mof
MOF file has been successfully parsed
Storing data in the repository...
Done!

If you perform another status check, you will receive a message like the following (the contents depend on how you are encrypting the drives, but you will get the picture):

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Default]
[OS Volume]

    Size:                 232.59 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Perform a hardware inventory on the now "fixed" machine; after the data flows up, it will fall off your non-reporting report and become "compliant".
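The whole procedure above can be scripted so that the MOF is only recompiled when manage-bde actually returns code 0x8004100e. This is an added example, not the author's script; the helper name Get-BdeStatusText is hypothetical, and the last step assumes the ConfigMgr client is installed (the root\ccm namespace and the hardware inventory schedule ID are not from the original article).

```powershell
# Added example, not the author's script. Run elevated on the affected machine.
# Uses only cmdlets available in PowerShell 2.0 (shipped with Windows 7).

$wbem = Join-Path $env:SystemRoot 'System32\wbem'
$mof  = Join-Path $wbem 'win32_encryptablevolume.mof'

function Get-BdeStatusText {
    # Hypothetical helper: capture manage-bde stdout and stderr as one string.
    (& manage-bde.exe -status 2>&1 | Out-String)
}

$status = Get-BdeStatusText

if ($status -notmatch '0x8004100e') {
    # The machine either reports normally or has a different problem
    # (for example, no volumes that can be protected). Leave WMI alone.
    Write-Output 'Invalid namespace error not present; no repair attempted.'
    Write-Output $status
    return
}

if (-not (Test-Path $mof)) {
    Write-Error "MOF file not found: $mof"
    return
}

# Recompile the BitLocker provider definition into the WMI repository.
& (Join-Path $wbem 'mofcomp.exe') $mof
if ($LASTEXITCODE -ne 0) {
    Write-Error "mofcomp.exe failed with exit code $LASTEXITCODE"
    return
}

# Confirm the error is gone before asking the client to report.
$status = Get-BdeStatusText
if ($status -match '0x8004100e') {
    Write-Error 'manage-bde still reports code 0x8004100e after compiling the MOF.'
    return
}
Write-Output $status

# Assumption: the ConfigMgr client is installed. This schedule ID is the
# Hardware Inventory cycle, so the corrected status flows up without waiting.
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000001}' | Out-Null
```

Keep the final status output with your records: a machine that was in the non-reporting bucket should be confirmed as "Protection On" before it is counted as compliant.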

I hope this can help some people.

Cheers!

Published Thursday, October 06, 2011 10:16 AM by mlucero
