Request for Guidance on BitLocker Drive Status Full Inventory in Device Hardware - TPM


Hello Intune Community,

I'm currently managing a fleet of devices with BitLocker encryption, and I'd like to perform a full inventory of BitLocker drive status in the "Device Hardware" section of Intune, specifically focusing on the state of Trusted Platform Module (TPM) for each device.

While Intune provides some default information about BitLocker encryption status, it doesn't seem to offer a comprehensive inventory of TPM status and other BitLocker-related details.

Could you please guide me on how to collect detailed information on BitLocker encryption and TPM status for all devices in my organization using Intune or third-party tools if necessary? I'm particularly interested in:

  1. TPM version and status (Enabled/Disabled).
  2. BitLocker encryption status, including drive encryption and recovery key information.
  3. Any additional BitLocker-related details that can be collected.

Hi @Akhil5603,

Intune has a built-in TPM and encryption report (Device --> Monitor --> Encryption report) where you can see device name, OS, OS version, TPM version, encryption readiness, encryption status and user principal name.


To gather more detailed information, you can use a custom PowerShell script that should collect more information on TPM status and BitLocker encryption (I haven't tested it):

# Query TPM status (Win32_Tpm lives in the MicrosoftTpm namespace; Get-CimInstance replaces the deprecated Get-WmiObject)
$tpmStatus = Get-CimInstance -Namespace "Root\CIMv2\Security\MicrosoftTpm" -ClassName Win32_Tpm
Write-Host "TPM Version: $($tpmStatus.SpecVersion)"
Write-Host "TPM Manufacturer ID: $($tpmStatus.ManufacturerId)"
Write-Host "TPM Manufacturer Version: $($tpmStatus.ManufacturerVersionInfo)"
Write-Host "TPM Enabled: $($tpmStatus.IsEnabled_InitialValue)"

# Query BitLocker status (BitLockerVolume objects expose MountPoint, not DriveLetter)
$bitlockerStatus = Get-BitLockerVolume | Select-Object -Property MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
Write-Host "BitLocker Drive Status:"
$bitlockerStatus | Format-Table -AutoSize

# There is no Get-BitLockerRecoveryPassword cmdlet; recovery passwords are key protectors attached to each volume
$recoveryProtectors = @(Get-BitLockerVolume | ForEach-Object { $_.KeyProtector } | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recoveryProtectors.Count -gt 0) {
    # The recovery password is a secret: anything written here ends up in script output and logs,
    # so escrowing it (BackupToAAD-BitLockerKeyProtector) is preferable to printing it
    Write-Host "BitLocker Recovery Key: $($recoveryProtectors[0].RecoveryPassword)"
} else {
    Write-Host "BitLocker Recovery Key: no recovery password protector configured"
}

You can also try third-party solutions like ManageEngine Desktop Central or Symantec Endpoint Protection.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it a Like.

Kindest regards,

Leon Pavesic
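Building on the reply above, here is an added example, my own code rather than Leon's or Microsoft's, of a discovery script shaped the way Intune custom compliance and remediation detection scripts expect (a flat hashtable returned as compressed JSON): it records TPM presence, readiness and spec version, and per volume the encryption status, method, protector types and whether a recovery password protector exists, without ever emitting the recovery password itself. It assumes Windows 10/11 with the TrustedPlatformModule and BitLocker PowerShell modules present and the script running as SYSTEM the way Intune runs it; the inventory key names are my own choice.

```powershell
# Added example (not from the original post): build a flat TPM/BitLocker inventory record.
# Protector *types* are reported, the recovery password value is deliberately never included,
# so the output is safe to land in Intune script output and logs.
$inventory = [ordered]@{}

# TPM: Get-Tpm (TrustedPlatformModule module) for readiness flags, Win32_Tpm for the spec version.
$tpm    = Get-Tpm -ErrorAction SilentlyContinue
$tpmWmi = Get-CimInstance -Namespace 'root\CIMv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$inventory['TpmPresent'] = [bool]($tpm -and $tpm.TpmPresent)
$inventory['TpmEnabled'] = [bool]($tpm -and $tpm.TpmEnabled)
$inventory['TpmReady']   = [bool]($tpm -and $tpm.TpmReady)
# SpecVersion looks like "2.0, 0, 1.38"; keep only the leading spec number (e.g. "2.0").
$inventory['TpmSpecVersion'] = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'None' }

# BitLocker: one group of keys per volume, identified by its mount point ("C:" -> "C").
$volumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
$osVolumeProtected = $false
foreach ($vol in $volumes) {
    $id = $vol.MountPoint -replace '[^A-Za-z0-9]', ''
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $inventory["Vol${id}_Status"]              = $vol.VolumeStatus.ToString()
    $inventory["Vol${id}_ProtectionOn"]        = ($vol.ProtectionStatus -eq 'On')
    $inventory["Vol${id}_Method"]              = $vol.EncryptionMethod.ToString()
    $inventory["Vol${id}_Percent"]             = [int]$vol.EncryptionPercentage
    $inventory["Vol${id}_Protectors"]          = ($protectorTypes -join ';')
    $inventory["Vol${id}_HasRecoveryPassword"] = ($protectorTypes -contains 'RecoveryPassword')
    # An OS volume whose protection is merely "suspended" still reports ProtectionStatus Off.
    if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -eq 'On') { $osVolumeProtected = $true }
}
$inventory['OsVolumeProtected'] = $osVolumeProtected
$inventory['VolumeCount']       = $volumes.Count

# Custom compliance and remediation detection scripts expect a single compressed JSON object.
return ($inventory | ConvertTo-Json -Compress)
```

In a custom compliance policy the JSON rules file then tests keys such as TpmSpecVersion, OsVolumeProtected and VolC_HasRecoveryPassword, which gives the per-device TPM and BitLocker inventory the question asks for without handling the recovery password at all.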