ConfigMgr BitLocker compliance history

Todd Miller 41 Reputation points
2020-12-11T01:56:00.08+00:00

If we move to Configmgr for monitoring bitlocker clients and store their keys, how is this affected by Configmgr's aged inventory cleanup?

When a client is pruned out of Configmgr because it has not checked in for 180 days, what happens to the historical Bitlocker compliance information - and more importantly to the stored recovery key?

For instance... someone has a device that has been encrypted with BitLocker, and it reports its status to ConfigMgr and is compliant, and then the computer is stuffed in a drawer for a year. After 6 months, it ages out of the SCCM site after a period of inactivity and is removed from the DB through maintenance tasks. Everyone slowly forgets about the device. Later, during routine compliance checks, we ask the user to verify they still have that laptop assigned to them. The user goes to the drawer where he stuffed it a year ago and... Uh oh... not there. Someone must have stolen the laptop... That device is reported lost and now people want proof that that device was encrypted when it was last seen. But SCCM has cleaned up that computer out of the DB because of aged inventory maintenance.

Is there any historical compliance data that is kept outside of the regular SCCM data for BitLocker in particular, or do I need to use something custom to ship the data out of SCCM for posterity? What about the recovery keys? I have not looked at how ConfigMgr works, but MBAM would keep recovery keys forever. I suppose ConfigMgr will also keep the recovery keys even when the computer resource is removed from ConfigMgr?

Is it up to me to somehow store the compliance data prior to the computer getting pruned? It would be cool if a table could be kept with a summary of information about every computer as it ages out of the SCCM database... like a single row of data. I don't want to keep installed software lists or a list of the services or other ephemeral data... but having a few things sort of like the CombinedDeviceResources view + the BitLocker compliance data, and it is kept FOREVER for posterity's sake. Is there anything like that?

What do you do/use to hold basic info about inactive computers for posterity?

Windows 10 Security
Microsoft Configuration Manager

Accepted answer
  1. Garth Jones 2,076 Reputation points
    2020-12-11T11:59:17.217+00:00

1 additional answer

  1. XinGuo-MSFT 17,931 Reputation points
    2020-12-11T09:29:57.677+00:00

    Hi,

    If I understand correctly, we could try to maintain a custom table containing all the data by SQL statements. Then migrate the current data to this table periodically.

    Database table – dbo.RecoveryAndHardwareCore_Keys

    [screenshot: 47285-img-5e8531dbaef76.png]

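One way to build the "custom table + periodic migration" that this answer describes, as an added T-SQL example that is not code from the thread or from Microsoft. It assumes the ConfigMgr site database's v_CombinedDeviceResources view exposes ResourceID, Name, Domain, LastActiveTime and LastHardwareScan (check against your site's schema); BitLockerStatus_Placeholder is a stand-in for whatever view or table carries per-device BitLocker compliance in your site, and its columns ResourceID, IsCompliant, ReportedAt and RecoveryKeyId are placeholders too. The archive keeps one summary row per device and is never pruned, so the "was it encrypted when last seen" question can still be answered after aged-inventory maintenance removes the device.

```sql
-- Added example, not code from the thread or from Microsoft.
-- Assumptions: v_CombinedDeviceResources has the columns used below;
-- BitLockerStatus_Placeholder (and its columns) stand in for the real
-- per-device BitLocker compliance source in your site.

-- 1. One row per device, outside the tables that site maintenance prunes.
IF OBJECT_ID('dbo.DeviceBitLockerArchive', 'U') IS NULL
BEGIN
    CREATE TABLE dbo.DeviceBitLockerArchive (
        ResourceID             INT           NOT NULL PRIMARY KEY,
        DeviceName             NVARCHAR(256) NOT NULL,
        DomainName             NVARCHAR(256) NULL,
        LastActiveTime         DATETIME      NULL,
        LastHardwareScan       DATETIME      NULL,
        BitLockerCompliant     BIT           NULL,  -- last known state, never blanked out
        ComplianceReportedAt   DATETIME      NULL,  -- when that state was reported
        RecoveryKeyIdReference NVARCHAR(64)  NULL,  -- identifier only; key material stays in its protected store
        FirstArchivedAt        DATETIME      NOT NULL DEFAULT GETUTCDATE(),
        LastRefreshedAt        DATETIME      NOT NULL DEFAULT GETUTCDATE()
    );
END;
GO

-- 2. Scheduled upsert (e.g. a SQL Agent job): refresh rows for devices still in
--    the site and add rows for new ones. There is deliberately no
--    WHEN NOT MATCHED BY SOURCE clause, so a device that ages out keeps its row.
MERGE dbo.DeviceBitLockerArchive AS target
USING (
    SELECT d.ResourceID,
           d.Name,
           d.Domain,
           d.LastActiveTime,
           d.LastHardwareScan,
           b.IsCompliant,
           b.ReportedAt,
           b.RecoveryKeyId
    FROM   v_CombinedDeviceResources AS d
    LEFT JOIN BitLockerStatus_Placeholder AS b   -- placeholder source
           ON b.ResourceID = d.ResourceID
) AS src
ON target.ResourceID = src.ResourceID
WHEN MATCHED THEN
    UPDATE SET
        DeviceName             = src.Name,
        DomainName             = src.Domain,
        LastActiveTime         = src.LastActiveTime,
        LastHardwareScan       = src.LastHardwareScan,
        -- COALESCE keeps the last known state if this cycle has no compliance row
        BitLockerCompliant     = COALESCE(src.IsCompliant, target.BitLockerCompliant),
        ComplianceReportedAt   = COALESCE(src.ReportedAt, target.ComplianceReportedAt),
        RecoveryKeyIdReference = COALESCE(src.RecoveryKeyId, target.RecoveryKeyIdReference),
        LastRefreshedAt        = GETUTCDATE()
WHEN NOT MATCHED BY TARGET THEN
    INSERT (ResourceID, DeviceName, DomainName, LastActiveTime, LastHardwareScan,
            BitLockerCompliant, ComplianceReportedAt, RecoveryKeyIdReference)
    VALUES (src.ResourceID, src.Name, src.Domain, src.LastActiveTime, src.LastHardwareScan,
            src.IsCompliant, src.ReportedAt, src.RecoveryKeyId);
GO

-- 3. The question from the thread: devices no longer in the site, with the
--    compliance state they had when last seen.
SELECT a.DeviceName, a.DomainName, a.LastActiveTime,
       a.BitLockerCompliant, a.ComplianceReportedAt
FROM   dbo.DeviceBitLockerArchive AS a
WHERE  NOT EXISTS (SELECT 1
                   FROM v_CombinedDeviceResources AS d
                   WHERE d.ResourceID = a.ResourceID)
ORDER BY a.LastActiveTime;
```

Two design choices worth noting. The archive stores a recovery key identifier, not the key itself: copying key material into a custom table widens its exposure, so leave the keys in their protected store and use the identifier to look them up when a recovery is actually needed. And the COALESCE in the UPDATE branch prevents a cycle in which the compliance source has no row for a device from overwriting a previously recorded compliant state with NULL. A reimaged device gets a new ResourceID and therefore a second archive row; that is acceptable for a history table. Many admins keep tables like this in a separate database and reference the site views by three-part name rather than creating objects in the site database itself.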
