BitLocker and TPM Audit

Description

This script performs a comprehensive audit of the machine's security posture regarding disk encryption and hardware security. It executes two main functions:

1. BitLocker Audit (Get-BitLockerDetail):

   • Prerequisite Check: Verifies the presence of the 'BitLocker' module and necessary OS features.
   • Data Collection: Scans all volumes using Get-BitLockerVolume. It handles complex configurations by flattening volumes with multiple key protectors into individual rows.
   • Formatting: Generates a stylized HTML table containing granular details such as Mount Point, Encryption Method, Protection Status, Key Protector IDs, Recovery Passwords, and timestamps.
   • Storage: Populates the cPVAL BitLocker Info custom field and sets the cPVAL BitLocker Enabled for System Drive flag if the OS drive is protected.

2. TPM Audit (Get-TPMDetail):

   • Prerequisite Check: Verifies the 'TrustedPlatformModule' module.
   • Data Collection: Retrieves hardware security details using Get-Tpm.
   • Formatting: Generates a stylized HTML table covering Manufacturer ID, AutoProvisioning status, Lockout counters, and TpmReady/Enabled states, including a 'DataCollectionTime' timestamp.
   • Storage: Populates the cPVAL TPM Info custom field.

Note:

• This is only compatible for Windows devices.
• The BitLocker Drive Encryption feature must be enabled on servers to perform auditing. This script will not work without enabling this feature.
• TPM audit will still be performed even if BitLocker audit fails.

Requirements

• PowerShell v5

Sample Run

Dependencies

• Custom Field: cPVAL BitLocker Enabled for System Drive
• Custom Field: cPVAL BitLocker Info
• Custom Field: cPVAL TPM Info
• Custom Field: cPVAL Audit Encryption Percentage
• Custom Field: cPVAL Audit Encryption Method
• Custom Field: cPVAl Audit Mount Point
• Custom Field: cPVAL Audit Lock Status
• Custom Field: cPVAL Audit Protection Status
• Custom Field: cPVAL Audit Volume Status
• Custom Field: cPVAL Audit TPM Activated
• Custom Field: cPVAL Audit TPM Enabled
• Custom Field: cPVAL Audit TPM Present
• Custom Field: cPVAL Audit TPM Ready
• Solution: BitLocker and TPM Audit

Custom Fields

Field Label	Scope	Type	Description
cPVAL BitLocker Info	Device	WYSIWYG (HTML Table)	Stores the HTML-formatted inventory of BitLocker volumes and protectors.
cPVAL BitLocker Enabled for System Drive	Device	Checkbox	Flag indicating if the Operating System drive is encrypted.
cPVAL TPM Info	Device	WYSIWYG (HTML Table)	Stores the HTML-formatted detailed status of the Trusted Platform Module (TPM).

Automation Setup/Import

Automation Configuration

Output

• Activity Logs
• Custom Fields
  • cPVAL BitLocker SysDrive Enabled
    
  • cPVAL BitLocker Info
    
  • cPVAL TPM Info
    

Changelog

2026-04-14

• Updated the solution to individually update the below custom field.

• As the script previously update the custom field in HTML format.

• We need to create group on which the HTML format data is not shows there.

• That is reason we have update the individual custom field.

  • cPVAL Audit Encryption Percentage
  • cPVAL Audit Encryption Method
  • cPVAl Audit Mount Point
  • cPVAL Audit Lock Status
  • cPVAL Audit Protection Status
  • cPVAL Audit Volume Status
  • cPVAL Audit TPM Activated
  • cPVAL Audit TPM Enabled
  • cPVAL Audit TPM Present
  • cPVAL Audit TPM Ready

2026-01-08

• Initial version of the document