BitLocker Status and Key Audit
Purpose
This solution provides a comprehensive approach to auditing BitLocker encryption status and recovery keys across Windows devices using ConnectWise RMM. Instead of monitors, it uses a daily scheduled task to collect and report BitLocker encryption details, giving centralized visibility of the encryption status and recovery keys of every protected drive. Because the result includes recovery passwords, the custom field it is written to should be treated as secret material and its visibility restricted accordingly.
Associated Content
Custom Fields
| Name | Example | Type | Level | Required | Purpose |
|---|---|---|---|---|---|
| Enable BitLocker Status Audit | Windows Workstation and Server | Dropdown | COMPANY | Yes | Select OS to enable BitLocker status auditing. |
| Disable BitLocker Status Audit (Site) | | Flag | SITE | No | Prevents BitLocker status auditing at specific sites. |
| Disable BitLocker Status Audit (Endpoint) | | Flag | ENDPOINT | No | Prevents BitLocker status auditing on specific endpoints. |
| BitLocker Status and Key | | Text Box | ENDPOINT | Yes | Stores BitLocker encryption details and recovery keys. |
Groups
| Name | Purpose | 
|---|---|
| BitLocker Status Audit Enabled | Dynamic group targeting devices where BitLocker status auditing is enabled. | 
| BitLocker Disabled | Group of machines where BitLocker is not enabled. | 
| BitLocker Suspended | Group of machines where BitLocker protection is suspended. | 
| BitLocker Enabled | Group of machines where BitLocker protection is enabled. | 
Task
| Name | Purpose | 
|---|---|
| BitLocker Status and Recovery Key Audit | PowerShell script that collects BitLocker encryption details and recovery keys. | 
Implementation
Step 1: Create the Required Custom Fields
Create all the custom fields listed above under SETTINGS → Custom Fields in CW RMM. See individual documentation pages for configuration details.
- Enable BitLocker Status Audit
- Disable BitLocker Status Audit (Site)
- Disable BitLocker Status Audit (Endpoint)
- BitLocker Status and Key
Step 2: Create the Dynamic Groups
Create the groups listed above under ENDPOINTS → Groups as dynamic groups.
Step 3: Create the Audit Task
Create the audit script task BitLocker Status and Recovery Key Audit under AUTOMATION → Tasks. Set up the script as detailed in the referenced documentation.
Step 4: Schedule the Audit Task
Schedule the BitLocker Status and Recovery Key Audit task to run daily against the BitLocker Status Audit Enabled group.
FAQ
Q: What happens if a device is excluded at the site or endpoint level?
A: Devices or sites flagged for exclusion will not be included in the BitLocker status audit. However, the BitLocker Status and Recovery Key Audit task can be executed manually.
Q: How often does the solution audit BitLocker status?
A: The task is scheduled to run daily, but this can be adjusted in the scheduled task configuration based on your organizational needs.
Q: Can I trigger the audit manually?
A: Yes, the BitLocker Status and Recovery Key Audit task can be run on demand independent of the schedule.
Q: What information is collected by the audit?
A: The script collects drive letters, key protector types, protection status, encryption percentage, and recovery passwords (when available).
Q: What OSes are supported for auditing?
A: Supported OS selection is controlled by the Enable BitLocker Status Audit custom field (Windows Workstation, Windows Server, Both, or Disabled).
Q: Is the BitLocker Drive Encryption feature required?
A: Yes. On Windows Server, BitLocker is an optional feature, and the BitLocker PowerShell module the audit relies on is only present once that feature is installed. On servers where it is not installed, the audit task cannot read any BitLocker status and will not produce results.
Q: How are the results formatted and stored?
A: Results are formatted as a structured string and stored in the endpoint-level "BitLocker Status and Key" custom field, one entry per drive, in this format: | DriveLetter: KeyProtectorTypes; ProtectionStatus; EncryptionPercentage; RecoveryPassword |. Since the string contains recovery passwords, limit who can view this field in the RMM to staff who are allowed to unlock the drives.
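The following is an added example of the kind of audit script Step 3 asks for, written to the format described in this answer; it is not the task script shipped with this solution. It assumes the RMM runs the task as SYSTEM (recovery passwords are only readable from an elevated session) and captures the script's standard output into the endpoint-level "BitLocker Status and Key" custom field; the page does not describe how that output is captured. Sample values in comments are placeholders, not real keys.

```powershell
# Added example (not the solution's own task script): collect BitLocker status and
# recovery passwords and emit one entry per volume in the documented layout
#   | DriveLetter: KeyProtectorTypes; ProtectionStatus; EncryptionPercentage; RecoveryPassword |
# Assumed: runs as SYSTEM under the RMM, and the RMM stores stdout in the
# "BitLocker Status and Key" custom field.

# On Windows Server the BitLocker cmdlets exist only once the BitLocker feature is
# installed, so fail loudly instead of silently writing an empty audit result.
if (-not (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    Write-Output '| ERROR: BitLocker module not found; install the BitLocker feature on servers |'
    exit 1
}

try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
}
catch {
    Write-Output "| ERROR: Get-BitLockerVolume failed: $($_.Exception.Message) |"
    exit 1
}

$entries = foreach ($vol in $volumes) {
    # "C:" -> "C"; volumes without a letter keep their \\?\Volume{...} path.
    $drive = $vol.MountPoint.TrimEnd(':')

    # Key protector types as a comma list (e.g. RecoveryPassword,Tpm); "None" when
    # the volume has no protectors at all (never encrypted or fully decrypted).
    $protectors = @($vol.KeyProtector)
    $types = if ($protectors.Count -gt 0) {
        ($protectors.KeyProtectorType | Sort-Object -Unique) -join ','
    } else { 'None' }

    # Recovery passwords live only on RecoveryPassword protectors; a volume may
    # carry several, so join them. The value is blank when not elevated.
    $recovery = @($protectors |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.RecoveryPassword } |
        ForEach-Object { $_.RecoveryPassword }) -join ','
    if (-not $recovery) { $recovery = 'N/A' }

    # ProtectionStatus is On or Off. A suspended volume reports Off while its
    # VolumeStatus is still FullyEncrypted; a decrypted one reports Off with
    # FullyDecrypted. The raw value is kept so the field matches the documented
    # format; a "suspended" group can be derived from Off + FullyEncrypted
    # (assumption: the page does not state how the groups are defined).
    '{0}: {1}; {2}; {3}%; {4}' -f $drive, $types, $vol.ProtectionStatus, $vol.EncryptionPercentage, $recovery
}

# Single-line result for the text-box custom field, e.g. (placeholder values):
# | C: RecoveryPassword,Tpm; On; 100%; <48-digit recovery password> | D: None; Off; 0%; N/A |
if ($entries) {
    Write-Output ('| ' + ($entries -join ' | ') + ' |')
}
else {
    Write-Output '| No BitLocker volumes found |'
}
```

The module check at the top is what makes the server caveat in the previous FAQ entry visible in the audit output rather than as a silently empty field, and the `-and $_.RecoveryPassword` filter is what turns a non-elevated run (where the cmdlet returns blank passwords) into an explicit N/A instead of an empty column.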