BitLocker - Missing Key Protectors
This monitor set detects computers where BitLocker is enabled and the drive is fully encrypted but does not have any key protectors.
Documents discussing BitLocker drive encryption and configuration
View all tagsThis monitor set detects computers where BitLocker is enabled and the drive is fully encrypted but does not have any key protectors.
This document describes a script designed to add a recovery password to a BitLocker-enabled drive that lacks a key protector. The script disables the current BitLocker protection, initializes the TPM if necessary, and re-enables the protection with a Recovery Password protector. It is intended for execution as an Autofix script and not for manual use.
Audits BitLocker encryption status and TPM hardware details, populating detailed HTML reports into NinjaRMM custom fields.
This solution provides a comprehensive auditing framework for BitLocker encryption and Trusted Platform Module (TPM) security status on Windows endpoints within NinjaOne. It eliminates the need for manual checks by automatically collecting granular encryption data and hardware security details, formatting them into easy-to-read HTML reports stored directly in NinjaRMM Custom Fields.
This compound condition performs BitLocker and TPM audit once per day on Windows servers where auditing is enabled from cPVAL Enable BitLocker Audit custom field. If set to Disable, the audit will not be performed.
This compound condition performs BitLocker and TPM audit once per day on Windows workstations where auditing is enabled from cPVAL Enable BitLocker Audit custom field. If set to Disable, the audit will not be performed.
Group of machines where BitLocker is disabled.
Group of machines where BitLocker is enabled.
This document outlines the process to determine if the C: drive on an endpoint has BitLocker enabled. It includes information on accessing the data through BitLocker dataviews or the roles tab in ConnectWise Automate, along with the necessary detection string and settings.
Evaluates the BitLocker compliance status of an endpoint against policies defined in NinjaRMM Custom Fields.
Automates BitLocker initialization on Windows devices using NinjaOne custom fields, including encryption method selection, key protector configuration, and secure execution with logging.
This document provides a dataview containing records of computers where BitLocker initialization failed twice due to issues encountered by the Autofix script. It outlines the relevant dependencies and details about each computer, including client name, location, operating system, and the number of failed attempts.
The solution outlines the process of backing up BitLocker recovery keys to Active Directory or Azure Active Directory using CW RMM.
Group of machines where "BitLocker Key Backup" is enabled.
Group of machines where BitLocker Key Backup Failed.
This custom field display the most recent result after pushing the BitLocker recovery keys into AD/AzureAD.
Group of machines where BitLocker Key Backup Successful.
Group of machines where BitLocker Key was not found.
This script verifies whether the device is joined to a domain or Azure AD. For eligible devices, it attempts to back up BitLocker recovery keys to Azure AD or Local AD, depending on the join type. For each drive, it checks for RecoveryPassword protectors and tries to back up the key using the appropriate cmdlet. The output summarizes any failures, including drive letter, key substring, and platform. If all keys are backed up successfully, it reports success. If the device is not domain or Azure AD joined, or the BitLocker module is unavailable, it returns a relevant message. The output is formatted for saving into the CW RMM custom field "BitLocker Key Backup Status".
Stores BitLocker status and key information for all volumes on the device.
The solution outlines the process of auditing BitLocker encryption status and recovery keys using CW RMM with daily scheduled tasks.
This script collects BitLocker encryption details for each drive on the system using the Get-BitLockerVolume cmdlet. It summarizes the protection status, key protector types, encryption percentage, and recovery password (if available). The output is formatted as a single string suitable for saving into the Endpoint-Level custom field "BitLocker Status and Key".
Group of machines where the "BitLocker Status Audit" is enabled.
Group of machines where BitLocker is suspended.
Defines whether TPM initialization or reboot is allowed during BitLocker setup.
Displays the encryption method used for BitLocker protection on the selected volume.
Displays the BitLocker encryption percentage of the selected volume.
Displays the current lock status of the BitLocker-protected drive.
Shows the specific volume or drive for example, C:, D: that is protected by BitLocker.
Displays whether BitLocker protection is enabled on the device.
Displays whether the TPM (Trusted Platform Module) is activated on the device.
Displays whether the TPM (Trusted Platform Module) is enabled in the system firmware.
Displays whether a TPM (Trusted Platform Module) is present on the device.
Displays whether the TPM (Trusted Platform Module) is ready for use.
Displays whether the drive is fully encrypted or still in progress.
Displays the custom filed which shows the bitlocker and TPM audit details
Indicates whether BitLocker initialization needs to run on this device. Used for BitLocker initialization logic and compound conditions.
A boolean flag indicating if the Operating System drive is actively encrypted and protected by BitLocker. Useful for conditions and reporting compliance.
Stores an HTML inventory of BitLocker volumes, including mount points, algorithms, protection status, and key protector types. Populated automatically by the BitLocker automation script.
Select the operating system for which BitLocker auditing should be enabled. Use this setting to specify the OS where auditing policies will apply.
Choose the encryption algorithm BitLocker will apply to the selected volume. Use one of the supported options: Aes128, Aes256, XtsAes128, or XtsAes256.
Defines which BitLocker key protector method (TPM, PIN, Password, Recovery, or AD Account) will be applied during encryption.
The drive or mount point targeted for BitLocker encryption. Use a drive letter (e.g., C:) or a valid path to ensure the correct volume is selected.
Option for specifying the file path or Active Directory account required by certain BitLocker key protector types.
PIN or password used for BitLocker key protectors that require user authentication at startup.
Mark this checkbox to enable BitLocker without forcefully validating the hardware.
Stores a detailed HTML report of the Trusted Platform Module (TPM) status, including Manufacturer, Version, Ready State, and Lockout counters. Populated via automation.
Flag this custom field to exclude the endpoint from "BitLocker Key Backup" solution.
Flag this custom field to exclude the site from "BitLocker Key Backup" solution.
Flag this custom field to exclude the endpoint from the BitLocker Status Audit solution.
Flag this custom field to exclude the site from the BitLocker Status Audit solution.
This is a compound condition that triggers the bitlocker initialization on windows servers.
This is a compound condition that triggers the BitLocker initialization on windows Workstations.
Select Operating System to Enable BitLocker Key Backup. The output of the Key Backup will be saved into the endpoint-level custom field "BitLocker Key Backup Status".
Select the Operating System to Enable BitLocker Status Audit. BitLocker status and recovery key will be stored in the device-level custom field "BitLocker Status and Key".
Automates BitLocker initialization on Windows via Ninja RMM custom fields. Validates parameters, sets mount point, encryption method, key protector, PIN/password, and AD/path, downloads a helper script, executes it, and logs output for auditing.
This dataview shows the complete detail of the TPM of the Windows machines