ConfigMgr Console
BitLocker and TPM Status Dashboard
Topics: ConfigMgr Console
The Problem: No Built-In Bitlocker or TPM Status Reports
It goes without saying that companies manage a lot of data and this data must be kept secure at all times. Who wants to tell the CTO or President of your organization that the reason they are in the news or lost a big deal is because a laptop was stolen with important info on it? How can you guarantee that a stolen laptop won’t expose this information to the world? BitLocker of course!
BitLocker and TPM go hand-in-hand, so you need to ensure that both are enabled. How can you tell, though, what laptops are using BitLocker and if it is enabled? What about TPM? Not only do you have to ensure that both were setup correctly to begin with, but sometimes when testing or troubleshooting problems, admins turn one or the other off and forget to turn them back on.
Fortunately, with Microsoft Configuration Manager (ConfigMGr) Current Branch, you can inventory the state of both BitLocker and TPM. Unfortunately, there aren’t any built-in reports for you to run in order to review this data.
The Solution: BitLocker and TPM Status Dashboard
With Endpoint Insight’s BitLocker and TPM Status dashboard you can quickly see the number of computers that are completely protected. In addition, you can see how many computers either need BitLocker enabled or have a TPM issue.
Here’s a breakdown of each state by color:
- Green = Protected
- Yellow = BitLocker is Not Enabled on All Drives
- Orange = BitLocker is Turned Off
- Pink = BitLocker is Not Enabled
- Red = TPM Issue
Protected means that the system is fully encrypted with BitLocker and TPM is correct.
BitLocker is Not Enabled on All Drives means that TPM is setup and ready to use, but a computer has more than one drive within the system where at least one of the drives is not encrypted with BitLocker. Generally, the solution is to enable BitLocker on all drives.
BitLocker is Turned Off means that TPM is setup and ready to use, but BitLocker is not turned on. The solution is to turn on BitLocker on all drives.
BitLocker is Not Enabled means that TPM is setup and ready to use and BitLocker is configured to be used, but as may be the case with servers, the BitLocker feature might not be installed (enabled). The solution is to install and configure BitLocker on all drives.
TPM Issue means TPM is either not installed on the computer or it is not enabled within the BIOS. The solution varies depending on the problem, but in some cases it could mean a hardware upgrade, i.e. replacing old computers with ones where TPM is installed.
As mentioned earlier, this dashboard leverages the inventory information of both TPM’s and BitLocker’s state from ConfigMGr current branch.
Endpoint Insights Reporting – BitLocker and TPM Status Dashboard
The BitLocker and TPM Status dashboard is found within Endpoint Insights Reporting’s security category. This category of dashboards and reports provides you with all-important information about various security issues within your ConfigMgr environment, such as BIOS and TLS settings.
The full set of BitLocker and TPM reports includes:
- BitLocker and TPM Status Dashboard
- List of Computers by BitLocker and TPM Status
- Computer BitLocker and TPM Details
List of Computers by BitLocker and TPM Status
This report provides a list of computers by a specified BitLocker and TPM state. You can drill through from this report to the Computer BitLocker and TPM Details report.
Computer BitLocker and TPM Details
This report is divided into three major sections. The first section tells you about the computer itself.
The second section tells you about the TPM status. This section is collapsed by default. Simply click on the text in order to expand the section. A green dot means that TPM has this state. Whereas a gray dot means that the TPM doesn’t have this state. For more details about each state, please see the Microsoft documentation.
The last section displays all of the computer’s drives along with each one’s BitLocker status. This section is also collapsed by default, so click on the text in order to expand it.
Conclusion: BitLocker and TPM Status Dashboard
Would you find it useful to know the BitLocker and TPM status for all of your computers in one report? Then check out Endpoint Insights, a powerful tool that brings additional data and advanced reporting to your ConfigMgr environment.
Are you looking for another ConfigMgr report? Do you find that ConfigMgr reporting is difficult? Reporting shouldn’t be hard and with Endpoint Insights Reporting’s 150+ reports, sorted into 6 main categories with corresponding subcategories, we make it easy for you!
We can’t possibly list all of the reports found in Endpoint Insights Reporting, but here are the 6 main categories:
Do you have an idea for a report set that you would like us to create? Submit them to our Ideas Page or drop us a line on Twitter!