In July, Microsoft announced a hotfix for ConfigMgr 2103 that involved an issue with BitLocker. That got me thinking about how BitLocker is an amazing security tool built into Windows that is the darling of every security team that I’ve ever worked with. But, when things go wrong, BitLocker gets on the bad side of users and administrators alike. Microsoft has created several ways to store and manage BitLocker keys, but with those multiple ways comes a management problem. How do you know if your BitLocker keys are really being stored? And, how do you know if your environment meets your BitLocker compliance needs? The answer is the BitLocker Compliance Tool dashboard!
Enter the BitLocker Compliance Tool Dashboard
In Right Click Tools you’ll find the BitLocker Compliance Tool dashboard. It can bring all your BitLocker storage and compliance information together in one place. Once you select an OU or ConfigMgr collection, the left pane will tell you where the keys are currently stored, and the right pane displays the combined compliance numbers based on settings in your environment.
Here’s an example from our demo environment of what the dashboard can look like:
BitLocker Recovery Key Storage
As I mentioned earlier, the left pane of the BitLocker Compliance Tool dashboard shows where keys are being stored. The locations where BitLocker keys can be stored (that are supported in this feature) are:
- Active Directory
- MBAM – Microsoft BitLocker Administration and Monitoring
- Configuration Manager – Sometimes known as ConfigMgr MBAM.
The dashboard will also show “Computers without Stored Keys” which means that a stored key was not found in AD, MBAM, or ConfigMgr MBAM for that device.
You can also see, with the help of this dashboard, if a device has a key stored in multiple places, for example in Active Directory and MBAM.
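If you want to verify AD key storage yourself before (or alongside) the dashboard, the following PowerShell audit is an added example written for this post, not Recast's or Right Click Tools' code. It assumes the ActiveDirectory RSAT module, read access to the msFVE-RecoveryInformation objects under each computer account, and a placeholder OU distinguished name in $SearchBase. It deliberately counts and dates the stored recovery information without reading the recovery passwords themselves.

```powershell
# Added example (not Recast Software's code): audit which computers in an OU
# have a BitLocker recovery password escrowed in Active Directory.
# Assumes the ActiveDirectory module and read rights on msFVE-RecoveryInformation
# objects; $SearchBase is a placeholder OU distinguished name.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate

$report = foreach ($c in $computers) {
    # Recovery information is stored as msFVE-RecoveryInformation child objects
    # directly beneath the computer object, so search one level under its DN.
    $keys = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                           -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                           -Properties whenCreated)

    [pscustomobject]@{
        ComputerName  = $c.Name
        LastLogonDate = $c.LastLogonDate
        StoredKeys    = $keys.Count
        NewestKey     = ($keys | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
        Status        = if ($keys.Count -gt 0) { 'Key stored in AD' } else { 'No stored key in AD' }
    }
}

# Show the whole picture, then export the devices that would land in
# "Computers without Stored Keys" for follow-up.
$report | Sort-Object StoredKeys, ComputerName | Format-Table -AutoSize
$report | Where-Object StoredKeys -eq 0 |
    Export-Csv -NoTypeInformation -Path .\BitLocker-NoStoredKeyInAD.csv
```

A computer that shows several stored objects is normal: every time a recovery password is regenerated or the drive is re-encrypted, a new msFVE-RecoveryInformation object is added, so NewestKey is the value to compare against the device's last encryption date. The script only covers the Active Directory location; MBAM and ConfigMgr MBAM store their keys in their own databases, which is exactly why the dashboard combines all three.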
The right pane of the dashboard shows the compliance based on what the databases for either MBAM or ConfigMgr MBAM have determined. There are three possible compliance outcomes listed, and a fourth combination outcome:
- MBAM Compliant – We’ve looked in the MBAM database and it says that the device is compliant with the MBAM policies.
- CM Compliant – We’ve looked in the ConfigMgr database, and it says that the device is compliant with the ConfigMgr MBAM policies.
- MBAM and CM Compliant – Both the MBAM and ConfigMgr databases say that this device is compliant with the required policies.
- Unknown – Neither the MBAM nor the ConfigMgr databases have any information on compliance for the devices in this section.
The power of Right Click Tools is that it gives YOU the ability to take action right from inside the dashboards. In this case, if you find a computer in the BitLocker Compliance Tool dashboard that you need more information about, you can right-click it and use the Security Tools to dig deeper.
Within the Security Tools menu, you can retrieve BitLocker keys that are stored in Active Directory and MBAM, and also open the BitLocker Status tool. That tool directly queries the computer in question and shows important information about its BitLocker status. Check out the screenshot below.
You can then right-click inside that tool to find more BitLocker actions to take.
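The same kind of direct device query can be scripted. The function below is an added example written for this post, not the BitLocker Status tool's own code. It assumes PowerShell Remoting is enabled on the target, that the target has the BitLocker PowerShell module, and that 'PC01' is a placeholder computer name. Beyond the read-only status check, the optional -BackupToAD switch shows one remediation step: escrowing any locally held recovery password to Active Directory with Backup-BitLockerKeyProtector, which requires the BitLocker AD schema extensions and the computer account's write permission to its own recovery information.

```powershell
# Added example (not Right Click Tools code): query a computer's BitLocker status
# directly and optionally escrow its recovery passwords to AD DS.
# Assumes PowerShell Remoting and the BitLocker module on the target;
# the computer name used at the bottom is a placeholder.
function Get-BitLockerStatusReport {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$BackupToAD   # when set, back up RecoveryPassword protectors to AD
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $BackupToAD.IsPresent -ScriptBlock {
        param([bool]$Backup)

        foreach ($vol in Get-BitLockerVolume) {
            # Separate the protector types we care about for compliance questions.
            $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
            $backedUp = 0

            if ($Backup) {
                foreach ($kp in $recovery) {
                    # Writes an msFVE-RecoveryInformation object under this computer
                    # account in AD; needs the BitLocker schema and account permissions.
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                                 -KeyProtectorId $kp.KeyProtectorId | Out-Null
                    $backedUp++
                }
            }

            [pscustomobject]@{
                ComputerName         = $env:COMPUTERNAME
                MountPoint           = $vol.MountPoint
                VolumeType           = $vol.VolumeType
                ProtectionStatus     = $vol.ProtectionStatus    # On / Off
                VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
                EncryptionMethod     = $vol.EncryptionMethod
                EncryptionPercentage = $vol.EncryptionPercentage
                TpmProtector         = ($tpm.Count -gt 0)
                RecoveryPasswords    = $recovery.Count
                BackedUpToAD         = $backedUp
            }
        }
    }
}

# Read-only status check of one device (placeholder name).
Get-BitLockerStatusReport -ComputerName 'PC01' | Format-Table -AutoSize

# Same query, but also escrow any local recovery passwords to Active Directory.
# Get-BitLockerStatusReport -ComputerName 'PC01' -BackupToAD | Format-Table -AutoSize
```

Two rows of that output are the ones to watch: a volume with ProtectionStatus Off is not protected even if VolumeStatus says FullyEncrypted (the protectors are suspended), and a volume with RecoveryPasswords 0 has nothing that could ever have been escrowed, so adding a recovery password protector has to come before any backup.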
Quick Intel and Remediate
The BitLocker Compliance Tool dashboard is designed to get you quick information about BitLocker in your environment. It also enables you to take action to remediate issues that you may find. Let us know if you have any questions, or if you think the BitLocker Compliance Tool dashboard could help you by reaching out to https://recastsoftware.com/support.