This article focuses on the scenario where a laptop or desktop has been lost or stolen, and how to make sure that the local data and credentials on it are encrypted and protected. In this series we assume you are familiar with Configuration Manager and baselines; it is also recommended that the devices run Windows 10 and have at least TPM 1.2. Most of these methods require PowerShell 4.0 or later.

Baselines are a commonly used method for thinking about and monitoring change in environments. Broadly speaking, you can use baselines in two ways:
1) Characterize change from a known state (and force remediation)
2) Monitor compliance

In general we prefer to set up two main baselines (each a collection of configuration items): one that remediates, and one for monitoring and on-boarding.

If you need help or have questions please post at the bottom of the page…

BitLocker

Protection Status
Discovery Script

(Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus

Compliance Rule

The value returned by the specified script: Equals On
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

Volume Status
Discovery Script

(Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus

Compliance Rule

The value returned by the specified script: Equals FullyEncrypted
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

TPM

TPM Present
Discovery Script

# Suppress errors from Get-Tpm on devices without the TPM module or hardware, so the script still returns a value
$ErrorActionPreference = "SilentlyContinue"
$TPM = (Get-Tpm).TpmPresent
If ($TPM) { Return $true }
Else { Return $false }

Compliance Rule

The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

Secure Boot

Secure Boot UEFI
Discovery Script

# Confirm-SecureBootUEFI throws on BIOS/legacy-boot machines; suppress that so the script returns False instead of an error
$ErrorActionPreference = "SilentlyContinue"
$SecureBoot = Confirm-SecureBootUEFI
If ($SecureBoot) { Return $True }
Else { Return $False }

Compliance Rule

The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

Credential Guard

Service Running
Discovery Script

# SecurityServicesConfigured and SecurityServicesRunning are arrays of service codes; 1 = Credential Guard
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
If (($DevGuard.SecurityServicesConfigured -contains 1) -and ($DevGuard.SecurityServicesRunning -contains 1)) { Return $True }
Else { Return $False }

Compliance Rule

The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

Secure Boot Enabled
Discovery Script

# AvailableSecurityProperties is an array of capability codes; 2 = Secure Boot is available
$Device = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).AvailableSecurityProperties
If ($Device -contains 2) { Return $true }
Else { Return $false }

Compliance Rule

The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning

Virtualization Enabled
Discovery Script

# AvailableSecurityProperties is an array of capability codes; 1 = base virtualization support is available
$Device = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).AvailableSecurityProperties
If ($Device -contains 1) { Return $true }
Else { Return $false }

Compliance Rule

The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
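As an added example that is not part of the original article, the following PowerShell function folds all of the discovery scripts above into a single evaluation that returns either "Compliant" or the names of the failing controls, so one configuration item can report which control failed rather than a bare True/False. The inputs are parameters so the function can be exercised against a constructed sample offline; with no arguments it queries the local machine. The function name, the control names and the sample values are assumptions.

```powershell
# Added example: evaluates the controls from this article in one pass.
# Returns 'Compliant' or a comma-separated list of failing control names,
# which a single CI compliance rule can match with "Equals Compliant".
function Test-LostDeviceBaseline {
    param(
        # Objects can be passed in for offline testing; defaults are live queries
        # and are only evaluated when the parameter is not supplied.
        $BitLocker   = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue),
        $Tpm         = (Get-Tpm -ErrorAction SilentlyContinue),
        $SecureBoot  = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue),
        $DeviceGuard = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue)
    )
    # Win32_DeviceGuard codes used by the article:
    #   AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot
    #   SecurityServicesRunning:     1 = Credential Guard
    $failed = [System.Collections.Generic.List[string]]::new()

    if ($BitLocker.ProtectionStatus -ne 'On')                    { $failed.Add('BitLockerProtection') }
    if ($BitLocker.VolumeStatus -ne 'FullyEncrypted')            { $failed.Add('BitLockerVolume') }
    if (-not $Tpm.TpmPresent)                                     { $failed.Add('TpmPresent') }
    if (-not $SecureBoot)                                         { $failed.Add('SecureBootUefi') }
    if ($DeviceGuard.AvailableSecurityProperties -notcontains 1)  { $failed.Add('VirtualizationAvailable') }
    if ($DeviceGuard.AvailableSecurityProperties -notcontains 2)  { $failed.Add('SecureBootAvailable') }
    if ($DeviceGuard.SecurityServicesRunning -notcontains 1)      { $failed.Add('CredentialGuardRunning') }

    if ($failed.Count -eq 0) { return 'Compliant' }
    return ($failed -join ',')
}

# Constructed sample (not real device output): encryption still in progress
# and Credential Guard configured but not yet running (needs a reboot).
$sample = @{
    BitLocker   = [pscustomobject]@{ ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress' }
    Tpm         = [pscustomobject]@{ TpmPresent = $true }
    SecureBoot  = $true
    DeviceGuard = [pscustomobject]@{
        AvailableSecurityProperties = @(1, 2)
        SecurityServicesConfigured  = @(1)
        SecurityServicesRunning     = @()
    }
}
Test-LostDeviceBaseline @sample
```

The sample reports BitLockerProtection, BitLockerVolume and CredentialGuardRunning as failing; run the function with no arguments inside a CI discovery script to evaluate the real device.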