This article focuses on the scenario where a laptop or desktop has been lost or stolen, and on how to make sure that the local data and credentials are secured/encrypted. In this series we assume you are familiar with Configuration Manager and baselines. It is also recommended that the devices run Windows 10 and have at least TPM 1.2. Most of these methods require PowerShell 4.0 or later.

Baselines are a commonly used method for thinking about and monitoring change in environments. Broadly speaking, you can use baselines in two ways:
1) Characterize change from a known state (and force remediation)
2) Monitor compliance

In general we prefer to set up two main baselines (each a collection of configuration items): one that remediates and one for monitoring/on-boarding.

If you need help or have questions please post at the bottom of the page…

BitLocker

Protection Status
Discovery Script

Compliance Rule

Volume Status
Discovery Script

Compliance Rule

TPM

TPM Present
Discovery Script

Compliance Rule

Secure Boot

Secure Boot UEFI
Discovery Script

Compliance Rule

Credential Guard

Service Running
Discovery Script

Compliance Rule

Secure Boot Enabled
Discovery Script

Compliance Rule

Virtualization Enabled
Discovery Script

Compliance Rule
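
An added example, not the article's own scripts: one way to write discovery functions for the settings listed above, so that a legacy-BIOS machine or a missing module yields a fixed string the compliance rule can fail on instead of a script error. The function names, the returned strings and the reading of "Virtualization Enabled" as "virtualization-based security is running" are assumptions of this example.

```powershell
# Added example (not from the original article). A configuration item's
# discovery script emits ONE value; call exactly one function per item.
# Every function returns a string, and anything other than the expected
# value (for example 'Unknown') should evaluate as non-compliant.

function Get-BitLockerProtection {
    # 'On' or 'Off' for the OS volume
    try { (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus.ToString() }
    catch { 'Unknown' }
}

function Get-BitLockerVolumeState {
    # e.g. 'FullyEncrypted', 'EncryptionInProgress', 'FullyDecrypted'
    try { (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).VolumeStatus.ToString() }
    catch { 'Unknown' }
}

function Get-TpmPresence {
    # 'True' or 'False'
    try { (Get-Tpm -ErrorAction Stop).TpmPresent.ToString() }
    catch { 'Unknown' }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; report that as 'False'
    try { (Confirm-SecureBootUEFI -ErrorAction Stop).ToString() }
    catch { 'False' }
}

function Get-DeviceGuardState {
    param([ValidateSet('CredentialGuard', 'SecureBoot', 'Virtualization')]
          [string]$Check)
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
    } catch { return 'Unknown' }
    switch ($Check) {
        'CredentialGuard' { ($dg.SecurityServicesRunning -contains 1).ToString() }    # 1 = Credential Guard
        'SecureBoot'      { ($dg.AvailableSecurityProperties -contains 2).ToString() } # 2 = Secure Boot available
        'Virtualization'  { ($dg.VirtualizationBasedSecurityStatus -eq 2).ToString() } # 2 = VBS running (assumed meaning)
    }
}

# Discovery output for the "BitLocker > Protection Status" item;
# the matching compliance rule would be: value equals 'On'.
Get-BitLockerProtection
```

In a monitoring baseline these rules only report; the same discovery functions can back a remediating baseline if a remediation script is attached to the item.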