This article focuses on the scenario where a laptop or desktop has been lost or stolen, and on how to verify that the local data and credentials on it are encrypted and protected. In this series we assume you are familiar with Configuration Manager and baselines. It is also recommended that the devices run Windows 10 and have at least TPM 1.2. Most of these methods require PowerShell 4.0 or later.
Baselines are a commonly-used method for thinking about and monitoring change in environments. Broadly speaking, you can use baselines in two ways:
1) Characterize change from a known state (and force remediation)
2) Monitor compliance
In general we prefer to set up two main baselines (a collection of configuration items), one that remediates and one for monitoring/on-boarding.
If you need help or have questions please post at the bottom of the page…
BitLocker
Protection Status
Discovery Script
(Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
Compliance Rule
The value returned by the specified script: Equals On
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
Volume Status
Discovery Script
(Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus
Compliance Rule
The value returned by the specified script: Equals FullyEncrypted
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
TPM
TPM Present
Discovery Script
# Suppress errors on machines without the TrustedPlatformModule module, so the script still returns a value
$ErrorActionPreference = "SilentlyContinue"
$TPM = (Get-TPM).TPMPresent
If ($TPM) { Return $true } Else { Return $false }
Compliance Rule
The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
Secure Boot
Secure Boot UEFI
Discovery Script
# Confirm-SecureBootUEFI throws on legacy BIOS systems; suppressing the error makes the check return False there
$ErrorActionPreference = "SilentlyContinue"
$SecureBoot = Confirm-SecureBootUEFI
If ($SecureBoot) { Return $True } Else { Return $False }
Compliance Rule
The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
Credential Guard
Service Running
Discovery Script
# In Win32_DeviceGuard, value 1 in SecurityServicesConfigured/SecurityServicesRunning means Credential Guard
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if (($DevGuard.SecurityServicesConfigured -eq 1) -and ($DevGuard.SecurityServicesRunning -eq 1)) { Return $True } Else { Return $False }
Compliance Rule
The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
Secure Boot Enabled
Discovery Script
# AvailableSecurityProperties value 2 means Secure Boot is available to Device Guard
$Device = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).AvailableSecurityProperties
If ($Device -contains "2") { return $true } Else { return $false }
Compliance Rule
The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
Virtualization Enabled
Discovery Script
# AvailableSecurityProperties value 1 means hypervisor (virtualization) support is available
$Device = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue).AvailableSecurityProperties
If ($Device -contains "1") { return $true } Else { return $false }
Compliance Rule
The value returned by the specified script: Equals True
Report noncompliance if this setting instance is not found: Checked
Noncompliance severity for reports: Warning
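To validate all of the above checks on a machine before building the configuration items, the following added script (not from the original article) runs every discovery check in one pass and, because a Configuration Manager discovery script must return a single value, also collapses them into one Compliant/NonCompliant result. It assumes Windows 10 with the BitLocker, TrustedPlatformModule and SecureBoot PowerShell modules present and an elevated session; the function name Get-LostDeviceChecks is my own.

```powershell
# Added example, not part of the original article. Assumes an elevated Windows 10
# session with the BitLocker, TrustedPlatformModule and SecureBoot modules.
$ErrorActionPreference = 'SilentlyContinue'

function Get-LostDeviceChecks {
    $dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Same checks as the individual discovery scripts in the article.
    # Win32_DeviceGuard codes: AvailableSecurityProperties 1 = hypervisor support,
    # 2 = Secure Boot; SecurityServicesConfigured/Running 1 = Credential Guard.
    $checks = [ordered]@{
        'BitLocker ProtectionStatus On'         = ($bde.ProtectionStatus -eq 'On')
        'BitLocker VolumeStatus FullyEncrypted' = ($bde.VolumeStatus -eq 'FullyEncrypted')
        'TPM present'                           = [bool](Get-Tpm).TpmPresent
        'Secure Boot (UEFI) on'                 = [bool](Confirm-SecureBootUEFI)
        'Virtualization available (DG 1)'       = ($dg.AvailableSecurityProperties -contains 1)
        'Secure Boot available (DG 2)'          = ($dg.AvailableSecurityProperties -contains 2)
        'Credential Guard configured'           = ($dg.SecurityServicesConfigured -contains 1)
        'Credential Guard running'              = ($dg.SecurityServicesRunning -contains 1)
    }

    foreach ($name in $checks.Keys) {
        # Nulls from missing modules/BIOS machines coerce to $false, i.e. noncompliant
        [pscustomobject]@{ Check = $name; Compliant = [bool]$checks[$name] }
    }
}

$results = Get-LostDeviceChecks

# Local validation: show the per-check table (remove this line when used as a discovery script)
$results | Format-Table -AutoSize

# Single value for an aggregate configuration item; compliance rule: Equals Compliant
if ($results.Compliant -contains $false) { 'NonCompliant' } else { 'Compliant' }
```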