To ensure BitLocker compliance, a configuration baseline is set up in SCCM to continuously check BitLocker compliance and remediate any clients where encryption may have been disabled or failed.
The following was configured in SCCM.
Created a new configuration item under Assets and Compliance as follows:
NOTE: You need to add a PowerShell script to the discovery section to detect BitLocker status. The remediation section is left blank because remediation is handled by a separate deployment.
Saved configuration item.
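A discovery script of the kind the note above calls for, shown as an added example and not the script used in the original configuration item. It assumes the compliance rule compares the returned string to `Compliant`, that only the OS drive is checked, and that a recovery password protector is required; the function name `Get-BitLockerComplianceState` is hypothetical.

```powershell
# Added example: discovery script for an SCCM configuration item (script setting, string data type).
# Assumption: the compliance rule on the CI expects the returned value to equal "Compliant".
$ErrorActionPreference = 'Stop'

function Get-BitLockerComplianceState {
    param(
        # OS volume to evaluate; defaults to the system drive (normally C:)
        [string]$MountPoint = $env:SystemDrive
    )

    try {
        $volume = Get-BitLockerVolume -MountPoint $MountPoint
    }
    catch {
        # BitLocker module missing, feature unavailable, or the query failed
        return 'NonCompliant: cannot query BitLocker'
    }

    # Encryption still in progress, paused, or never started is non-compliant
    if ($volume.VolumeStatus -ne 'FullyEncrypted') {
        return "NonCompliant: VolumeStatus=$($volume.VolumeStatus)"
    }

    # A fully encrypted volume with protection suspended is not protected at rest
    if ($volume.ProtectionStatus -ne 'On') {
        return "NonCompliant: ProtectionStatus=$($volume.ProtectionStatus)"
    }

    # Assumed policy: a recovery password protector must exist so the volume can be recovered
    $types = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'RecoveryPassword') {
        return 'NonCompliant: no RecoveryPassword protector'
    }

    return 'Compliant'
}

# SCCM reads the script's output as the discovered value for the setting
Get-BitLockerComplianceState
```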
Created configuration baseline as follows:
Deployed configuration baseline to 'Windows 10 - All Staff' collection with the following settings:
A PowerShell-based package is deployed to the resulting non-compliance collection to remediate any clients where BitLocker may have failed or been disabled.