Hello Guilherme,
Yes, you can customize your SCA to include checks for BitLocker activation; however, it is advisable to use the GPO and registry keys to achieve easy execution of the SCA, as running the manage-bde command will return an error: "Check not applicable due to: Failed to run command 'manage-bde -status'. Returned code 1734693408".
You can try the steps below to set this up: go to your GPO and enable the setting you prefer.
For this demo I will change the last setting, "Configure TPM startup key and PIN", and select "Require startup key and PIN with TPM".
Now, the check passes -
This is the rule I created; you can modify it to fit what you want to achieve:
# 2.3 Ensure Bitlocker is Enabled.
- id: 15500
  title: "Ensure Bitlocker is Enabled."
  description: "null."
  rationale: "null."
  remediation: "null."
  compliance:
    - cis: ["2.3"]
  condition: all
  rules:
    # policy key created once any BitLocker GPO setting is configured
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE'
    # value written by "Configure TPM startup key and PIN"
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE -> UseTPMKeyPIN'
    # 1 = "Require startup key and PIN with TPM"
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE -> UseTPMKeyPIN -> 1'
Since this is a custom check, you will have to populate the other fields in the check with details you desire.
I hope this helps.
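As an added example (not part of the answer above), the following PowerShell snippet reads the same policy value the SCA rule evaluates and, next to it, the real protection status of each volume from Get-BitLockerVolume. The point is the caveat: the FVE policy key only shows that the GPO setting is configured, so the SCA check can pass on a machine whose OS drive is not actually encrypted. It assumes an elevated PowerShell session on Windows with the BitLocker module available; the function names are my own.

```powershell
# Added example, not from the original answer. Assumes an elevated PowerShell
# session on Windows with the BitLocker module available (Get-BitLockerVolume).

$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyState {
    # Mirrors the three SCA rules: key exists, value exists, value equals 1.
    if (-not (Test-Path $fvePath)) {
        return [pscustomobject]@{ KeyPresent = $false; UseTPMKeyPIN = $null; Compliant = $false }
    }
    $props = Get-ItemProperty -Path $fvePath
    $val = $props.UseTPMKeyPIN          # $null when the value is absent
    [pscustomobject]@{
        KeyPresent   = $true
        UseTPMKeyPIN = $val
        Compliant    = ($val -eq 1)     # 1 = "Require startup key and PIN with TPM"
    }
}

function Get-VolumeProtectionState {
    # Reports what the policy key cannot: whether each volume is actually protected.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeStatus         = $_.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
            ProtectionStatus     = $_.ProtectionStatus    # On / Off
            EncryptionPercentage = $_.EncryptionPercentage
            KeyProtectors        = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

$policy = Get-FvePolicyState
Write-Host "FVE policy key present: $($policy.KeyPresent)"
Write-Host "UseTPMKeyPIN: $($policy.UseTPMKeyPIN)  (SCA rule 15500 would pass: $($policy.Compliant))"

Write-Host "`nPer-volume BitLocker state:"
Get-VolumeProtectionState | Format-Table -AutoSize

# The gap the registry-only check leaves: policy configured, OS drive unprotected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($policy.Compliant -and $os.ProtectionStatus -ne 'On') {
    Write-Warning "Policy requires TPM+PIN, but $($env:SystemDrive) protection is $($os.ProtectionStatus): the SCA check passes while the OS drive is not protected."
}
```

If the warning fires, the registry-based rule is doing what it was written to do (confirming the GPO is applied), but it is not evidence that BitLocker is turned on; to assert activation you would need a data source that reflects ProtectionStatus, not the policy key.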