endpoint security

Implementing Disk Encryption with BitLocker

Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from unauthorized access in case of device loss or theft. Use when deploying encryption for compliance requirements, securing mobile workstations, or implementing data protection controls across the enterprise. Activates for requests involving BitLocker encryption, disk encryption, TPM configuration, or data-at-rest protection.

bitlockerdata-protectionencryptionendpointtpmwindows-security
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Encrypting Windows endpoints to protect data at rest for compliance (PCI DSS, HIPAA, GDPR)
  • Deploying BitLocker across enterprise fleet via Intune, SCCM, or GPO
  • Configuring TPM-based encryption with PIN or USB startup key for enhanced security
  • Managing BitLocker recovery keys in Active Directory or Azure AD

Do not use this skill for Linux disk encryption (use LUKS/dm-crypt) or macOS (use FileVault).

Prerequisites

  • Windows 10/11 Pro, Enterprise, or Education edition
  • TPM 2.0 chip (recommended; TPM 1.2 supported with limitations)
  • UEFI firmware with Secure Boot enabled (recommended)
  • Separate system partition (200 MB minimum, created automatically by Windows installer)
  • Active Directory or Azure AD for recovery key escrow

Workflow

Step 1: Verify TPM and System Requirements

# Check TPM status
Get-Tpm
# ManufacturerId, ManufacturerVersion, TpmPresent, TpmReady, TpmEnabled
 
# Check TPM version (2.0 required for best compatibility)
(Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm).SpecVersion
 
# Check UEFI/Secure Boot
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled
 
# Check BitLocker readiness
$vol = Get-BitLockerVolume -MountPoint "C:"
$vol.VolumeStatus  # Should be "FullyDecrypted"
$vol.ProtectionStatus  # Should be "Off"

Step 2: Configure BitLocker GPO Settings

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
 
Operating System Drives:
  - Require additional authentication at startup: Enabled
    - Allow BitLocker without compatible TPM: Disabled (enforce TPM)
    - Configure TPM startup: Allow TPM
    - Configure TPM startup PIN: Allow startup PIN with TPM
    - Configure TPM startup key: Allow startup key with TPM
 
  - Choose how BitLocker-protected OS drives can be recovered: Enabled
    - Allow data recovery agent: True
    - Configure storage of recovery information to AD DS: Enabled
    - Save recovery info to AD DS for OS drives: Store recovery passwords and key packages
    - Do not enable BitLocker until recovery information is stored: Enabled
 
  - Choose drive encryption method and cipher strength:
    - OS drives: XTS-AES 256-bit (Windows 10 1511+)
    - Fixed drives: XTS-AES 256-bit
    - Removable drives: AES-CBC 256-bit (for cross-platform compatibility)
 
Fixed Data Drives:
  - Choose how BitLocker-protected fixed drives can be recovered: Enabled
    - Store recovery passwords in AD DS: Enabled
 
Removable Data Drives:
  - Control use of BitLocker on removable drives: Enabled
  - Configure use of passwords for removable drives: Require complexity

Step 3: Enable BitLocker - Command Line

# Enable BitLocker with TPM-only protector (transparent to user)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
  -TpmProtector -SkipHardwareTest
 
# Enable BitLocker with TPM + PIN (recommended for laptops)
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
  -TpmAndPinProtector -Pin $pin
 
# Add recovery password protector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
# Backup recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" `
  -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[1].KeyProtectorId
 
# Encrypt fixed data drives
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 `
  -RecoveryPasswordProtector -AutoUnlockEnabled

Step 4: Deploy via Intune (Enterprise)

Intune → Endpoint Security → Disk encryption → Create Profile
 
Platform: Windows 10 and later
Profile: BitLocker
 
Settings:
  BitLocker base settings:
    - Encryption for operating system drives: Require
    - Encryption for fixed data drives: Require
    - Encryption for removable data drives: Require
 
  Operating system drive settings:
    - Additional authentication at startup: Require
    - TPM startup: Allowed
    - TPM startup PIN: Required (for high-security endpoints)
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD
 
  Fixed drive settings:
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD
 
  Assign to: All managed Windows devices (or specific groups)

Step 5: Manage Recovery Keys

# View recovery key on local system
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
  Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} |
  Select-Object KeyProtectorId, RecoveryPassword
 
# Retrieve recovery key from Active Directory (requires RSAT)
Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} `
  -SearchBase "CN=COMPUTER01,OU=Workstations,DC=corp,DC=example,DC=com" `
  -Properties msFVE-RecoveryPassword |
  Select-Object -ExpandProperty msFVE-RecoveryPassword
 
# Retrieve recovery key from Azure AD
# Azure Portal → Azure AD → Devices → [device] → BitLocker keys
# Or via Microsoft Graph API:
# GET /devices/{id}/bitlockerRecoveryKeys

Step 6: Monitor Encryption Status

# Check encryption status across fleet
manage-bde -status C:
 
# Expected output for encrypted drive:
#   Conversion Status: Fully Encrypted
#   Percentage Encrypted: 100.0%
#   Encryption Method: XTS-AES 256
#   Protection Status: Protection On
#   Key Protectors: TPM, Numerical Password
 
# PowerShell compliance check
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On" -and $vol.VolumeStatus -eq "FullyEncrypted") {
    Write-Host "COMPLIANT: BitLocker enabled and fully encrypted"
} else {
    Write-Host "NON-COMPLIANT: BitLocker status - Protection: $($vol.ProtectionStatus), Volume: $($vol.VolumeStatus)"
}

Key Concepts

Term Definition
TPM (Trusted Platform Module) Hardware security chip that stores BitLocker encryption keys and provides measured boot integrity
XTS-AES 256 Encryption cipher used by BitLocker; XTS mode provides better protection for disk encryption than CBC
Recovery Key 48-digit numerical password used to unlock BitLocker-encrypted drive when TPM authentication fails
Key Protector Method used to unlock BitLocker (TPM, TPM+PIN, recovery password, startup key, smart card)
Used Space Only Encryption Encrypts only sectors containing data; faster initial encryption but may leave remnant data in free space
Full Disk Encryption Encrypts entire volume including free space; slower but more secure for drives that previously contained data

Tools & Systems

  • BitLocker (built-in): Windows full disk encryption feature
  • manage-bde.exe: Command-line BitLocker management tool
  • BitLocker Recovery Password Viewer: RSAT tool for viewing recovery keys in Active Directory
  • MBAM (Microsoft BitLocker Administration and Monitoring): Enterprise BitLocker management (legacy, replaced by Intune)
  • Microsoft Intune: Cloud-based BitLocker policy deployment and recovery key management

Common Pitfalls

  • Not escrowing recovery keys before encryption: If recovery keys are not saved to AD/Azure AD before encryption, they may be permanently lost if the TPM fails.
  • Using TPM-only without PIN: TPM-only mode is transparent but vulnerable to cold boot attacks and evil maid attacks. Add a startup PIN for laptops leaving the office.
  • Encrypting used space only on repurposed drives: If a drive previously contained sensitive data, "used space only" encryption leaves deleted data unencrypted in free space. Use full disk encryption for repurposed drives.
  • Forgetting removable drives: USB drives and external disks are common data loss vectors. Enforce BitLocker To Go for removable media.
  • No pre-provisioning for SCCM deployments: Pre-provision BitLocker during OSD task sequence to encrypt before OS deployment, avoiding the lengthy post-deployment encryption process.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.6 KB

API Reference: Implementing Disk Encryption with BitLocker

manage-bde CLI

# Check status
manage-bde -status C:
 
# Enable BitLocker with TPM
manage-bde -on C: -RecoveryPassword -EncryptionMethod AES256
 
# Backup recovery key to AD
manage-bde -protectors -adbackup C: -ID {protector-id}
 
# Lock/unlock
manage-bde -lock D:
manage-bde -unlock D: -RecoveryPassword 123456-...

PowerShell BitLocker Cmdlets

# Get BitLocker volume
Get-BitLockerVolume -MountPoint "C:"
 
# Enable with TPM + PIN
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 `
  -TpmAndPinProtector -Pin (ConvertTo-SecureString "1234" -AsPlainText -Force)
 
# Add recovery password
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
# Backup to AD
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $id

Compliance Checks

Check Severity Requirement
BitLocker enabled CRITICAL All OS drives
AES-256 encryption MEDIUM FIPS/enterprise
TPM protector HIGH Hardware-backed
Recovery key escrowed HIGH AD DS or Azure AD
Full disk encrypted MEDIUM Not used-space only

Microsoft Graph API (Intune)

import requests
headers = {"Authorization": "Bearer <token>"}
resp = requests.get(
    "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
    "?$select=deviceName,isEncrypted",
    headers=headers)

References

standards.md1.8 KB

Standards & References - Implementing Disk Encryption with BitLocker

Primary Standards

NIST SP 800-111 - Guide to Storage Encryption Technologies

FIPS 140-2/3 - Security Requirements for Cryptographic Modules

  • Publisher: NIST
  • Relevance: BitLocker uses FIPS 140-2 validated cryptographic modules when configured in FIPS-compliant mode

Compliance Mappings

Framework Requirement BitLocker Coverage
PCI DSS 4.0 3.5.1 - Render PAN unreadable in storage BitLocker full disk encryption
HIPAA 164.312(a)(2)(iv) - Encryption/decryption BitLocker protects ePHI at rest
GDPR Article 32(1)(a) - Encryption of personal data BitLocker for data-at-rest protection
NIST 800-53 SC-28 Protection of Information at Rest BitLocker encryption
NIST 800-171 3.13.16 - Confidentiality of CUI at rest BitLocker on CUI systems
ISO 27001 A.10.1.1 - Cryptographic controls policy BitLocker implementation

Microsoft References

workflows.md1.9 KB

Workflows - Implementing Disk Encryption with BitLocker

Workflow 1: Enterprise BitLocker Deployment

[Pre-deployment assessment]

    ├── Verify TPM 2.0 across fleet
    ├── Confirm UEFI/Secure Boot
    ├── Plan recovery key escrow (AD DS or Azure AD)


[Configure GPO/Intune policy]

    ├── Set encryption method (XTS-AES 256)
    ├── Configure key protectors (TPM + PIN for laptops, TPM for desktops)
    ├── Enable recovery key escrow


[Pilot deployment (test group)]

    ├── Verify encryption completes without errors
    ├── Test recovery key retrieval
    ├── Verify no boot issues


[Production rollout (phased)]


[Monitor encryption status via Intune/SCCM reports]


[Verify 100% coverage, address failures]

Workflow 2: BitLocker Recovery Process

[User locked out (BitLocker recovery screen)]


[User provides Recovery Key ID to helpdesk]


[Helpdesk retrieves recovery key]

    ├── AD DS: RSAT BitLocker Recovery Password Viewer
    ├── Azure AD: Azure Portal → Devices → BitLocker keys
    ├── Intune: Intune Portal → Devices → Recovery keys


[User enters 48-digit recovery key]


[Investigate why recovery was triggered]

    ├── BIOS/firmware update ──► [Expected, no action]
    ├── TPM failure ──► [Replace TPM or re-encrypt]
    ├── Boot configuration change ──► [Review change, re-seal TPM]
    └── Potential tampering ──► [Security investigation]

Workflow 3: Key Rotation

[Quarterly key rotation policy]


[Generate new recovery password]


[Backup new key to AD/Azure AD]


[Remove old recovery password protector]


[Verify new key works in test recovery]

Scripts 2

agent.py6.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for auditing and managing BitLocker disk encryption across endpoints."""

import json
import argparse
import subprocess
from datetime import datetime


def get_bitlocker_status():
    """Get BitLocker status on local machine via manage-bde."""
    try:
        result = subprocess.run(
            ["manage-bde", "-status"], capture_output=True, text=True, timeout=30)
        volumes = []
        current = {}
        for line in result.stdout.splitlines():
            line = line.strip()
            if line.startswith("Volume"):
                if current:
                    volumes.append(current)
                current = {"volume": line}
            elif ":" in line:
                key, _, value = line.partition(":")
                current[key.strip()] = value.strip()
        if current:
            volumes.append(current)
        return volumes
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return []


def parse_bitlocker_report(report_path):
    """Parse BitLocker compliance report (CSV or JSON)."""
    entries = []
    if report_path.endswith(".json"):
        with open(report_path) as f:
            entries = json.load(f)
    else:
        import csv
        with open(report_path, newline="", encoding="utf-8-sig") as f:
            entries = list(csv.DictReader(f))
    return entries


def audit_bitlocker_compliance(devices):
    """Audit BitLocker compliance across fleet."""
    findings = []
    for device in devices:
        hostname = device.get("hostname", device.get("ComputerName", ""))
        protection = device.get("protection_status", device.get("ProtectionStatus", ""))
        encryption = device.get("encryption_method", device.get("EncryptionMethod", ""))
        key_protector = device.get("key_protector", device.get("KeyProtector", ""))
        recovery_key = device.get("recovery_key_escrowed",
                                  device.get("RecoveryKeyEscrowed", ""))
        if "off" in str(protection).lower() or protection == "0":
            findings.append({
                "hostname": hostname, "issue": "bitlocker_disabled",
                "severity": "CRITICAL",
            })
        if encryption and "aes" not in str(encryption).lower():
            findings.append({
                "hostname": hostname, "issue": "weak_encryption_method",
                "value": encryption, "severity": "HIGH",
            })
        if "128" in str(encryption):
            findings.append({
                "hostname": hostname, "issue": "aes_128_not_256",
                "severity": "MEDIUM",
                "recommendation": "Upgrade to AES-256",
            })
        if not key_protector or "tpm" not in str(key_protector).lower():
            findings.append({
                "hostname": hostname, "issue": "no_tpm_protector",
                "severity": "HIGH",
            })
        if str(recovery_key).lower() in ("no", "false", "0", ""):
            findings.append({
                "hostname": hostname, "issue": "recovery_key_not_escrowed",
                "severity": "HIGH",
                "recommendation": "Escrow recovery key to Active Directory",
            })
    return findings


def generate_gpo_recommendations():
    """Generate Group Policy recommendations for BitLocker."""
    return {
        "Computer Configuration": {
            "path": "Administrative Templates > Windows Components > BitLocker Drive Encryption",
            "settings": [
                {"name": "Choose drive encryption method (OS)",
                 "value": "AES-256", "policy": "Enabled"},
                {"name": "Require additional authentication at startup",
                 "value": "Allow BitLocker without compatible TPM: Disabled",
                 "policy": "Enabled"},
                {"name": "Choose how BitLocker-protected OS drives can be recovered",
                 "value": "Save to AD DS, Do not enable until stored",
                 "policy": "Enabled"},
                {"name": "Enforce drive encryption type on OS drives",
                 "value": "Full encryption", "policy": "Enabled"},
            ],
        },
    }


def calculate_compliance_metrics(devices, findings):
    """Calculate fleet encryption compliance metrics."""
    total = len(devices)
    encrypted = total - sum(1 for f in findings if f["issue"] == "bitlocker_disabled")
    strong_enc = encrypted - sum(1 for f in findings if f["issue"] in
                                  ("weak_encryption_method", "aes_128_not_256"))
    escrowed = total - sum(1 for f in findings if f["issue"] == "recovery_key_not_escrowed")
    return {
        "total_devices": total,
        "encrypted": encrypted,
        "encryption_rate": round(encrypted / total * 100, 1) if total else 0,
        "strong_encryption": strong_enc,
        "recovery_keys_escrowed": escrowed,
        "escrow_rate": round(escrowed / total * 100, 1) if total else 0,
    }


def main():
    parser = argparse.ArgumentParser(description="BitLocker Disk Encryption Agent")
    parser.add_argument("--report", help="BitLocker report CSV/JSON")
    parser.add_argument("--local", action="store_true", help="Check local machine")
    parser.add_argument("--output", default="bitlocker_audit_report.json")
    parser.add_argument("--action", choices=["audit", "local", "gpo", "full"], default="full")
    args = parser.parse_args()

    report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}

    if args.action in ("local", "full") and args.local:
        status = get_bitlocker_status()
        report["findings"]["local_status"] = status
        print(f"[+] Local volumes: {len(status)}")

    if args.action in ("audit", "full") and args.report:
        devices = parse_bitlocker_report(args.report)
        findings = audit_bitlocker_compliance(devices)
        metrics = calculate_compliance_metrics(devices, findings)
        report["findings"]["compliance_audit"] = findings
        report["findings"]["metrics"] = metrics
        print(f"[+] Devices: {metrics['total_devices']}, Encrypted: {metrics['encryption_rate']}%")

    if args.action in ("gpo", "full"):
        gpo = generate_gpo_recommendations()
        report["findings"]["gpo_recommendations"] = gpo
        print("[+] GPO recommendations generated")

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
process.py6.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
BitLocker Compliance Checker

Checks BitLocker encryption status across endpoints and generates
compliance reports for audit purposes.
"""

import json
import subprocess
import sys
import os
import csv
from datetime import datetime


def check_bitlocker_status() -> dict:
    """Check BitLocker status on local Windows endpoint."""
    ps_cmd = """
    $volumes = Get-BitLockerVolume
    $results = @()
    foreach ($vol in $volumes) {
        $protectors = @()
        foreach ($kp in $vol.KeyProtector) {
            $protectors += @{
                Type = $kp.KeyProtectorType.ToString()
                Id = $kp.KeyProtectorId
            }
        }
        $results += @{
            MountPoint = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus.ToString()
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            EncryptionMethod = $vol.EncryptionMethod.ToString()
            EncryptionPercentage = $vol.EncryptionPercentage
            VolumeType = $vol.VolumeType.ToString()
            KeyProtectors = $protectors
            AutoUnlockEnabled = $vol.AutoUnlockEnabled
            AutoUnlockKeyStored = $vol.AutoUnlockKeyStored
        }
    }
    $tpm = Get-Tpm
    @{
        Hostname = $env:COMPUTERNAME
        Volumes = $results
        TPM = @{
            Present = $tpm.TpmPresent
            Ready = $tpm.TpmReady
            Enabled = $tpm.TpmEnabled
            Activated = $tpm.TpmActivated
        }
    } | ConvertTo-Json -Depth 4
    """

    try:
        result = subprocess.run(
            ["powershell", "-NoProfile", "-Command", ps_cmd],
            capture_output=True, text=True, timeout=30,
        )
        if result.returncode == 0 and result.stdout.strip():
            return json.loads(result.stdout)
        return {"error": result.stderr or "Failed to check BitLocker status"}
    except FileNotFoundError:
        return {"error": "PowerShell not available (requires Windows)"}
    except subprocess.TimeoutExpired:
        return {"error": "Command timed out"}
    except json.JSONDecodeError as e:
        return {"error": f"Parse error: {e}"}


def assess_compliance(status: dict) -> dict:
    """Assess BitLocker compliance against security baseline."""
    findings = {
        "hostname": status.get("Hostname", "unknown"),
        "overall_compliant": True,
        "tpm_status": "compliant",
        "volume_findings": [],
    }

    tpm = status.get("TPM", {})
    if not tpm.get("Present") or not tpm.get("Ready"):
        findings["tpm_status"] = "non-compliant"
        findings["overall_compliant"] = False

    for vol in status.get("Volumes", []):
        vol_finding = {
            "mount_point": vol["MountPoint"],
            "compliant": True,
            "issues": [],
        }

        if vol["VolumeStatus"] != "FullyEncrypted":
            vol_finding["compliant"] = False
            vol_finding["issues"].append(f"Not fully encrypted: {vol['VolumeStatus']}")

        if vol["ProtectionStatus"] != "On":
            vol_finding["compliant"] = False
            vol_finding["issues"].append(f"Protection not enabled: {vol['ProtectionStatus']}")

        if vol["EncryptionMethod"] not in ("XtsAes256", "XtsAes128"):
            vol_finding["issues"].append(f"Weak encryption method: {vol['EncryptionMethod']}")

        protector_types = [kp["Type"] for kp in vol.get("KeyProtectors", [])]
        has_recovery = "RecoveryPassword" in protector_types or "NumericalPassword" in protector_types
        if not has_recovery:
            vol_finding["compliant"] = False
            vol_finding["issues"].append("No recovery password protector configured")

        has_tpm = any(t in protector_types for t in ["Tpm", "TpmPin", "TpmPinStartupKey"])
        if vol["VolumeType"] == "OperatingSystem" and not has_tpm:
            vol_finding["compliant"] = False
            vol_finding["issues"].append("OS volume missing TPM protector")

        if not vol_finding["compliant"]:
            findings["overall_compliant"] = False

        findings["volume_findings"].append(vol_finding)

    return findings


def generate_report(status: dict, compliance: dict, output_path: str) -> None:
    """Generate BitLocker compliance report."""
    report = {
        "report_generated": datetime.utcnow().isoformat() + "Z",
        "hostname": status.get("Hostname", "unknown"),
        "overall_compliance": "COMPLIANT" if compliance["overall_compliant"] else "NON-COMPLIANT",
        "tpm_status": compliance["tpm_status"],
        "tpm_details": status.get("TPM", {}),
        "volumes": [],
    }

    for vol, finding in zip(status.get("Volumes", []), compliance["volume_findings"]):
        report["volumes"].append({
            "mount_point": vol["MountPoint"],
            "status": vol["VolumeStatus"],
            "protection": vol["ProtectionStatus"],
            "encryption_method": vol["EncryptionMethod"],
            "encryption_percent": vol["EncryptionPercentage"],
            "key_protectors": [kp["Type"] for kp in vol.get("KeyProtectors", [])],
            "compliant": finding["compliant"],
            "issues": finding["issues"],
        })

    with open(output_path, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)


if __name__ == "__main__":
    output_dir = sys.argv[1] if len(sys.argv) > 1 else "."

    print("Checking BitLocker status...")
    status = check_bitlocker_status()

    if "error" in status:
        print(f"Error: {status['error']}")
        print("This tool requires Windows with BitLocker support.")
        sys.exit(1)

    print("Assessing compliance...")
    compliance = assess_compliance(status)

    report_path = os.path.join(output_dir, "bitlocker_compliance.json")
    generate_report(status, compliance, report_path)
    print(f"Compliance report: {report_path}")

    print(f"\n--- BitLocker Compliance ---")
    print(f"Hostname: {compliance['hostname']}")
    print(f"Overall: {'COMPLIANT' if compliance['overall_compliant'] else 'NON-COMPLIANT'}")
    print(f"TPM: {compliance['tpm_status']}")

    for vf in compliance["volume_findings"]:
        status_icon = "PASS" if vf["compliant"] else "FAIL"
        print(f"\n  [{status_icon}] {vf['mount_point']}")
        for issue in vf["issues"]:
            print(f"    - {issue}")

Assets 1

template.mdtext/markdown · 1.2 KB
Keep exploring