BitLocker Audit & Reports
Zecurit provides real-time visibility into the BitLocker encryption status of every managed Windows device. The Reports module lets IT administrators monitor compliance coverage, review TPM hardware readiness, track recovery key storage, and export audit-ready data, all from a single dashboard without touching individual machines.
This page explains the available BitLocker report types, how to access them, and how to use them for internal audits and regulatory compliance submissions.
Accessing BitLocker Reports
To access BitLocker reporting in Zecurit, click Reports in the left-hand navigation bar. Under the Security category, you will find the following BitLocker-specific reports: BitLocker Encryption Status, TPM Status Report, and Recovery Key Audit Log. Each report can be filtered by device group, department, OS version, or date range, and can be exported to CSV or PDF format.
BitLocker Details Report
The BitLocker Details report provides a complete, device-by-device view of encryption coverage across your managed fleet. For each device, the report shows:
- Device name and assigned user.
- Encryption state (Encrypted, Encryption in Progress, Suspended, Not Encrypted).
- The encryption method in use (AES-128, AES-256, XTS-AES 128, XTS-AES 256).
- The date encryption was first applied and the date of the last policy check-in.
- The assigned BitLocker profile name.
- Whether a recovery key is stored in Active Directory.
This report is your primary tool for demonstrating encryption compliance to auditors. It answers the core audit question: “Can you prove that all devices containing sensitive data are encrypted?”
Filtering and Exporting the Encryption Status Report
Use the filter controls at the top of the report to narrow results by device group, encryption state, or date range. For example, filter by “Not Encrypted” to immediately identify all devices that are out of compliance. Filter by device group to generate a department-specific compliance report.
To export, click the Export button and choose your format. CSV exports are useful for analysis in Excel or for importing into GRC (Governance, Risk, and Compliance) platforms. PDF exports are formatted for direct submission to auditors or security teams.
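As an added example (not Zecurit's own code), the Python script below triages a CSV export of the encryption status report: it computes per-group compliance coverage and lists, per device, why it fails. The column names, the sample rows, and the policy (only the "Encrypted" state, 256-bit methods, and a recovery key in Active Directory count as compliant) are assumptions, not the product's documented export schema or defaults.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions, not Zecurit's
# documented CSV schema; adjust them to match the real export header.
SAMPLE_CSV = """Device,User,Group,State,Method,RecoveryKeyInAD
FIN-LT-01,alice,Finance,Encrypted,XTS-AES 256,Yes
FIN-LT-02,bob,Finance,Suspended,XTS-AES 256,Yes
FIN-LT-03,carol,Finance,Encrypted,XTS-AES 128,No
ENG-WS-01,dave,Engineering,Not Encrypted,,No
ENG-WS-02,erin,Engineering,Encrypted,AES-128,Yes
ENG-WS-03,frank,Engineering,Encryption in Progress,XTS-AES 256,Yes
"""

# Assumed local policy: only these encryption methods count as compliant.
APPROVED_METHODS = {"XTS-AES 256", "AES-256"}

def findings_for(row):
    """Return the list of reasons a device row fails the assumed policy."""
    reasons = []
    if row["State"] != "Encrypted":
        reasons.append("state: " + row["State"])
    elif row["Method"] not in APPROVED_METHODS:
        reasons.append("method: " + row["Method"])
    # A missing escrowed key matters for any volume that holds encrypted data.
    if row["State"] != "Not Encrypted" and row["RecoveryKeyInAD"].strip().lower() != "yes":
        reasons.append("no recovery key in AD")
    return reasons

def audit(csv_text):
    """Return (coverage, findings): compliant fraction per group, reasons per device."""
    totals, ok, findings = defaultdict(int), defaultdict(int), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals[row["Group"]] += 1
        reasons = findings_for(row)
        if reasons:
            findings[row["Device"]] = reasons
        else:
            ok[row["Group"]] += 1
    return {g: ok[g] / totals[g] for g in totals}, findings

if __name__ == "__main__":
    coverage, findings = audit(SAMPLE_CSV)
    for group, frac in sorted(coverage.items()):
        print(f"{group}: {frac:.0%} compliant")
    for device, reasons in sorted(findings.items()):
        print(f"{device}: {'; '.join(reasons)}")
```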
TPM Status Report
The TPM Status report gives you visibility into the hardware-level security readiness of your managed devices. For each device, it shows:
- Whether a TPM chip is present.
- The TPM version (1.2 or 2.0).
- Whether the TPM is enabled and activated in firmware.
- The TPM manufacturer and firmware version.
This report is useful for planning hardware refreshes, identifying devices that cannot support TPM-based authentication, and ensuring your fleet meets Windows 11 compatibility requirements (which mandate TPM 2.0).
Devices that appear in the TPM report with no TPM or with TPM 1.2 should be evaluated individually to determine whether passphrase-based encryption is acceptable, or whether a hardware upgrade is warranted.
Recovery Key Audit Log
The Recovery Key Audit Log records every instance in which a BitLocker recovery key was viewed or retrieved through the Zecurit console. For each access event, the log shows:
- The device name and serial number.
- The Zecurit administrator who accessed the key.
- The date and time of access.
- The reason for access (if recorded).
- The recovery key identifier.
This log is critical for organizations subject to data access auditing requirements. It provides a chain-of-custody record for recovery key access, which auditors often require to confirm that access to encrypted data is controlled and monitored.
Setting Up Compliance Alerts
In addition to on-demand reports, Zecurit can send automated alerts when a device falls out of BitLocker compliance. To configure alerts, navigate to Alerts in the left-hand navigation and create a new rule with the condition “BitLocker status is Not Encrypted.” You can configure the alert to notify specific administrators by email when a device in a target group loses encryption coverage.
This ensures that your compliance posture is maintained continuously, not just at the time of your last audit.
Scheduled Report Delivery
Zecurit supports scheduled report delivery. You can configure the BitLocker Encryption Status report to be emailed to your security team, compliance officer, or auditor on a daily, weekly, or monthly basis. This is particularly useful for organizations with continuous compliance monitoring requirements under frameworks like SOC 2 Type II or NIS2.