
Disk Encryption Status

Alert when a device's primary partition isn't encrypted. The Encryption Status monitor checks BitLocker on Windows, FileVault on macOS, and LUKS on Linux with no configuration needed.

Introduction

Unencrypted endpoints are one of the most common compliance gaps in any environment. A lost laptop with an unencrypted drive is a data breach; a lost laptop with an encrypted drive, where the recovery key is stored centrally rather than with the device, is a hardware loss.

The Encryption Status monitor checks whether each device's primary partition is encrypted and creates an alert when it isn't, or when encryption is in an unexpected state. It works across Windows (BitLocker), macOS (FileVault), and Linux (LUKS), and it requires no threshold or duration configuration. Add it to a policy and it starts checking.


How It Works

The monitor runs on the agent. It performs a single boolean check, is the device's primary partition encrypted or not, and raises an alert on "not". There are no thresholds, durations, or scopes to configure.

The check only covers the primary (boot) partition. Secondary drives and additional volumes aren't evaluated. If you need to verify encryption on secondary drives, pair this monitor with a script monitor that checks the specific volumes you care about. See Run Script Monitor.

🖥️ PLATFORM NOTE:

  • Windows: Checks BitLocker protection status on the boot volume. This reflects whether BitLocker protection is currently on, not just whether the volume has been encrypted. A fully encrypted volume with protection suspended (which happens temporarily during some Windows updates and firmware changes) reports as not encrypted. That is the right call: while protection is suspended, BitLocker keeps a clear copy of the volume key on disk, so the data is readable without the TPM, PIN, or recovery key.

  • macOS: Checks whether FileVault is enabled on the boot volume, using the OS's native FileVault status rather than a third-party tool. On the device itself, fdesetup status reports the same state.

  • Linux: Checks for LUKS encryption on the root partition (/). Separate partitions such as /home or swap aren't evaluated. On the device, lsblk -o NAME,TYPE,MOUNTPOINT shows whether / sits on a device of type crypt.
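The built-in monitor stops at the boot volume and folds "encrypted but suspended" into "not encrypted". If you pair it with a script monitor, as suggested above, the script below is the kind of check you would run on Windows. It is an added example, not Level's own code or the monitor's implementation: it walks every fixed volume with the stock BitLocker and Storage cmdlets and reports the two conditions separately (VolumeStatus for whether the data is encrypted, ProtectionStatus for whether the key protectors are active). The exit-code convention, non-zero exit meaning "alert", is an assumption; confirm how the Run Script Monitor interprets results before relying on it.

```powershell
# Added example (not Level's code): audit BitLocker on every fixed volume,
# distinguishing "encrypted" (VolumeStatus) from "protected" (ProtectionStatus).
# Assumption: the script monitor treats a non-zero exit code as the alert
# condition; check the Run Script Monitor article for the real convention.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

# Only audit fixed drives with a letter; USB sticks and unmounted volumes are skipped.
$fixedMountPoints = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" }

$findings = @()

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($fixedMountPoints -notcontains $mp) { continue }

    $role = if ($vol.VolumeType -eq 'OperatingSystem') { 'boot' } else { 'data' }

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # Never encrypted, or encryption/decryption still in progress or paused.
        $findings += "$mp ($role): VolumeStatus=$($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    }
    elseif ($vol.ProtectionStatus -ne 'On') {
        # Fully encrypted but protectors suspended: the clear key is on disk,
        # so the data is readable without TPM/PIN/recovery key. This is the
        # state the built-in monitor also reports as "not encrypted".
        $findings += "$mp ($role): encrypted but ProtectionStatus=$($vol.ProtectionStatus) (suspended)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: all fixed volumes fully encrypted with BitLocker protection on'
    exit 0
}

$findings | ForEach-Object { Write-Output "ALERT: $_" }
exit 1
```

Run it once by hand on a known-good machine before attaching it to a monitor: a freshly patched workstation where a firmware update suspended protection should show up as "encrypted but ProtectionStatus=Off" rather than as a 0% encrypted volume, which tells you whether to chase the update or the encryption rollout.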


Adding the Monitor

Open the monitor policy that targets the devices you want to check, then click + Add new monitor.


Name and Type

  1. Enter a Name that identifies the monitor's purpose at a glance, like "Disk Encryption Status" or "Workstations - Encryption Compliance."

  2. Set Type to Encryption status.

Once the type is selected, the panel confirms there's nothing else to set: the monitor watches the device's primary partition only, with no configuration needed.

Severity

Set Severity to match how urgently your team treats an unencrypted device:

  • Information

  • Warning

  • Critical

💡 TIP: If your clients have compliance requirements (HIPAA, CMMC, cyber insurance attestations), consider Critical. An unencrypted endpoint isn't degrading performance, but it's an open compliance finding every hour it persists.


Remediation

Attach an automation to run when this alert fires. Click the Select an automation field and choose one. Use the link icon to open the selected automation in a new tab, the eye icon to preview it, or the × to clear the selection.

ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.

The natural pairing here is an automation built on the Enable Disk Encryption action, which turns on BitLocker or FileVault and stores the recovery key in Level. That closes the loop: the monitor detects the gap, the automation fixes it, and auto-resolve clears the alert.

⚠️ WARNING: Think before auto-remediating encryption on servers and shared machines. Enabling BitLocker can require a reboot to complete, and every encryption change carries recovery-key implications: if the key isn't captured and stored, the data behind it is gone. For workstations, automatic remediation is usually safe. For servers, a notification-only approach with manual follow-up is often the better call.


Notify Recipients

Two checkboxes control whether the policy's recipients get emailed:

  • On alert creation sends an email when the alert fires.

  • On alert resolution sends an email when the alert resolves.

Both are off by default. Recipients are managed at the monitor policy level, in the Recipients section.


Auto-Resolve

The Auto-resolve alert when conditions clear toggle closes the alert automatically once the primary partition reports as encrypted again, whether that's because your remediation automation enabled encryption or a technician fixed it by hand.

It's off by default for this monitor. Turn it on if you're pairing the monitor with automated remediation. Leave it off if you want every encryption finding to stay open until someone reviews it.


FAQ

  • Why is a device alerting when I know the drive is encrypted? On Windows, the monitor reads BitLocker's protection status, not just the encryption state. A volume that's fully encrypted but has protection suspended (common temporarily during certain Windows updates) reports as not encrypted until protection resumes. If the alert doesn't clear after the update finishes, run manage-bde -status on the device: "Conversion Status: Fully Encrypted" alongside "Protection Status: Protection Off" confirms the suspended state, and manage-bde -protectors -enable C: resumes it.

  • Does this check all drives or just the system drive? Just the primary (boot) partition. Secondary drives and data volumes aren't evaluated on any platform. Use a script monitor if you need coverage beyond the boot volume.

  • Can it detect third-party encryption like VeraCrypt or Symantec? No. The monitor checks the OS-native mechanisms: BitLocker on Windows, FileVault on macOS, and LUKS on Linux. Devices using third-party full-disk encryption will report as not encrypted.

  • I added the monitor but some devices never alert and never show as evaluated. Why? Check the agent version. Older agents ignore monitor types they don't recognize, so devices on outdated builds won't run this check at all. Update the agent and the monitor picks them up.

  • Can the alert fix the problem automatically? Yes. Attach an automation that uses the Enable Disk Encryption action as the remediation. Level enables BitLocker or FileVault and stores the recovery key. Enable auto-resolve so the alert closes once encryption is active.

  • Who can create and edit this monitor? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.
