When an assessor asks, “Show me your proof,” they’re not asking if you meant to encrypt laptops. They want evidence that encryption is on, it stays on, and it covers the devices that touch CUI.
In this guide, I’ll show how I package CMMC BitLocker evidence using Microsoft Intune reports in a way that holds up in a CMMC Level 2 assessment. I’ll also share file naming, folder structure, and the exact export fields I like to highlight so the story is easy to follow.
I’m writing this for MSPs and IT admins who wear five hats at once, especially in Small Business IT. Let’s make the evidence clean, repeatable, and low-drama.
What “good” CMMC BitLocker evidence looks like to an assessor

For CMMC Level 2, I treat BitLocker evidence like a short court case. Each artifact should answer one question, and together they should tell a complete story: scope, configuration, status, and key management.
Most assessors will anchor on the CMMC Level 2 assessment guidance, then trace your artifacts back to the practices mapped to NIST SP 800-171. I keep the official guide bookmarked so I can match what I export to what they expect to see in an interview. The current reference I use is the CMMC Assessment Guide Level 2 (PDF).
Here’s what I aim to prove with my evidence package:
- Encryption is required for in-scope endpoints (devices that store or process CUI).
- BitLocker is configured intentionally (not “whatever Windows decided”).
- Encryption status is measurable (per-device reporting, not a policy statement).
- Recovery keys are escrowed and retrievable (with access controlled).
- Exceptions are documented (test rigs, kiosks, or legacy gear with compensating controls).
To stay grounded in Microsoft’s own wording, I also cross-check the policy side against Encrypt Windows devices with BitLocker using Intune. That helps when an assessor asks why a setting exists, or how it’s deployed.
Gotcha I see often: teams export an encryption report but forget to show how recovery keys are protected and who can read them. Evidence needs both status and control.
This isn’t legal advice, and I don’t try to “interpret” CMMC on the fly. If there’s any doubt, I confirm expectations with a C3PAO or a qualified consultant before the assessment window.
Using Intune reports as your primary evidence source (what I export and why)

Intune is my “source of truth” because it ties together policy, device state, and identity (via Microsoft Entra ID). That makes it ideal for Endpoint Security evidence, and it scales well for Managed IT for Small Business.
Where I pull the BitLocker status report
In most tenants, I start at the encryption monitoring report documented in View report details for encryption status in Intune. If Microsoft moves the menus (they do), I use the Intune admin center search and look for “encryption report,” “disk encryption,” or “recovery keys.”
As of March 2026, I still plan for UI drift. So I capture evidence in a way that survives minor navigation changes:
- CSV export for the raw list (sortable, filterable, and easy to sample).
- PDF export or screenshot for the “what I saw” view.
- Timestamps in filenames and in the exported file metadata.
Columns I highlight in the export
I don’t highlight everything. I call attention to the fields that let an assessor validate scope and status quickly. In practice, that means I bold or annotate these columns in my working copy (not in the system of record):
Device name, Serial number (if present), Entra device ID (or Azure AD device ID), Primary user, Last check-in, Encryption status, OS drive encrypted, Encryption method/strength (when available), and Recovery key escrowed/available.
If I’m using compliance policies to enforce encryption, I also export the compliance report view and keep a screenshot that shows assignments and counts. Microsoft has been evolving these screens, so I keep an eye on the updated experience for Intune device compliance reports to avoid surprises before an assessment.
A simple capture routine (repeatable every month)
- Filter Intune reports to the CUI scope (group, tag, or device filter).
- Export CSV, then export PDF (or capture a screenshot).
- Save one Entra device record screenshot for a sampled device (shows identity and last activity).
- Record who captured it, when, and from which tenant.
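To make the monthly capture less manual, here is an added example (my own illustration, not anything Microsoft ships) that reads an exported encryption-report CSV, checks each device against the criteria above (encrypted, OS drive encrypted, recovery key escrowed, recent check-in) and builds the timestamped filename. The CSV rows and column headers are constructed; real Intune exports use tenant- and version-specific headers, so adjust the names before running it on your own export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. The headers mirror the fields called out above;
# real Intune column names vary by tenant and report version (assumption).
SAMPLE_CSV = """Device name,Serial number,Primary user,Last check-in,Encryption status,OS drive encrypted,Recovery key escrowed
LT-014,SN00014,alice@example.test,2026-03-04T09:12:00Z,Encrypted,Yes,Yes
LT-022,SN00022,bob@example.test,2026-03-03T17:40:00Z,Encrypted,Yes,No
LT-031,SN00031,carol@example.test,2026-01-20T08:00:00Z,Encrypted,Yes,Yes
KIOSK-02,SN00902,,2026-03-05T06:30:00Z,Not encrypted,No,No
"""

CAPTURE_TIME = datetime(2026, 3, 5, 10, 0, tzinfo=timezone.utc)  # constructed
STALE_AFTER = timedelta(days=30)  # assumption: older check-ins need an explanation

def evaluate_export(csv_text, captured_at=CAPTURE_TIME):
    """Return (summary, findings). A device is clean only when it reports
    encrypted, the OS drive is encrypted, a recovery key is escrowed, and it
    checked in recently; everything else is a finding for the exceptions list."""
    findings = []
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        reasons = []
        if row["Encryption status"].strip().lower() != "encrypted":
            reasons.append("not encrypted")
        if row["OS drive encrypted"].strip().lower() != "yes":
            reasons.append("OS drive not encrypted")
        if row["Recovery key escrowed"].strip().lower() != "yes":
            reasons.append("recovery key not escrowed")
        seen = datetime.fromisoformat(row["Last check-in"].replace("Z", "+00:00"))
        if captured_at - seen > STALE_AFTER:
            reasons.append(f"stale check-in ({seen.date()})")
        if reasons:
            findings.append((row["Device name"], reasons))
    summary = {"total": total, "clean": total - len(findings), "findings": len(findings)}
    return summary, findings

def evidence_filename(captured_at, scope="CUI-Scope", ext="csv"):
    """Sortable, timestamped name matching the package naming convention."""
    return f"{captured_at:%Y-%m-%d}_Intune_EncryptionReport_{scope}.{ext}"

if __name__ == "__main__":
    summary, findings = evaluate_export(SAMPLE_CSV)
    print(evidence_filename(CAPTURE_TIME), summary)
    for device, reasons in findings:
        print(f"  {device}: {'; '.join(reasons)}")
```

The findings list is what goes into the evidence notes and the exceptions list, each with a ticket number and compensating control; the summary counts are what I quote in the scope statement.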
That’s enough to demonstrate Device Hardening intent plus ongoing monitoring, without burying the assessor in noise.
My evidence package template (folder structure, file names, and a printable checklist)

When I act as a Business Technology Partner, I don’t just hand over exports. I hand over a package that’s easy to defend in an interview.
Folder structure I use (simple and assessor-friendly)
I keep it predictable, month to month:
- Evidence/CMMC_L2/03_SystemSecurityPlan_References/
- Evidence/CMMC_L2/09_MediaProtection/BitLocker/2026-03/
- Evidence/CMMC_L2/09_MediaProtection/BitLocker/2026-03/Samples/
- Evidence/CMMC_L2/ChangeLog/
Inside the monthly folder, I name files so they sort correctly and show capture time. Examples:
- 2026-03-05_Intune_EncryptionReport_CUI-Scope.csv
- 2026-03-05_Intune_EncryptionReport_CUI-Scope.pdf
- 2026-03-05_Intune_DiskEncryptionPolicy_Assignments.png
- 2026-03-05_Entra_DeviceRecord_SAMPLE-LT-014.png
- 2026-03-05_EvidenceNotes_BitLocker.md (short notes, no secrets)
What I consider an “acceptable” BitLocker evidence set
This table shows the minimum set I like to include for a clean narrative.
| Artifact | Source | What it proves | Suggested filename |
|---|---|---|---|
| Device encryption status export | Intune encryption report | Encryption state across in-scope endpoints | YYYY-MM-DD_Intune_EncryptionReport_CUI-Scope.csv |
| Human-readable snapshot | Intune export or screenshot | What the admin saw at capture time | YYYY-MM-DD_Intune_EncryptionReport_CUI-Scope.pdf |
| Disk encryption policy settings | Intune Endpoint security policy | Intended configuration for BitLocker | YYYY-MM-DD_Intune_DiskEncryptionPolicy_Settings.pdf |
| Policy assignment evidence | Intune policy assignment view | Which groups/devices are targeted | YYYY-MM-DD_Intune_DiskEncryptionPolicy_Assignments.png |
| Sample device identity proof | Microsoft Entra ID device record | Device identity, owner, last activity | YYYY-MM-DD_Entra_DeviceRecord_SAMPLE-<device>.png |
| Key access control proof | Entra role assignment screenshot | Only authorized roles can access keys | YYYY-MM-DD_Entra_Roles_RecoveryKeyAccess.png |
| Evidence notes and scope statement | Your internal doc | What “in scope” means and sampling method | YYYY-MM-DD_EvidenceNotes_BitLocker.md |
The takeaway: I try to show status + policy + scope + access controls. Any one item alone feels thin.
Printable checklist (I use this before I declare “ready”)
- Intune encryption report exported (CSV) for the CUI scope.
- Intune encryption report exported (PDF) or screenshot captured.
- Disk encryption policy settings exported or screenshotted.
- Policy assignment view captured (groups, filters, counts).
- Recovery key escrow evidence captured (keys available for sampled devices).
- Recovery key access controls captured (roles, least privilege).
- Sampling method documented (for example, 10 devices or 10% of in-scope).
- Timestamp and analyst initials included in filenames or evidence notes.
- Exceptions list updated (with ticket numbers and compensating controls).
- Retention plan confirmed (I usually keep 12 to 24 months for trend and continuity).
This is also where I tie BitLocker work into broader IT outcomes: stable Cloud Infrastructure, Secure Cloud Architecture, and Cloud Management that supports Business Continuity & Security. When I’m doing an Office 365 Migration or planning Infrastructure Optimization, I keep encryption evidence in the same discipline as identity, patching, and conditional access. Even clients with Restaurant POS Support and Kitchen Technology Solutions benefit, because endpoints move around and staff turns over.
Closing thoughts
BitLocker is the easy part. CMMC BitLocker evidence is the part that fails when it’s scattered, outdated, or missing context. When I build a tight Intune-driven package, I spend less time defending screenshots and more time proving control.
If you want a second set of eyes before a CMMC Level 2 assessment, I recommend validating your approach with a C3PAO or an experienced advisor. Then, run this evidence capture monthly so assessment week feels boring, in the best way.