Frequently Asked Questions (FAQ)

Any changes made to the encryption settings will create a difference between the new policy and the old policy. This will cause all the machines under the policy to decrypt themselves and re-encrypt with the new settings. If the changes are only to the advanced settings, like recovery key rotation or backup in the domain controller, then the settings alone are applied without decryption and re-encryption of the devices.

When TPM is not detected in a machine, the Endpoint Central agent assumes that the machine has no TPM and proceeds with the encryption setting configured for machines without TPM. When the hardware failure is resolved and TPM is detected by the Endpoint Central agent, then the machine is decrypted, and the encryption settings for machines with TPM are applied.
For non-TPM machines, encryption can happen only by providing a passphrase; we can see the password prompt that we show to the end-users. Only after the password is provided do we initiate the encryption.
Additionally, we would suggest that a single policy is sufficient to configure the encryption setting for both TPM and non-TPM machines.

The policy is removed from the machines to which it was deployed, but its encryption remains. We do not decrypt the machines on policy removal.

The last deployed policy takes effect for that endpoint. You can check what policy is currently active under the managed systems by drilling down into the system's view.

If the encryption settings in the new BitLocker policy is different from the currently existing encyrption settings of the machine, the newly deployed policy will be enforced.

BitLocker will only enforce encryption status changes to the machines to which a BitLocker policy is applied.

The policy from that machine will be revoked, but the encryption will stay. The machine won't be decrypted even if it is removed from a CG.

When the "Encrypt OS Drive Only" option is selected, any encrypted data drives will be decrypted. The encryption status of the computer will remain partially encrypted.

Modifying the "Encryption Settings" in a policy will trigger re-encryption of the drives.

Endpoint Central's BitLocker module will not encrypt drives unless the encryption policy is deployed. Drives may be fully encrypted due to:

• The Windows Device Encryption feature, which automatically encrypts drives during a fresh OS installation.
• Encryption initiated by third-party software.
• Encrypted manually.

• PIN: PIN authentication can contain only digits, and the maximum length is defined to be 6-20 characters (digits). The PIN must be provided upon boot.
• Enhanced PIN: Enhanced PIN authentication can be a combination of alphanumeric and special characters. The maximum length is defined as 6-20 characters and must be provided upon boot.
• Password: Password authentication can be a combination of alphanumeric and special characters. The minimum length is defined as 8 characters and must be provided upon boot.

The agent will initiate BitLocker processes during its refresh cycle, and its execution (time taken for the operation to complete, speed of the operation, etc) will be based on the individual machine. Drive encryption will only begin after the recovery key is successfully stored on the server.

No, BitLocker can be enabled and policies can be deployed at any time.

When a drive is in suspend protection mode, it's only encrypted, not protected. To check if a drive is in suspend protection, go to the Endpoint Central web console, navigate to BitLocker management, find the computer under Managed Computers, and verify if the Protection Status is "Disabled".

If the user manually protects data drives and a BLM policy is later deployed, the protector for the data drives will change to "Auto Unlock".

No, A system restart is not required for BitLocker encryption to take effect. Once the BitLocker encryption policy is deployed, encryption begins immediately. The process runs in the background without causing any interruptions.

Applying both Group Policy configurations and BitLocker policies simultaneously may cause conflicts. Therefore, it is not recommended to apply both together.

BitLocker supports Windows 7 and above.

The encryption of the portable drives is unsupported by Endpoint Central's BitLocker Management.

The current status of each machine will be updated during the refresh cycle. On-demand status can be obtained for a computer separately as well by navigating to Insights > Managed Systems > and clicking the 'Update Now' button.
Note: Agent-server communication is important for the data to be updated on time. If there is any interruption or temporary delay, then you might not see the updated data.

The possible reasons include:

• If the Endpoint Central agent is not available, a scan cannot be performed and the BitLocker data cannot be viewed.
• Agent-server communication is facing interruptions or blockage.
• If the Server is busy the scanned BitLocker data would be inserted in the queue. However, after a while it would be automatically updated and become visible.
• The Windows version is Windows 7 or below.
• BitLocker is disabled via GPO.

You can contact support for assistance if you are encountering these issues.

If the 'Encrypt OS Drive Only' option is selected during BitLocker policy creation, the encryption status of the devices will be indicated as 'Partially Encrypted'.

The protection status indicates whether BitLocker is currently active. If a fully encrypted drive shows "Disabled" for this status, it conveys that BitLocker is in a suspended state. The Endpoint Central BitLocker module does not suspend BitLocker encryption. Possible causes for this suspension could be:

• The Windows Device Encryption feature, which automatically encrypts the drive on a fresh OS installation and remains suspended until the recovery key is backed up.
• The encryption might have been manually suspended.
• A third-party software related to BitLocker could have caused the suspension.

Deploying the encryption policy through Endpoint Central will re-enable BitLocker protection.

If the domain controller is not reachable or if the domain admin access permissions do not allow recovery key information to be updated in the domain controller, then the recovery key cannot be stored there.

Yes, as per the current policy flow, BitLocker will encrypt the drives even if a domain controller sync does not occur.

Yes, the Central Server manages all recovery passwords.

It is advised to configure a scheduled database (DB) backup that is stored in a safe path. The steps to configure the DB backup can be found here. Once that's done, the recovery keys of the drives can be found from the backed up DB files.

If the Active Directory (AD) is unreachable, ManageEngine BitLocker will retry updating the Recovery Key. The agent will attempt to update the key up to five times per day during its refresh cycle, continuing this process until the AD becomes reachable again.

The drive might be corrupted or Windows OS is not providing accurate details, and hence, its Protection Status is shown as "Unknown". Deploying a decryption policy to the data drive can rectify this situation.