-
Why is the recovery key not synced in domain controller even though the option to update in domain controller is enabled?
If the domain controller is not reachable or if the domain admin access permissions do not allow recovery key information to be updated in the domain controller, then the recovery key cannot be stored there.
-
Will BitLocker encrypt the managed machines in my domain even if the recovery key information is not synced in the domain controller?
Yes, as per the current policy flow, BitLocker will encrypt the drives even if a domain controller sync does not occur.
-
Does the Central Server manage the recovery passwords of computers that are encrypted by software other than BitLocker management?
Yes, the Central Server manages all recovery passwords.
-
What will happen if I apply a new BitLocker encryption policy to machines which are already encrypted?
If the encryption settings in the new BitLocker policy is different from the currently existing encyrption settings of the machine, the newly deployed policy will be enforced.
-
I have encrypted my machines using startup keys or network unlock (separate from BitLocker). What will happen once I install the BitLocker management agent?
BitLocker will only enforce encryption status changes to the machines to which a BitLocker policy is applied.
-
What happens if multiple policies are applied to a single machine?
The configurations in the most recently associated policy will be applied to the machine.
-
When will the BitLocker encryption/decryption process begin?
The agent will initiate BitLocker processes during its refresh cycle and its execution (time taken for operation to complete, speed of the operation, etc) will be based on the individual machine.
-
Do all computers need to be restarted for encryption to begin?
No, only the OS versions below Windows 10 would require a restart.
-
Is there any active period for deployment/starting BitLocker?
No, BitLocker can be enabled and policies can be deployed at any time.
-
How do I retrieve the Recovery Key in the event of any hardware malfunctions within the server?
It is advised to configure a scheduled database (DB) backup that is stored in a safe path. The steps to configure the DB backup can be found here. Once that's done, the recovery keys of the drives can be found from the backed up DB files.
-
How can I find the current BitLocker status for each machine?
The current status of each machine will be updated during the refresh cycle. On-demand status can be obtained for a computer separately as well by navigating to Insights > Managed Systems > and clicking the 'Update Now' button.
Note: Agent-server communication is important for the data to be updated on time. If there is any interruption or temporary delay, then you might not see the updated data.
-
Why is my machine not listed under managed systems or included in the BitLocker report?
Possible reasons include:
- If the Endpoint Central agent is not available, a scan cannot be performed and the BitLocker data cannot be viewed.
- Agent-server communication is facing interruptions or blockage.
- If the Server is busy the scanned BitLocker data would be inserted in the queue. However, after a while it would be automatically updated and become visible.
- The Windows version is Windows 7 or below.
- BitLocker is disabled via GPO.
You can contact support for assistance if you are encountering these issues.
-
What versions of Windows does BitLocker support?
BitLocker supports Windows 7 and above.
-
Why is Endpoint Central unable to retrieve the recovery key?
- If the endpoint has been encrypted manually and the drive is locked, or if the endpoint is encrypted using a third-party software and the drive is locked, the recovery key cannot be retrieved by Endpoint Central.
- To check if the drive is locked, select the computer in 'Managed computers' and check the 'Lock status' of the drive.
- If the drives are not encrypted using Endpoint Central, unlocking the drive once with the password will enable Endpoint Central to store and retrieve the recovery key.
