Understanding BitLocker Management

Initial BitLocker Status and Device Details Data Collection

Following agent installation, the BitLocker component will be installed immediately. This contains the binaries to perform the functions of the BitLocker module in the agent. The Endpoint Central agent will then scan and display the encryption status of all internal drives within Managed Computers under the Insights section of the BitLocker Management module.

Below are certain limitation scenarios regarding external drive encryption and drives locked using third-party tools:

  • Encryption of external drives is not currently supported by Endpoint Central.
  • Drives locked by Windows Native BitLocker or other third-party encryption tools will be reported as decrypted and cannot be managed by Endpoint Central until unlocked with the recovery key. To manage device encryption through Endpoint Central, you must create and deploy the Endpoint Central BitLocker policy.

BitLocker Policy Deployment

Policy Deployment

After a BitLocker policy has been created, it can be deployed in the following two options:

  • Deploy Immediately option: The policy is immediately pushed to and applied on agent machines that are currently online. For large CGs (over 200 machines), the policy is applied to 200 machines initially, with the rest following in the next refresh cycle.
  • Deploy option: The policy is scheduled for the next 90-minute refresh cycle.

According to the encryption or decryption policy implemented, the devices will undergo encryption or decryption. The policy deployment status can be viewed by delving into the applied policy.

Policy Enforcement in Agent

The agent will initiate BitLocker processes during its refresh cycle, and its execution (time taken for the operation to complete, speed of the operation, etc.) will depend on the performance of the individual machine. Drive encryption will only begin after the recovery key has been successfully stored on the server. In case of encryption failure, refer to the Encryption Pre-Requisites section to check that all the pre-requisites for encryption are met.

The following outlines the effect of the policy on non-TPM machines, and the effects of policy modifications, policy deletions, and policy conflict precedence:

  • Effect on non-TPM Machines

    For non-TPM machines, encryption can happen only by providing a passphrase: the agent shows a password prompt to the end user, and encryption is initiated only after the password has been provided. To list the devices without TPM, navigate to BitLocker Management -> Insights -> Managed Computers and filter by setting 'Unavailable' for TPM Availability. Additionally, a single policy is sufficient to configure the encryption setting for both TPM and non-TPM machines.

  • Effect of Modifications to BitLocker Policy

    Any change to the encryption settings makes the edited policy differ from the policy already applied. This causes all the machines under the policy to decrypt themselves and re-encrypt with the new settings. If the changes are only to the advanced settings, such as recovery key rotation or backup to the domain controller, those settings alone are applied, without decryption and re-encryption of the devices.

  • Effect of Deletion of BitLocker Policy

    In the case of a policy being deleted, dissociated or the machine being removed from the Scope of Management (SoM), the encryption of the drives will still be intact. To decrypt the drives, a decryption policy has to be deployed.

  • BitLocker Policy Conflict Precedence

    When multiple BitLocker policies are deployed to the same endpoint, the latest deployed policy will take effect. You can check the policy which is currently active under the Managed Systems section by drilling down into the system's view.

Recovery Key Storage

The recovery key will be created and updated on the server before encryption. The encryption will begin only after the server acknowledges that the recovery key is updated safely in the server. Endpoint Central also supports updating the recovery key to Active Directory and Azure AD as well.

Even after a computer is removed from the SoM, or becomes an unmanaged computer under a limited license, its recovery key is retained on the server for up to one year if the Recovery Key Retention option is enabled under the Retrieve Recovery Key section. If that option is disabled, the recovery key(s) of the removed computers are discarded after 30 days. Because of the sensitive nature of the key, any technician accessing a recovery key has the action captured in the Action Log Viewer.

If the Periodic Rotation of the Recovery Keys option is enabled in a policy, the recovery keys for those machines will be updated with new ones after the set period in the agent and will be uploaded to the server during the next refresh cycle. This will be done at the specified regular intervals for enhanced security. Also, if a recovery key has been accessed, it will be changed in the agent in the next reboot of the machine.
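The ordering described in the Policy Enforcement and Recovery Key Storage sections (create the recovery key, confirm it is stored safely, and only then start encrypting, with one code path serving TPM and non-TPM machines) can be reproduced on a single drive with the Windows BitLocker cmdlets. The script below is an added example and is not the Endpoint Central agent's code: it assumes an elevated session on Windows 10/11 with the BitLocker and TrustedPlatformModule modules available, uses Active Directory or Azure AD as the escrow target in place of the Endpoint Central server, and `Start-EscrowedEncryption` is an illustrative name rather than a built-in cmdlet.

```powershell
# Added example (not Endpoint Central's agent code). Enforces the agent's
# ordering on one volume: recovery password first, escrow it, and only start
# encryption once escrow succeeded. Protector choice follows TPM availability,
# so the same function covers TPM and non-TPM machines.
function Start-EscrowedEncryption {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # AD / Azure AD stand in for the Endpoint Central server as the escrow target.
        [ValidateSet('AD', 'AzureAD')][string]$EscrowTarget = 'AD'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        # A drive locked by another tool cannot be encrypted by this policy;
        # it must be unlocked with its own recovery key first.
        throw "$MountPoint is locked; unlock it with its recovery key before applying the policy."
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # 1. Recovery password first: the 48-digit numerical password protector is the recovery key.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]

    # 2. Escrow it. If escrow fails, drop the protector again and do not encrypt.
    try {
        if ($EscrowTarget -eq 'AD') {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
        } else {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
        }
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        throw "Recovery key for $MountPoint was not escrowed to $EscrowTarget ($_); encryption not started."
    }
    Write-Verbose "Recovery key protector $($rp.KeyProtectorId) escrowed to $EscrowTarget."

    # 3. Only now start encryption. TPM-only when a ready TPM exists; otherwise the
    #    user must supply a passphrase before encryption begins.
    $common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'; UsedSpaceOnly = $true; SkipHardwareTest = $true }
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        Enable-BitLocker @common -TpmProtector
    } else {
        # Non-TPM OS drives also require the "Allow BitLocker without a compatible TPM" policy setting.
        $pw = Read-Host -Prompt 'No usable TPM found; enter the BitLocker passphrase' -AsSecureString
        Enable-BitLocker @common -PasswordProtector -Password $pw
    }
}

# Usage (elevated): Start-EscrowedEncryption -MountPoint 'C:' -EscrowTarget AD -Verbose
```

The important design point is that the recovery password is created and escrowed before `Enable-BitLocker` is ever called; if escrow fails, the protector is removed and the drive stays decrypted rather than being encrypted with a recovery key nobody holds.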

Resetting BitLocker Password

The encryption key, such as the PIN, password, or passphrase, can be reset by logging in using the recovery key. In the cases where the end user forgets the encryption key, it is best to provide them with the recovery key. Upon login using the recovery key, the user will be presented with a prompt to reconfigure or modify their password or PIN.

Keywords in BitLocker Reports

BitLocker Report Keywords

  • Drive Type: Indicates whether the drive is an "OS drive" or "Data drive".
  • Encryption Status: Shows the encryption status of the drives and their percentage.
  • Protection Status: The protection status indicates whether BitLocker is currently active. When the status is shown as Enabled, BitLocker is active. If it is shown as Disabled, BitLocker is not active: the drive may be decrypted, or its protection may be suspended or paused. If a fully encrypted drive shows "Disabled", BitLocker is in a suspended state. The Endpoint Central BitLocker module does not suspend BitLocker encryption. Possible causes for this suspension could be:
    • The Windows Device Encryption feature, which automatically encrypts the drive on a fresh OS installation and remains suspended until the recovery key is backed up.
    • The encryption might have been manually suspended.
    • A third-party software related to BitLocker could have caused the suspension.

    Deploying the encryption policy through Endpoint Central will re-enable BitLocker protection.

  • Auto Unlock: This feature automatically unlocks the data drives once the OS drive is unlocked during login. As a result, those drives appear as if they are unlocked. This is the default behavior of BitLocker. Only data drives will have this option enabled.
  • Encryption Method: The algorithm used for encryption.
  • Encryption Level: If the encryption level is shown as Full Space Encrypted, it conveys that all portions of the drive are encrypted. If it is shown as Used Space Encrypted, only used portions of the drives are encrypted. New contents will be automatically encrypted when added.
  • Lock Status: Indicates whether the drive is locked or unlocked. Typically, it remains unlocked unless manually locked or due to manual interruptions. For example, when a BitLocker encrypted system is powered off, the drives are locked. Upon powering on, the drives become unlocked. During this scenario, the status cannot be updated in the server console as the machine is powered off. Therefore, the status mostly remains unlocked in the server console. If the drive is already locked when Endpoint Central's BitLocker policy is applied, the drive cannot be encrypted.
  • Drive Size: The size of the drive.
  • Protector: A protector is a key that allows access to encrypted data on a Windows device. Each drive also has a numerical password protector, which serves as the Recovery Key. Additionally, the data drives have an 'external key' for auto unlock purposes. Below are the various protectors applied to the drive for the policy:
    1. TPM Only: Trusted Platform Module
    2. TPM and PIN: TPM+PIN
    3. TPM and Enhanced PIN: TPM+PIN

      Note: Both TPM+Enhanced PIN and TPM+PIN will display the protector as TPM+PIN only. This is because the BitLocker feature only includes the TPM+PIN protector, and TPM+Enhanced PIN is an extension of the TPM+PIN protector.

    4. Passphrase: Passphrase
  • Recovery Key Identifier: The identifier for the recovery key associated with a drive.
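
The report keywords above map onto the fields that the Windows `Get-BitLockerVolume` cmdlet returns, which is also how the initial status collection described at the top of this page can be reproduced by hand. The function below is an added example, not the Endpoint Central agent's code: `ConvertTo-BitLockerReportRow` is an illustrative name, the two sample volumes are constructed (shaped like `Get-BitLockerVolume` output, with placeholder GUIDs) so the mapping runs without BitLocker present, and Encryption Level is left out because `Get-BitLockerVolume` does not expose used-space versus full-space encryption.

```powershell
# Added example (not Endpoint Central's agent code): translate Get-BitLockerVolume
# fields into the BitLocker report keywords, including the "fully encrypted but
# Disabled = suspended" case and the TPM+PIN / TPM+Enhanced PIN collapse.
function ConvertTo-BitLockerReportRow {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        $isOs = $Volume.VolumeType -eq 'OperatingSystem'

        # Protection Status keyword. A fully encrypted drive with protection Off is
        # suspended (Endpoint Central itself never suspends BitLocker).
        if ($Volume.ProtectionStatus -eq 'On') { $prot = 'Enabled' }
        elseif ($Volume.VolumeStatus -eq 'FullyEncrypted') { $prot = 'Disabled (suspended)' }
        else { $prot = 'Disabled' }

        # Authentication protectors as the report names them. Windows has no separate
        # enhanced-PIN protector type, so TpmPin stands for both PIN variants.
        $names = foreach ($t in $Volume.KeyProtector.KeyProtectorType) {
            switch ($t) {
                'Tpm'              { 'TPM Only' }
                'TpmPin'           { 'TPM+PIN' }
                'Password'         { 'Passphrase' }
                'RecoveryPassword' { }   # reported separately as the Recovery Key Identifier
                'ExternalKey'      { }   # auto-unlock key on data drives, not a user protector
                default            { $t }
            }
        }
        $rp = $Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

        $driveType  = if ($isOs) { 'OS drive' } else { 'Data drive' }
        $autoUnlock = if ($isOs) { 'n/a' } else { [bool]$Volume.AutoUnlockEnabled }

        [pscustomobject]@{
            Drive                     = $Volume.MountPoint
            'Drive Type'              = $driveType
            'Encryption Status'       = "$($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)%)"
            'Protection Status'       = $prot
            'Auto Unlock'             = $autoUnlock
            'Encryption Method'       = $Volume.EncryptionMethod
            'Lock Status'             = $Volume.LockStatus
            'Drive Size (GB)'         = $Volume.CapacityGB
            'Protector'               = ($names -join ', ')
            'Recovery Key Identifier' = ($rp.KeyProtectorId -join ', ')
        }
    }
}

# Constructed sample volumes so the mapping can be exercised offline. On a managed
# Windows machine run instead:
#   Get-BitLockerVolume | ConvertTo-BitLockerReportRow | Format-Table -AutoSize
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        EncryptionPercentage = 100; ProtectionStatus = 'Off'; EncryptionMethod = 'XtsAes256'
        LockStatus = 'Unlocked'; AutoUnlockEnabled = $null; CapacityGB = 475.7
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin';           KeyProtectorId = '{00000000-0000-0000-0000-000000000001}' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{00000000-0000-0000-0000-000000000002}' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'EncryptionInProgress'
        EncryptionPercentage = 42; ProtectionStatus = 'On'; EncryptionMethod = 'XtsAes256'
        LockStatus = 'Unlocked'; AutoUnlockEnabled = $true; CapacityGB = 931.5
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'ExternalKey';      KeyProtectorId = '{00000000-0000-0000-0000-000000000003}' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{00000000-0000-0000-0000-000000000004}' })
    }
)
$sample | ConvertTo-BitLockerReportRow | Format-List
```

With the constructed input, C: comes out as an OS drive that is fully encrypted yet "Disabled (suspended)" with protector TPM+PIN, and D: as a data drive mid-encryption with Auto Unlock on and no user protector of its own, which is exactly the pair of cases the Protection Status and Auto Unlock keywords describe.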