Any changes to encryption settings create a difference between the new policy and the old policy. This causes all machines under the policy to decrypt and re-encrypt with the new settings. Changes only to advanced settings, such as recovery key rotation or backup in the domain controller, are applied without decryption and re-encryption.
When TPM is not detected, the Endpoint Central agent assumes no TPM and applies encryption settings for machines without TPM. When the failure is resolved and TPM is detected, the machine is decrypted and encryption settings for TPM machines are applied.
For non-TPM machines, encryption requires a passphrase. Encryption begins only after the passphrase is provided.
A single policy is sufficient for both TPM and non-TPM machines.
The policy is removed from the machines but encryption remains. Machines are not decrypted on policy removal.
The last deployed policy takes effect. The active policy can be checked in the managed systems view.
If the new policy’s encryption settings differ from the current settings, the new policy is enforced.
BitLocker enforces encryption status changes only on machines where a BitLocker policy is applied.
The policy is revoked but encryption stays. The machine is not decrypted.
To remove a fully decrypted computer and prevent encryption prompts:
Encrypted data drives are decrypted. The computer remains partially encrypted.
Modifying encryption settings triggers re-encryption of the drives.
Endpoint Central will not encrypt drives without a deployed policy. Full encryption can occur due to:
Yes. Log in with the recovery key. After login, the user is prompted to reconfigure or modify the password or PIN.
The agent initiates BitLocker processes during its refresh cycle. Execution time depends on the machine. Encryption begins only after the recovery key is successfully stored on the server.
No. BitLocker can be enabled and policies deployed at any time.
When a drive is in suspend protection mode it is encrypted but not protected. To check, open the Endpoint Central web console, navigate to BitLocker management, find the computer under Managed Computers, and check whether Protection Status is "Disabled".
If the user manually protects data drives and a BitLocker policy is later deployed, the protector changes to "Auto Unlock".
No. A restart is not required. Once the policy is deployed, encryption begins immediately in the background.
Applying both simultaneously may cause conflicts. It is not recommended.
BitLocker supports Windows 7 and above.
Encryption of portable drives is not supported by Endpoint Central's BitLocker Management.
The current status updates during the refresh cycle. On-demand status can be obtained by navigating to Insights → Managed Systems and clicking "Update Now".
Note: Agent-server communication is required for timely data updates. Interruptions can delay updates.
Possible reasons:
Contact support for assistance if these issues occur.
If the "Encrypt OS Drive Only" option is selected during policy creation, the encryption status is shown as "Partially Encrypted".
Protection status indicates whether BitLocker is active. If it shows "Disabled" while fully encrypted, BitLocker is suspended. Endpoint Central does not suspend BitLocker. Possible causes include:
Deploying the encryption policy through Endpoint Central re-enables BitLocker protection.
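The suspended-protection state and the "Partially Encrypted" status described above can also be verified locally on a managed machine. The script below is an added example, not Endpoint Central's own code; it uses only the built-in BitLocker and TrustedPlatformModule PowerShell modules, and the function name and the `-ResumeSuspended` switch are my own. Note that the cmdlets report protection as `Off` where the console shows "Disabled". Run it in an elevated session; by default it only reports, and resumes protection only when the switch is given.

```powershell
# Added example (not Endpoint Central code): local BitLocker state check that
# mirrors what the console reports, built on the BitLocker and TPM modules.
#Requires -RunAsAdministrator

function Get-BitLockerHealthReport {
    [CmdletBinding()]
    param(
        # Resume protection on volumes found suspended. Off by default: report only.
        [switch]$ResumeSuspended
    )

    # TPM presence decides which policy branch (TPM / non-TPM) applies.
    $tpm = Get-Tpm
    $tpmState = if ($tpm.TpmPresent -and $tpm.TpmReady) { 'Present and ready' }
                elseif ($tpm.TpmPresent) { 'Present, not ready' }
                else { 'Not detected (non-TPM settings apply)' }

    $report = foreach ($vol in Get-BitLockerVolume) {
        # Suspended: the drive is fully encrypted, yet no protector is enforced.
        $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'Off')

        # Recovery password protectors are the ones escrowed to the server / AD.
        $recoveryIds = @($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object -ExpandProperty KeyProtectorId)

        if ($suspended -and $ResumeSuspended) {
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }

        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            VolumeType         = $vol.VolumeType
            VolumeStatus       = $vol.VolumeStatus
            EncryptionPercent  = $vol.EncryptionPercentage
            ProtectionStatus   = $vol.ProtectionStatus
            Suspended          = $suspended
            RecoveryProtectors = $recoveryIds.Count
            Protectors         = ($vol.KeyProtector.KeyProtectorType -join ',')
        }
    }

    # Console-style overall status: OS drive encrypted but a data drive not
    # encrypted is what the FAQ calls "Partially Encrypted".
    $osEncrypted = $report | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and $_.VolumeStatus -eq 'FullyEncrypted' }
    $dataNotEncrypted = $report | Where-Object {
        $_.VolumeType -eq 'Data' -and $_.VolumeStatus -ne 'FullyEncrypted' }
    $overall = if (-not $osEncrypted) { 'Not encrypted' }
               elseif ($dataNotEncrypted) { 'Partially encrypted' }
               else { 'Fully encrypted' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Tpm            = $tpmState
        OverallStatus  = $overall
        SuspendedCount = @($report | Where-Object Suspended).Count
        Volumes        = $report
    }
}

# Usage: report only. Add -ResumeSuspended to re-enable protection locally.
$result = Get-BitLockerHealthReport
$result | Select-Object Computer, Tpm, OverallStatus, SuspendedCount | Format-List
$result.Volumes | Format-Table -AutoSize
```

A `SuspendedCount` above zero is the local equivalent of the console showing "Disabled" on a fully encrypted drive; a volume with zero `RecoveryProtectors` has no recovery password to escrow, which is worth checking before expecting the server or AD to hold one.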
If the domain controller is unreachable or permissions prevent updates, the recovery key cannot be stored there.
Yes. BitLocker encrypts drives even if domain controller sync does not occur.
Yes. The Central Server manages all recovery passwords.
Configure a scheduled database backup stored in a safe path. Recovery keys can be retrieved from the backup files.
If AD is unreachable, ManageEngine BitLocker retries updating the Recovery Key up to five times per day during its refresh cycle until AD becomes reachable.