BitLocker Drive Encryption Management

To effectively secure digital data, it should be encrypted so that it is accessible only to authorized users. BitLocker is a native encryption tool available on certain Windows operating systems. Encrypting an individual Windows machine is easy; encrypting a large number of machines in accordance with the organization's policies is far more demanding. Endpoint Central enables IT admins to manage BitLocker encryption on Windows machines and to monitor the drive encryption status of all managed Windows systems across the network, so that BitLocker can be managed seamlessly across the enterprise.

By utilizing Endpoint Central's BitLocker management, IT admins can achieve the following:

  1. Centralized management - BitLocker drive encryption, Trusted Platform Module (TPM), and additional protector settings are managed from a single console for all computers within the network. Activities such as recovery key generation and maintenance can be automated for smooth operations.

  2. Deployment of granular policies - Numerous configurations enable the IT admin to create flexible policies to match their organization's encryption requirements. These policies are mapped to custom groups of targeted computers. These policies are lightweight, so they can be deployed quickly via secure agent-server communications.

  3. Extensive monitoring - Audit data is consistently collected and consolidated into detailed reports. Dashboard infographics also provide a quick summary of encryption policies as they are applied to computers in the network. These provisions offer enhanced visibility over the network, and enable the IT admin to easily analyze the BitLocker encryption statuses of all systems so that the data remains safeguarded.

This document explains the key features and prerequisites of BitLocker management:

Key features of the BitLocker management tool

Automated scanning and BitLocker encryption assessment

Endpoint Central automatically initiates periodic scans. Once a scan is completed, a comprehensive report of the BitLocker drive encryption settings applied on each computer is generated. The main details of the BitLocker reports are reflected in the dashboard through various illustrations that allow easy analysis. With these reports and data, IT admins can strategize how to manage BitLocker encryption in their network.

TPM analysis

Endpoint Central also scans each endpoint to check for the availability and status of a TPM. A TPM is a chip installed on the motherboard of some computers by the manufacturer. While BitLocker encryption provides software-level protection, the TPM provides hardware-level protection. After a scan, a detailed report on the TPM status of each computer is made available to the IT admin.

Flexible drive encryption options

On managed computers with BitLocker components enabled, both encryption and decryption policies can be easily constructed, deployed and modified. Endpoint Central's BitLocker management is equipped with granular settings so the IT admin can implement policies that satisfy both user requirements and the cybersecurity standards of the organization. IT admins can choose to enable full space encryption, the recommended option for optimal security. Alternatively, to save time, they can choose to encrypt only the OS drive and/or only the used disk space.

Multi-factor authentication

This BitLocker management software combines drive encryption and the TPM with other protection and authentication methods, such as a passphrase, for stronger assurance. While creating a policy in Endpoint Central, the IT admin can also choose to incorporate password protection along with the TPM as an added layer of security. If the computer does not have a TPM, BitLocker encryption can still be implemented, with a passphrase protection scheme enforced in place of the TPM.

Recovery key settings

The BitLocker recovery key is used to regain access to an encrypted drive. Once encryption is completed, BitLocker generates a recovery key, which can be used when a user forgets their password. It also comes in handy when a malfunction corrupts the hardware of a computer: if the hard disk of that computer can be salvaged, the IT admin can insert the disk into another computer and enter the recovery key to access its contents. In Endpoint Central, IT admins can configure settings during policy creation so that recovery keys are automatically renewed after a specified number of days. The existing recovery keys are silently replaced by new ones, and the IT admin can also choose to have these recovery keys automatically updated in the domain controller.
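As an added example (not Endpoint Central's own code), the PowerShell below performs a local version of the assessment described in the sections above: per-volume encryption status, key protector types (to tell TPM-only from TPM+PIN multi-factor), TPM readiness, and optional escrow of the recovery password in Active Directory. It assumes the built-in BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 and later) and an elevated session; the $BackupToAD switch is this script's own.

```powershell
# Added example, not Endpoint Central's code: local BitLocker/TPM assessment.
# Run elevated. -BackupToAD is an assumed switch defined by this script.
param([switch]$BackupToAD)

# TPM analysis: present, enabled, activated and owned are the states the
# prerequisites section asks for.
$tpm = Get-Tpm
$tpmReady = $tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmOwned

$report = foreach ($vol in Get-BitLockerVolume) {
    # Protector types on this volume (Tpm, TpmPin, Password, RecoveryPassword, ...)
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Escrow recovery passwords in Active Directory on request (the "update in
    # the domain controller" option described above). Requires a domain-joined host.
    if ($BackupToAD -and $recovery.Count -gt 0 -and $vol.ProtectionStatus -eq 'On') {
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        Drive          = $vol.MountPoint
        VolumeType     = $vol.VolumeType          # OperatingSystem / Data
        Status         = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        Percent        = $vol.EncryptionPercentage
        Protection     = $vol.ProtectionStatus    # On / Off
        Method         = $vol.EncryptionMethod    # e.g. XtsAes128, XtsAes256
        Protectors     = ($types -join ',')
        # TPM plus PIN (optionally plus startup key) is the multi-factor case.
        MultiFactor    = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        HasRecoveryKey = ($recovery.Count -gt 0)
        TpmReady       = $tpmReady
    }
}

$report | Format-Table -AutoSize
```

A volume with Protection = Off or no RecoveryPassword protector is the case the dashboard report is meant to surface, since such a drive either is not protected yet or cannot be recovered if the user forgets their PIN.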

BitLocker Prerequisites

BitLocker is supported in the following OS versions:

  • Ultimate and Enterprise editions of Windows Vista and Windows 7
  • Pro and Enterprise editions of Windows 8 and 8.1
  • Pro, Enterprise, and Education editions of Windows 10
  • Pro, Enterprise, and Education editions of Windows 11
  • Windows Server 2008 and later

How to enable BitLocker in Server OS?

BitLocker needs to be enabled on a Server OS to encrypt the machine and to store BitLocker recovery keys. Follow the steps below to enable BitLocker on a Server OS:

  • Open Server Manager and select the Add Roles and Features Wizard.
  • Follow the wizard's installation steps. Under Features, enable BitLocker Drive Encryption Administration Utilities and enable the two options present in its drop-down.
  • Proceed with the installation and reboot the server. After successful installation, a new tab labelled BitLocker Recovery will appear in Active Directory Users and Computers when you open a computer object.
  • Remove all GPO configurations related to BitLocker or encryption. Ensure that all such configurations are removed from the agent machine properly (for example, registry values created by the GPO).
  • For TPM-based encryption, BitLocker requires a UEFI BIOS configuration to encrypt the drives. The TPM must be enabled, owned and activated; if it is not, clear all the keys from the TPM to achieve this.
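An added example (not Endpoint Central's own code) that checks the prerequisites from the steps above on a Windows Server and installs the BitLocker feature together with its administration utilities; run it in an elevated PowerShell session on the server. The FVE policy key is the standard registry location for BitLocker group policy settings, and the feature names are the Server Manager equivalents of the wizard entries.

```powershell
#Requires -RunAsAdministrator
# Added example, not Endpoint Central's code: Server OS BitLocker prerequisites.

# 1. Firmware mode: TPM-based encryption needs UEFI ($env:firmware_type is
#    "UEFI" or "Legacy" on Windows 8 / Server 2012 and later).
if ($env:firmware_type -ne 'UEFI') {
    Write-Warning "Firmware is '$($env:firmware_type)'; TPM-based encryption requires UEFI."
}

# 2. The TPM must be enabled, owned and activated.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmOwned)) {
    Write-Warning ("TPM not ready: Present={0} Enabled={1} Activated={2} Owned={3}" -f
        $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmActivated, $tpm.TpmOwned)
}

# 3. Leftover BitLocker GPO settings live under the FVE policy key. Any value
#    still present means a GPO is pushing BitLocker configuration to this host
#    and will conflict with the policies deployed by the agent.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    $leftover = Get-ItemProperty -Path $fve | Select-Object -Property * -ExcludeProperty PS*
    if (($leftover.PSObject.Properties | Measure-Object).Count -gt 0) {
        Write-Warning "BitLocker policy values still present under $fve (remove the GPO first):"
        $leftover | Format-List
    }
}

# 4. Install BitLocker plus the administration utilities, i.e. the wizard's
#    "BitLocker Drive Encryption Administration Utilities" and its two sub-options
#    (the remote admin tool and the ADUC Recovery Password Viewer extension).
$features = 'BitLocker',
            'RSAT-Feature-Tools-BitLocker',
            'RSAT-Feature-Tools-BitLocker-RemoteAdminTool',
            'RSAT-Feature-Tools-BitLocker-BdeAducExt'
$result = Install-WindowsFeature -Name $features
$result | Format-Table -AutoSize

# The feature install needs a reboot before the BitLocker Recovery tab appears in ADUC.
if ($result.RestartNeeded -eq 'Yes') {
    Restart-Computer -Confirm
}
```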

Download a 30-day free trial and try it out for yourself!

Related documents

  1. How to find BitLocker recovery keys
  2. How to create a BitLocker management policy
  3. BitLocker overview
  4. Frequently asked questions
  5. Complete feature list

For more information on the new Endpoint Security suite products including BitLocker Management, refer here.