BitLocker encryption explained

What is BitLocker encryption?

BitLocker encryption is a security feature available in Windows operating systems designed to encrypt the entire contents of a disk drive. This encryption helps protect data stored on the drive from unauthorized access, particularly if the device is lost or stolen.

How does BitLocker encryption work?

BitLocker employs robust encryption algorithms to ensure data security and typically requires authentication, such as a password, PIN, or USB key, to grant access to the encrypted drive. Utilizing either 128-bit or 256-bit keys, BitLocker employs the Advanced Encryption Standard (AES), recognized as one of the most secure encryption algorithms available. This process converts data into an unreadable format, requiring a specific key for decryption, which can be unlocked by the user's password or a smart card.

How to enable BitLocker encryption

You can use the following methods to enable BitLocker encryption in Windows 10, Windows 11, and all other Windows operating systems:

1. Through Windows Command Prompt
2. Through Windows GUI mode

1) Enable BitLocker encryption through Windows Command Prompt

To enable BitLocker encryption using command line, ensure that you are logged in with the administrator account. Follow the steps given below to enable BitLocker encryption using Command Prompt.

• Open Command Prompt in Administrator mode.
• To check the status of BitLocker encryption in the system, execute the command given below.

  manage-bde -status

• Ensure that the results for the required drives(C:, D:, etc.) are as follows.

  Conversion Status: Fully Encrypted

  Percentage Encrypted: 100.0%

  

• If the result is Percentage Encrypted: 0.0%, encrypt the BitLocker for the required drives using the command given below.

  manage-bde -on <drive letter>:

  For example: manage-bde -on D:

  

• Check the BitLocker status after disabling using the command (manage-bde -status) and ensure that it is Percentage Encrypted: 100.0%.
• Restart your computer before proceeding with the image creation process.

2) Enable BitLocker encryption through Windows GUI mode

To enable bitlocker using Windows GUI mode, ensure that you have administrator credentials to enable BitLocker encryption. Follow the steps given below to enable BitLocker encryption in GUI mode.

• Click Start > Control Panel > System and Security > BitLocker Drive Encryption.

  

• Look for the drive on which you want BitLocker Drive Encryption turned on, and click Turn on BitLocker.

  

• A message will display stating that the drive will be encrypted and that encryption may take some time. Click Turn on Bitlocker / Encrypt the drive to continue and turn on BitLocker on the drive.
• Restart your computer before proceeding with the image creation process.

How to ensure if the BitLocker encryption is enabled

You can verify whether BitLocker encryption is enabled by checking for the BitLocker lock icon on the specific drive and accessing the drive. You can follow the same steps to enable BitLocker encryption on other drives.

BitLocker encryption reports in ADManager Plus

In ADManager Plus, BitLocker encryption reports typically provide insights into the status of BitLocker encryption across devices in the AD environment. Administrators can utilize these reports to monitor and manage BitLocker encryption effectively, ensuring data security and compliance with organizational policies.

1. BitLocker Recovery Keys report

   The BitLocker Recovery Keys report fetches GUIDs and their associated recovery passwords for encrypted drives. These passwords serve to regain access to a drive that encounters decryption failures.

   

2. BitLocker Enabled Computers report

   The BitLocker Enabled Computers report offers a comprehensive list of all computers where BitLocker encryption is enabled, allowing administrators to monitor and manage encryption status effectively. Further, filter your search to specifically display BitLocker-enabled computers from a specific domain or from particular OUs within a domain.

   

   Note: These reports will be generated only for organizations that have deployed BitLocker drive encryption and chosen to back up the BitLocker recovery data to Active Directory.

3. BitLocker Disabled Computers report

   The BitLocker Disabled Computers report lists all the computers within the organization that lack BitLocker keys. Refine your search to view a list of all computers with BitLocker disabled from a specific domain or specific OUs within a domain.