Endpoint Central's BitLocker add-on includes out-of-box features that enable the IT administrator to monitor the BitLocker encryption status as well as implement configurations that automate the process. At all times, the IT admin gains optimal visibility and management control over the network, and BitLocker's encryption status and progress.
Endpoint Central's robust BitLocker module enables numerous granular settings that are classified into the following categories:
Scan of computers - All computers are scanned to determine their current BitLocker encryption status and drive details. The first scan occurs immediately after the agent is installed. Thereafter, scans are conducted on a consistent basis to detect new computers as well as changes in the drive status and encryption progress.
Within the status report, these BitLocker details are included:
Volume details - Provides details about the computer volumes including name and identification number.
Protection Status - Indicates whether the drive is protected through BitLocker encryption.
Lock Status - Displays whether the drive is locked or unlocked.
Encryption method - Out of the various encryption methods, such as AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128, one will be selected and utilized by Microsoft's native BitLocker feature by default.
Drive Type - Indicates whether the drive(s) selected for encryption are OS drives, data drives, or both.
Protector - Displays the current protection method: solely TPM, TPM and Passphrase, or just a Passphrase, or a Numerical password.
Auto lock - Indicates whether the drive is auto-locked or not. For additional safety, the drive can be auto-locked only if the OS volume is encrypted.
Auto Unlock - Displays whether Auto Unlock is disabled or enabled.
Percentage Converted - Displays the encryption progress status.
Volume Status - Displays the encryption status of the volumes as Fully Encrypted Computers, Fully Decrypted Computers and Partially encrypted Computers.
Drive Size - Displays the size of the selected drive.
BitLocker Version - Indicates the specific version of the BitLocker feature.
The Trusted Platform Module (TPM) is a chip inserted in the motherboard during the manufacturing process of a computer to provide hardware-level drive security. A TPM chip essentially generates a set of cryptographic keys that are specific to its host system. Part of the keys are then stored in the TPM, while the remaining keys are stored in the hard disk of the corresponding system. In the authentication phase, the contents of the drive can be accessed only when the key pairs match. If a user attempts to access the hard drive from another computer, the contents will remain encrypted.
During the scan, pertinent TPM details for each computer are collected. The resulting TPM report includes the following:
TPM Availability of computers - Details the specific system requirements necessary for each computer to support a TPM chip. After the scan, the numbers of computers with and without the TPM chip installed will be displayed.
Enabling TPM - To leverage the benefits of TPM, the chip must be enabled at the hardware/BIOS level. Whether it is enabled or disabled in each endpoint is shown in this TPM report.
Activating TPM - The TPM, in addition to being enabled, needs to be activated, i.e. made functional at the OS level. Whether the TPM is activated or deactivated is provided in the TPM report.
Owned - The IT admin must have ownership privileges to govern the various operations of the TPM. This report displays whether it is owned.
Manufacturer details - This displays the name of the TPM chip manufacturer
Scans of your managed systems should be conducted periodically. Scan results can be analyzed to gain insights about the type of policies to enact to encrypt and secure your drives. Various setting options within BitLocker policies can be configured to address your organization's encryption needs.
Enable or disable BitLocker - BitLocker can be enabled or disabled at point in time.
Encryption policy - To create an encryption policy, the IT admin has to select the Drive encryption setting. There are three encryption settings: Drive encryption, Encrypt OS drives only, and Encrypt used space only. If only the Enable drive encryption option is enabled, then by default all drives of the managed systems associated with this policy will be fully encrypted.
Decryption policy - To create a decryption policy, the setting Drive Encryption has to be disabled. This will ensure that all drives associated with this policy will be decrypted.
Encrypting specific drives - If the enable option is chosen, then the IT admin can select specific drives (an OS drive, or a data drive) to be encrypted, based on where critical information is stored.
Encryption of only OS drive - For efficiency or specific network requirements, if critical data is only stored in the OS drive, then only that drive can be encrypted.
Full volume or used volume encryption - The IT admin can choose to have the full volume encrypted for added safety, or just the used volume, because it conserves time and space. For the used volume option, encryption will be continuously carried out as data is added.
TPM works well in conjunction with additional protectors for authentication. Accessing a TPM and password protected system also requires the physical presence of the user. This prevents remote unauthorized breaches. If a computer does not have TPM available, these protectors can be used to safeguard the drives instead.
PIN or passphrase - A PIN or passphrase can be used in conjunction with TPM. If TPM is unavailable for a particular endpoint, a passphrase authentication measure can be implemented as an alternative protector.
Recovery key update - While configuring the BitLocker drive encryption settings, a recovery key will be generated in case the drive is not accessible. With this option, the IT admin can ensure that the recovery key is not made visible to the user, but is updated directly to the Active Directory (AD).
Rotation interval for new recovery key update - The IT admin can specify that after a designated time interval, a new recovery key will automatically and silently replace the existing recovery key.
The recovery key will be automatically generated during the BitLocker configuration process, and for domain users, it can be backed up in the AD. The recovery key is used when, for example, a user forgets their password, or a hardware failure renders a drive inaccessible. The 48-digit recovery key can be obtained, and used to access the contents of the drive again.
Finding recovery key identifier - The recovery key identifier can be utilized to find the recovery key for a particular computer. The recovery key identifier can be found by the admin within the console in the Managed systems section under the summary for the particular computer.
Retrieving recovery key - The recovery key can be obtained from the domain controller/active directory by entering the recovery key identifier in the console within the Retrieve recovery key section. Once that recovery key is used, it should be replaced with a new recovery key. For details on how to use the identifier to find the recovery key, visit here.
Association and deployment - BitLocker encryption policies can be associated with an individual computer, or a group of specific target computers based on operating systems, departments, roles, the type of information that is stored, etc. For more information on how to create a custom group, refer to this page.
BitLocker encryption status count - To easily track the encryption status of the computers within the network, the number of managed systems is divided into these categories: Fully encrypted, Fully decrypted, or Partially encrypted computers.
Graphics for easy analysis of computer status - Infographics depict which computers have policies, and what types of settings are applied. Graphs display the following: TPM Availability of computers, Drives by Encryption method, and Drives by Authentication method.
Numerous settings for BitLocker encryption can be configured for all computers in the network from a centralized console. Easily and effectively safeguard your network data through drive encryption by leveraging the BitLocker add-on for Endpoint Central.
Download a 30-day free trial and try it out for yourself!
For more information on the new Endpoint Security suite products including BitLocker Management, refer here.