Following agent installation, the BitLocker component will be installed immediately. This contains the binaries to perform the functions of the BitLocker module in the agent. The Endpoint Central agent will then scan and display the encryption status of all internal drives within Managed Computers under the Insights section of the BitLocker Management module.
Below are certain limitation scenarios regarding external drive encryption and drives locked using third-party tools:
After a BitLocker policy has been created, it can be deployed in one of the following two ways:
According to the encryption or decryption policy applied, the devices will undergo encryption or decryption. The policy deployment status can be viewed by drilling down into the applied policy.
The agent will initiate BitLocker processes during its refresh cycle, and its execution (time taken for the operation to complete, speed of the operation, etc.) will depend on the performance of the individual machine. Drive encryption will only begin after the recovery key is successfully stored on the server. In case of encryption failure, refer to the Encryption Pre-Requisites section to check whether all the pre-requisites for encryption are met.
The following outlines the behaviour on non-TPM machines, policy modifications, policy deletions, and policy conflict precedence:
For non-TPM machines, encryption can only happen after a passphrase is provided: the agent shows a password prompt to the end user, and encryption is initiated only after the password is entered. To list the devices without TPM, navigate to BitLocker Management -> Insights -> Managed Computers and filter by setting 'Unavailable' for TPM Availability. Additionally, a single policy is sufficient to configure the encryption setting for both TPM and non-TPM machines.
Any changes made to the encryption settings will create a difference between the edited policy and the old policy. This will cause all the machines under the policy to decrypt themselves and re-encrypt with the new settings. If the changes are only to the advanced settings, like recovery key rotation or backup in the domain controller, then the settings alone are applied without decryption and re-encryption of the devices.
In the case of a policy being deleted, dissociated or the machine being removed from the Scope of Management (SoM), the encryption of the drives will still be intact. To decrypt the drives, a decryption policy has to be deployed.
When multiple BitLocker policies are deployed to the same endpoint, the latest deployed policy will take effect. You can check the policy which is currently active under the Managed Systems section by drilling down into the system's view.
The recovery key will be created and updated on the server before encryption. Encryption will begin only after the server acknowledges that the recovery key has been stored safely. Endpoint Central also supports backing up the recovery key to Active Directory and Azure AD.
Even after a computer is removed from the SoM, or becomes an unmanaged computer under a limited license, the recovery key will be retained on the server for up to one year if the Recovery Key Retention option is enabled under the Retrieve Recovery Key section. If the option is disabled, the recovery key(s) of the removed computers will be discarded after 30 days. Because of the sensitive nature of the key, any technician accessing a recovery key will have their actions captured in the Action Log Viewer.
If the Periodic Rotation of the Recovery Keys option is enabled in a policy, the agent will replace the recovery keys of those machines with new ones after the set period and upload them to the server during the next refresh cycle. This is repeated at the specified regular intervals for enhanced security. Also, if a recovery key has been accessed, the agent will change it on the next reboot of the machine.
The encryption key, such as the PIN, password, or passphrase, can be reset by logging in using the recovery key. In the cases where the end user forgets the encryption key, it is best to provide them with the recovery key. Upon login using the recovery key, the user will be presented with a prompt to reconfigure or modify their password or PIN.
Deploying the encryption policy through Endpoint Central will re-enable BitLocker protection.
Note: Both TPM+Enhanced PIN and TPM+PIN will display the protector as TPM+PIN only. This is because the BitLocker feature only includes the TPM+PIN protector, and TPM+Enhanced PIN is an extension of the TPM+PIN protector.
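An added PowerShell example, not from Endpoint Central's documentation or agent, that audits on a single endpoint the facts described above: TPM availability (the non-TPM passphrase case), each volume's encryption and protection state, the protector types as Windows reports them (TPM+PIN and TPM+Enhanced PIN both show as TpmPin), and whether a recovery password protector exists to escrow. The Backup-RecoveryPasswordToAD function and its AD DS assumption are the example's own, not the product's.

```powershell
# Added example (not part of Endpoint Central): audit a Windows endpoint's
# BitLocker state with the built-in BitLocker and TrustedPlatformModule modules.
# Assumes: run elevated on Windows 10/11 or Server with the BitLocker feature.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    # TPM availability decides whether a policy can use TPM-based protectors
    # or must fall back to a passphrase prompt (the non-TPM case).
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmAvailable = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    foreach ($vol in Get-BitLockerVolume) {
        # Protector names as Windows reports them; both TPM+PIN and
        # TPM+Enhanced PIN appear as 'TpmPin'.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            TpmAvailable        = $tpmAvailable
            VolumeStatus        = $vol.VolumeStatus.ToString()
            ProtectionStatus    = $vol.ProtectionStatus.ToString()
            EncryptionPercent   = $vol.EncryptionPercentage
            Protectors          = ($types -join ',')
            # A recovery password protector must exist before the key
            # can be escrowed (management server, AD DS or Azure AD).
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

function Backup-RecoveryPasswordToAD {
    # Escrow every RecoveryPassword protector on a mount point to AD DS;
    # only meaningful on a domain-joined machine (assumption of this example).
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "Escrowed protector $($kp.KeyProtectorId) for $MountPoint to AD DS"
    }
}

# Report one row per internal volume; a volume with no RecoveryPassword
# protector should not be expected to encrypt under a key-escrow policy.
Get-BitLockerAudit | Format-Table -AutoSize
```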