Are You Sure Your Devices Are Fully Encrypted with BitLocker?

BitLocker has long been the standard for disk encryption on devices running Microsoft Windows, particularly workstations and laptops. It protects data at rest by encrypting the entire volume on which the OS and user data are stored, so that even if someone physically steals or gains access to the computer, they cannot read the data on the encrypted drive without the appropriate key (the TPM-bound key at boot, or a recovery key).

It is commonplace these days for MSPs and IT admins to monitor BitLocker status on devices. While you may be sitting there confident your devices are fully encrypted, did you know most BitLocker status monitoring is done using the Get-BitLockerVolume PowerShell cmdlet?

What’s wrong with the Get-BitLockerVolume PowerShell cmdlet?

The issue is not so much the cmdlet itself as what most monitoring scripts read from it. On newer devices that support automatic device encryption, Windows starts encrypting the OS drive as part of system setup on first boot. If you sign in with a Microsoft account, a wizard guides you through the process and, of course, wants to back the recovery key up to that account. If you don’t do this, BitLocker sits in a “waiting for activation” state until a recovery key has been backed up: the volume is encrypted, but with a clear key rather than a TPM-bound one, so ProtectionStatus is Off and no recovery password key protector has been created yet. A check that only looks at VolumeStatus or EncryptionPercentage from Get-BitLockerVolume will therefore report the device as encrypted, even though the process has not fully completed and the data is not actually protected.


How can you be sure the BitLocker disk encryption process has completed successfully?

One way to verify that the device has actually finished the process is to check for a recovery password key protector on the OS volume. In the automatic device encryption flow, that protector is only created when activation completes, so its presence (together with ProtectionStatus showing On) tells you the drive is no longer sitting on a clear key.

To ensure you can confidently answer yes to the question “Are Your Devices Fully Encrypted with BitLocker?”, I’ve taken the BitLocker Status AMP—widely used by our N‑able partners—and updated it. Now, not only does it tell you if BitLocker is turned on, it also works out which drive is the system drive rather than assuming C:. On top of this, it retrieves the system drive’s recovery key so that you can confidently say the device is fully encrypted.

With the new BitLocker Status v2 monitoring, the check will show as failed if any of the following scenarios are true:

  • BitLocker is not enabled on the device
  • BitLocker is available but is “off” on at least one drive
  • The drive is (partially or fully) encrypted but no recovery key is present

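The checks above, written out as an added example. This is my own illustration, not the BitLocker Status v2 AMP and not code from the original post; the function name Test-BitLockerRollout, its output fields and the exit-code convention are assumptions. It assumes the BitLocker PowerShell module is present (Windows 10/11 Pro, Enterprise or Education) and that it runs in an elevated session.

```powershell
# Added example (not the N-able AMP): verify that BitLocker on the OS volume has
# actually completed, rather than trusting VolumeStatus alone.
# Assumes: BitLocker module present, elevated session, Windows 10/11.

function Test-BitLockerRollout {
    [CmdletBinding()]
    param(
        # Include the recovery password in the result so the RMM can escrow it.
        # Leave this off if the monitor output ends up in plain-text logs.
        [switch]$IncludeRecoveryPassword
    )

    # Don't assume C:; ask Windows which volume the OS lives on.
    $osDrive  = $env:SystemDrive      # e.g. "C:"
    $failures = @()

    try {
        $os = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Status = 'Failed'; SystemDrive = $osDrive
            RecoveryKeyId = $null; RecoveryPassword = $null
            Reasons = @("BitLocker is not available on this device: $($_.Exception.Message)")
        }
    }

    # 1. Is the volume fully encrypted (not in progress, not paused, not decrypted)?
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $failures += "$osDrive VolumeStatus is $($os.VolumeStatus) ($($os.EncryptionPercentage)% encrypted)"
    }

    # 2. Is protection on? FullyEncrypted + ProtectionStatus Off is the clear-key,
    #    "waiting for activation" state that a VolumeStatus-only check misses.
    if ($os.ProtectionStatus -ne 'On') {
        $failures += "$osDrive ProtectionStatus is $($os.ProtectionStatus) (waiting for activation / clear key)"
    }

    # 3. Is there a recovery password protector to escrow?
    $recovery = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $failures += "$osDrive has no RecoveryPassword key protector"
    }

    # 4. Any other fixed drive where BitLocker is available but off?
    #    Removable media are skipped via Get-Volume's DriveType.
    foreach ($v in Get-BitLockerVolume | Where-Object { $_.MountPoint -ne $osDrive }) {
        $letter = $v.MountPoint.TrimEnd(':')
        $fixed  = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType -eq 'Fixed'
        if ($fixed -and $v.ProtectionStatus -ne 'On') {
            $failures += "$($v.MountPoint) is a fixed drive with BitLocker protection $($v.ProtectionStatus)"
        }
    }

    [pscustomobject]@{
        Status           = if ($failures.Count -eq 0) { 'OK' } else { 'Failed' }
        SystemDrive      = $osDrive
        RecoveryKeyId    = if ($recovery.Count) { $recovery[0].KeyProtectorId } else { $null }
        RecoveryPassword = if ($IncludeRecoveryPassword -and $recovery.Count) { $recovery[0].RecoveryPassword } else { $null }
        Reasons          = $failures
    }
}

$result = Test-BitLockerRollout
$result | Format-List

# Non-zero exit code so an RMM monitor treats the device as failed.
if ($result.Status -ne 'OK') { exit 1 } else { exit 0 }
```

The RecoveryKeyId (the key protector GUID) is safe to report on every run; only pass -IncludeRecoveryPassword when the output goes straight into the RMM’s key escrow, since the 48-digit recovery password unlocks the drive outright. If you want a second opinion on a device in the clear-key state, manage-bde -status on the same volume reports “Protection Off” while still showing the volume as fully encrypted, which is exactly the condition this check catches.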

Where can I find BitLocker Status v2?

For many of you, it will come as no surprise to hear that BitLocker Status v2 is available in the Automation Cookbook.

For those of you who are unfamiliar with the Automation Cookbook, boy are you in for a treat: with over 800 scripts (and growing), the Automation Cookbook contains automation policies, custom monitoring, and pre-built scripts to help you boost your efficiency. These scripts are written in-house or by other MSPs who are using automation capabilities, so you know you are getting scripts that work, and work well.

Make sure you check out the Automation Cookbook here: https://me.n-able.com/s/global-search/%40uri#t=AutomationCookbook&sort=relevancy

In most cases I’m sure you’ll find that BitLocker has actually fully encrypted your devices, but as Murphy’s Law would dictate, if something can go wrong it will. So why run the risk of not taking any action? Roll out BitLocker Status v2 across your devices, and if you have questions join me on my N‑central office hours; alternatively, you can contact me directly by the methods below.

Paul Kelly is the Head Nerd at N‑able. You can follow him on Twitter at @HeadNerdPaul, on LinkedIn, and on Reddit at u/Paul_Kelly. Alternatively, you can email him directly.


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability for the accuracy, completeness or usefulness of the information contained herein.

N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered trademarks, or pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.