A recent Microsoft Support knowledgebase article and servicing stack update for Windows fix a race condition, introduced by a Secure Boot feature update, that caused some devices to prompt for the BitLocker recovery password after patching. It reminded me that we often forget which devices have BitLocker. When you patch, BitLocker is normally silent and does not interfere with the patching process. It is designed to be silent, so much so that you might forget which machines have it enabled and which ones do not.
Microsoft recently announced that it will add advanced management tools to track and manage BitLocker in the coming months to SCCM and Intune. In the meantime, what can you do to inventory your network to determine which devices have BitLocker? Plenty.
Using PowerShell to find BitLocker-enabled devices
Let's start with the command line. Run manage-bde -status c: from an elevated command prompt or PowerShell window; the output shows whether BitLocker is enabled on the drive. The two lines to read are "Conversion Status" (Fully Encrypted, Fully Decrypted or Encryption in Progress) and "Protection Status" (Protection On or Protection Off). The equivalent PowerShell cmdlet is Get-BitLockerVolume, which returns the same information as objects you can filter and export.
[Screenshot: BitLocker enabled]
If the device does not have BitLocker, the output reports "Conversion Status: Fully Decrypted" and "Protection Status: Protection Off". Check both lines: a drive that is fully encrypted but shows "Protection Off" has had BitLocker suspended (some updates and firmware changes do this), so the data is encrypted but the key is stored in the clear until protection is resumed.
[Screenshot: BitLocker not enabled]
If you need to determine whether BitLocker is enabled on a remote device, add the computer name to the command: manage-bde -status c: -ComputerName <computername> (the short form is -cn). This requires administrative rights on the remote machine and a firewall that allows remote management traffic to it.
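The remote check above scales poorly beyond a handful of machines. The following is an added example (not code from the original article) that inventories a list of computers with the BitLocker PowerShell module over PowerShell Remoting and writes the result to a CSV; the computer names are placeholders, and it assumes WinRM is enabled and you hold admin rights on each target.

```powershell
# Added example: BitLocker inventory across several computers.
# Assumes PowerShell Remoting (WinRM) is enabled and the caller is a local admin on each target.
$computers = @('PC-001', 'PC-002', 'LAPTOP-FINANCE-07')   # placeholder names

# Runs on each target and returns one object per fixed drive.
$probe = {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                Drive            = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
                ProtectionStatus = $_.ProtectionStatus   # Off on a FullyEncrypted drive means BitLocker is suspended
                EncryptionMethod = $_.EncryptionMethod
                KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
                HasRecoveryPwd   = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            }
        }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe `
                          -ErrorAction SilentlyContinue -ErrorVariable unreachable

# A machine that did not answer is an unknown, not a pass; list it separately.
foreach ($e in $unreachable) {
    [pscustomobject]@{ Computer = $e.TargetObject; Error = $e.Exception.Message }
}

$results | Sort-Object Computer, Drive |
    Select-Object Computer, Drive, VolumeType, VolumeStatus, ProtectionStatus,
                  EncryptionMethod, KeyProtectors, HasRecoveryPwd |
    Export-Csv -Path .\bitlocker-inventory.csv -NoTypeInformation

# Triage view: OS drives that are not actively protected (decrypted or suspended).
$results | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -ne 'On' } |
    Format-Table Computer, Drive, VolumeStatus, ProtectionStatus, KeyProtectors -AutoSize
```

The HasRecoveryPwd column matters as much as the encryption status: an encrypted drive with only a TPM protector and no recovery password is one firmware update away from an unrecoverable lockout.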
Finding multiple BitLocker-enabled devices
What if you want to review more than one computer at a time? Use Intune (or Azure AD) to review the status. For devices enrolled in Intune, use the Intune Encryption report. Sign in to the Intune portal, go to "Device Configuration", and under "Monitor" select "Encryption report".
[Screenshot: Intune drive encryption report]
The report gives you an overview of the computers that have encryption enabled, the operating system, the operating system version, the TPM version, encryption readiness, the status of the encryption and the user principal name assigned to the system.
Managing BitLocker recovery keys
Management of BitLocker recovery keys often concerns large organizations, especially how to store them safely. When a system is joined to Azure AD, even if the user runs the BitLocker encryption process themselves, they are prompted to back up the recovery key at the start of encryption. The options are to save the recovery key to a file, to print it, and, best of all, to save it automatically to the cloud account (Microsoft account or Azure AD). Once the recovery key is backed up, you can unlock the drive should the device enter recovery, for example after a firmware, TPM or boot configuration change, or when the drive is moved to another machine.
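For devices that were encrypted before they were joined to Azure AD, or where the prompt was skipped, the key can be escrowed after the fact. The block below is an added example (not from the original article): it runs elevated on an Azure AD joined or hybrid-joined device, ensures the OS drive has a recovery-password protector, and backs that protector up to Azure AD with the BackupToAAD-BitLockerKeyProtector cmdlet.

```powershell
# Added example: escrow the OS drive's recovery password(s) to Azure AD.
# Assumes an elevated session on a device that is Azure AD joined (or hybrid joined)
# and has network access to the Azure AD service.
$osDrive = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'

# 1. Find the recovery-password protector(s); add one if the drive only has a TPM protector.
$recovery = $osDrive.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osDrive.MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 2. Escrow every recovery-password protector; a drive can legitimately carry more than one.
foreach ($p in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive.MountPoint -KeyProtectorId $p.KeyProtectorId
        "Escrowed protector $($p.KeyProtectorId) for $($osDrive.MountPoint) to Azure AD"
    }
    catch {
        # Typical causes: the device is not Azure AD joined, or it cannot reach the service.
        Write-Warning "Escrow of $($p.KeyProtectorId) failed: $($_.Exception.Message)"
    }
}
```

The cmdlet does not return the stored key; confirm the escrow by viewing the device in the Azure AD portal afterwards. Because the recovery password printed by Get-BitLockerVolume unlocks the drive, do not log that property, only the protector ID.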
[Screenshot: Recovery key backup options]
If you have ever added a Microsoft account to a Surface device and later run into a recovery prompt, you know that the device automatically backs up the BitLocker recovery key to that Microsoft account. BitLocker recovery keys can be found in several places. If the user signs in with a Microsoft account, the key is listed under the device's information in the account. Sign in to the Microsoft account from another device, and you will see the BitLocker recovery key listed:
[Screenshot: Microsoft account recovery keys]
If you need to provide the recovery key during boot, use a different device to sign in with the Microsoft account credentials at the recovery key page (https://account.microsoft.com/devices/recoverykey), copy the key for the device shown on the recovery screen, and type it into the BitLocker recovery prompt. The Key ID shown on the recovery screen matches the ID listed beside each stored key, so pick the key by ID rather than by device name when a user has several devices.
If the device is joined to Azure AD, find the BitLocker recovery key in the device's information in the Azure AD portal (Azure Active Directory > Devices > select the device > BitLocker keys). Each read of a key is recorded in the Azure AD audit log, which is worth reviewing periodically, since anyone who can read the key can unlock the drive.
[Screenshot: Azure AD BitLocker keys]
If you do not have Azure AD, you can use on-premises Active Directory to store your BitLocker recovery keys. A domain running Windows Server 2008 or later already has the schema attributes needed to hold recovery information; older schemas need the BitLocker schema extension. What is not on by default is the backup itself: you must enable the Group Policy setting "Choose how BitLocker-protected operating system drives can be recovered" (under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) and tick "Save BitLocker recovery information to AD DS", ideally together with "Do not enable BitLocker until recovery information is stored to AD DS", so a drive cannot be encrypted until its key has been escrowed. To view the stored keys, install the BitLocker Drive Encryption Administration Utilities (the BitLocker Recovery Password Viewer) from RSAT, which adds a "BitLocker Recovery" tab to computer objects in Active Directory Users and Computers.
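The policy described above only escrows keys for drives encrypted after it applies, and the Recovery Password Viewer answers one computer at a time. The following added example (not code from the original article) has two parts: Part A runs elevated on a client and checks that the policy is in effect before pushing its existing recovery password into AD with Backup-BitLockerKeyProtector; Part B runs on an admin workstation with the ActiveDirectory RSAT module and reads the msFVE-RecoveryInformation objects to find both a given computer's keys and, more usefully, the computers that have none. The function name Get-ADBitLockerRecovery is my own, not a built-in cmdlet, and the registry value names are those the policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example: AD DS escrow check and lookup. Not from the original article.

# --- Part A: on the client, elevated ---
# OSActiveDirectoryBackup is written by the policy
# "Choose how BitLocker-protected operating system drives can be recovered".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup of OS-drive recovery information is not enabled by policy; new keys will not be escrowed.'
}

$osDrive = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
foreach ($p in ($osDrive.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    # Writes one msFVE-RecoveryInformation child object under this computer's AD object.
    Backup-BitLockerKeyProtector -MountPoint $osDrive.MountPoint -KeyProtectorId $p.KeyProtectorId
}

# --- Part B: on an admin workstation with RSAT ---
Import-Module ActiveDirectory

function Get-ADBitLockerRecovery {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery information lives in child objects of the computer object, one per protector.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $ComputerName
                # The object name is "<timestamp>{<protector GUID>}"; the GUID is the Key ID on the recovery screen.
                ProtectorId = ($_.Name -replace '^.*\{', '{')
                Stored      = $_.whenCreated
                Password    = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Look up one machine (placeholder name):
Get-ADBitLockerRecovery -ComputerName 'LAPTOP-FINANCE-07' | Format-Table Computer, ProtectorId, Stored -AutoSize

# The inventory gap: workstations with no escrowed key at all.
Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' |
    Where-Object {
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                           -Filter 'objectClass -eq "msFVE-RecoveryInformation"')
    } |
    Select-Object Name, DistinguishedName
```

Reading msFVE-RecoveryPassword is a privileged operation; keep the ACL on those child objects tight (by default only Domain Admins can read them) and let helpdesk staff use the Recovery Password Viewer, which resolves by Key ID, rather than handing them a CSV of every password.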
It is essential in this era of mobile data to ensure devices are encrypted. Should a laptop be stolen, an attacker who resets the Windows password or pulls the drive and mounts it elsewhere still cannot read the encrypted disk. The protection is for data at rest: it does not help on a device that is powered on and unlocked, and a TPM-only configuration without a pre-boot PIN gives less assurance than one with a PIN, so pick the protector combination that matches your threat model.
BitLocker is just one tool of many to keep data safe. Managing BitLocker recovery keys has become much easier and more end-user friendly if you use either Microsoft accounts or Azure AD accounts to store them. Review your current BitLocker management processes to see whether you can streamline them and, above all, confirm that every encrypted device has a recovery key escrowed somewhere you can reach when the next update triggers a recovery prompt.