How to manage Microsoft's BitLocker encryption feature

Enterprises with many Windows devices might struggle to know which have BitLocker enabled or where to find BitLocker recovery keys. These techniques can help.

A recent Microsoft Support knowledgebase article and servicing stack update for Windows offers a fix for a race condition introduced by a secure boot feature update, which caused patching to trigger a BitLocker recovery password prompt. It reminded me that we often forget which devices have BitLocker. When you patch, BitLocker is normally silent and doesn't interfere with the patching process. It is designed to be silent, so much so that you might forget which machines have it enabled and which do not.

Microsoft recently announced that it will add advanced tools for tracking and managing BitLocker to SCCM and Intune in the coming months. In the meantime, what can you do to inventory your network and determine which devices have BitLocker? Plenty.

Using PowerShell to find BitLocker-enabled devices

Let's start with PowerShell. The manage-bde -status c: command reports whether BitLocker is enabled on the device's C: drive.
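The same check, scaled out to a fleet: the script below is an added example (not from the article) that collects BitLocker status and key-protector types from a list of devices over PowerShell remoting. It assumes WinRM is enabled, the caller is a local administrator on each target, the BitLocker module is present there, and the computer names are placeholders to replace.

```powershell
# Added example: fleet inventory of BitLocker status on the OS volume.
# Assumptions: PowerShell remoting is enabled, the caller is an administrator on
# each target, the BitLocker module exists there. Computer names are placeholders.
$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

$Inventory = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Only the OS volume is checked; remove the MountPoint filter to include data volumes.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus    = $vol.ProtectionStatus   # On = keys protected; Off = suspended or not encrypted
        EncryptionMethod    = $vol.EncryptionMethod
        KeyProtectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
        # Record only the recovery protector ID; the recovery password itself never goes into the report.
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ',')
    }
}

# Devices that did not answer (offline, WinRM off, module missing) need follow-up as well.
$Unreached = $Computers | Where-Object { $_ -notin $Inventory.PSComputerName }

$Inventory | Sort-Object ComputerName |
    Format-Table ComputerName, VolumeStatus, ProtectionStatus, KeyProtectors -AutoSize
$Inventory | Export-Csv -Path .\BitLockerInventory.csv -NoTypeInformation
if ($Unreached) { Write-Warning ("Not inventoried: " + ($Unreached -join ', ')) }
```

A device showing ProtectionStatus Off on a FullyEncrypted volume has BitLocker suspended rather than absent; and where a RecoveryPassword protector exists, Backup-BitLockerKeyProtector with that protector ID escrows the key to Active Directory so it can be found later without logging it here.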
