Usage guide: BitLocker compliance
This page outlines various ways to use the pack, including use case examples.
Administrators can refer to the Configuration guide: BitLocker compliance to set up and customize the installed content.
The BitLocker compliance live dashboard acts as the starting point of this library pack. This dashboard provides a single environment for managing the BitLocker encryption status of Windows operating system devices by:
Identifying encrypted and unencrypted devices
Identifying devices ready for encryption
Some recommendations for BitLocker encryption are:
Ensure TPM availability
Verify TPM status
Initialize the TPM
Apply group policies
Detect security gaps
Library pack uses
Jump to Use cases on this page to see relevant scenario applications.
Ensuring TPM availability
You can encrypt devices that lack a TPM (Trusted Platform Module), but with reduced security protection. Over time, consider replacing these devices with TPM-equipped hardware to strengthen endpoint security. The table also shows the number of devices without a TPM that are at risk of remaining unencrypted.
Initializing the TPM
Take ownership of the TPM if it has not been initialized, and configure its security settings through Windows management tools. A device reported as "not owned" is one whose Trusted Platform Module (TPM) has not been initialized or taken ownership of by the operating system or a management policy. This can occur if the TPM has never been configured or has been reset.
To resolve this, initialize the TPM by taking ownership through Windows' security management tools and configure it so that BitLocker encryption keys are stored properly.
Applying group policies
Ensure that group policies allow the use of BitLocker with TPM. The "Devices protected but the GPO not applied" metric indicates that the devices are correctly encrypted and protected, but the GPO to upload key protectors to AD is not present. In these cases, two steps must be executed for the listed devices:
The AD GPO must be applied to these devices.
The Key Protectors must be manually uploaded to AD, as the GPO will not back up any key created before it is applied.
The "Devices not protected and GPO not applied" metric indicates the devices are not yet encrypted and protected, and the required GPO to upload key protectors to AD is absent. In these cases, the AD GPO must be applied to these devices before encryption. The system drive can then be encrypted and BitLocker enabled as usual. With the GPO in place, the key protectors will be uploaded automatically.
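The two remediation paths above (confirm the TPM, confirm the drive is protected, then manually upload existing key protectors to AD where the GPO arrived after encryption) can be checked on a single device with the PowerShell below. This is an added example and not part of the library pack; it assumes an elevated session on a domain-joined Windows device whose AD schema already holds the BitLocker recovery attributes, and it uses the system drive from $env:SystemDrive.

```powershell
# Added example (not part of the library pack): report TPM and BitLocker state
# for the system drive and push existing recovery-password protectors to AD DS.
# Uses the built-in TrustedPlatformModule and BitLocker modules; run elevated.

$drive = $env:SystemDrive   # e.g. C:

# 1. TPM availability and ownership ("Ensure TPM availability" / "Initialize the TPM")
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning "No TPM present: BitLocker can only run with reduced protection."
} elseif (-not $tpm.TpmReady) {
    Write-Warning "TPM present but not ready/owned; initialize it before using TPM protectors."
    # Initialize-Tpm takes ownership where the OS has not already done so:
    # Initialize-Tpm -AllowClear -AllowPhysicalPresence
}

# 2. BitLocker state of the system drive
$vol = Get-BitLockerVolume -MountPoint $drive
"{0}: ProtectionStatus={1} VolumeStatus={2} Encrypted={3}%" -f `
    $drive, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage

# 3. Key protectors: a recovery password is what gets escrowed to AD
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if ($vol.ProtectionStatus -eq 'On' -and -not $recovery) {
    Write-Warning ("Drive is protected but has no recovery-password protector; " +
                   "add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector.")
}

# 4. Manual upload for the "protected but GPO not applied" case. The GPO only
#    backs up protectors created after it applies, so protectors that already
#    exist must be pushed explicitly.
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $kp.KeyProtectorId
    "Backed up recovery protector {0} to AD DS" -f $kp.KeyProtectorId
}
```

Backup-BitLockerKeyProtector fails if the device is not domain-joined or the recovery attributes are missing from the schema, so treat an error here as a separate gap to remediate rather than a BitLocker fault.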
Detecting security gaps
Key protectors are essential for securing and managing encryption keys: they define how the keys required to encrypt and decrypt data on a drive are protected and accessed.
Use cases
In addition to the relevant use cases covered below, you may uncover other troubleshooting scenarios specific to your environment.
Identification of non-compliant devices: Detect devices that are not encrypted or do not meet the organization’s encryption requirements.
Tracking encryption progress: Monitor the number of devices that have been successfully encrypted versus those pending encryption.
Highlighting devices missing security applications or components: Identify endpoints lacking the tools required for encryption, such as BitLocker or a TPM.
Detecting unsupported operating systems: Pinpoint devices running outdated or unsupported OS versions that cannot support the TPM encryption feature.
Prioritization of high-risk devices: Focus on devices with sensitive data or in critical departments that lack encryption compliance.
Segmentation by location or department: Filter non-compliant devices based on their location, department, or assigned user for targeted remediation.
Real-time alerts for compliance failures: Generate alerts for devices where encryption policies fail or encryption is disabled unexpectedly.
Policy compliance verification: Validate that devices meet all encryption policies, including hardware compatibility and software configurations.