Windows BitLocker
BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive.
BigFix MCM provides a hybrid full-disk encryption solution for Windows devices, which uses MDM policies for enforcement of the encryption settings, while using the BigFix agent and the manage-bde CLI to perform encryption actions. This allows for greater control as well as the ability to do more unattended setup and configuration.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde
Prerequisites
- Trusted Platform Module (TPM) on Windows
- The endpoint must be correlated: it must be enrolled in BigFix MCM and must have the BigFix agent installed.
For complete information about system requirements, see https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview#system-requirements
Configuration options
- Fixed/removable drives require encryption
- Encryption methods
- Custom recovery message
- Basic TPM Readiness checks/status reporting (Check if the device can be encrypted)
- Gathering encryption status/data through the BigFix agent.
- Reporting is done through agent analysis with relevance using WMI calls
BigFix MCM enables BitLocker with the TPM as the key protector and encrypts the system drive using AES-256. At this time, only the system drive is encrypted by MCM itself; a policy requiring that fixed and removable drives also be encrypted can still be set, and the end user can then enable BitLocker on those drives using the appropriate methods to become compliant.
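As an added example (not BigFix MCM's or Microsoft's own code), the following PowerShell script performs the TPM readiness check and the WMI status query described above, returning the same data that manage-bde -status reports; the compliance rule it applies (system drive fully encrypted with a 256-bit AES method and a TPM key protector) is an assumption modelled on the policy in this section, and the script assumes Windows PowerShell 5.1 or later with the TrustedPlatformModule module available.

```powershell
# Added example: reproduce the readiness and status checks an agent analysis
# would make through WMI. Run in an elevated PowerShell session.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Name tables for the numeric codes returned by Win32_EncryptableVolume methods
$ConversionNames = @{0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                     3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused'}
$MethodNames = @{0='None'; 1='AES_128_WITH_DIFFUSER'; 2='AES_256_WITH_DIFFUSER'; 3='AES_128';
                 4='AES_256'; 5='HARDWARE'; 6='XTS_AES_128'; 7='XTS_AES_256'}

# 1. TPM readiness: unattended enablement needs a TPM that is present and ready.
$tpm = Get-Tpm
[pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady; TpmEnabled = $tpm.TpmEnabled }

# 2. Per-volume encryption status (what 'manage-bde -status' prints), via WMI.
$systemDrive = $env:SystemDrive   # e.g. 'C:'
Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume | ForEach-Object {
    $vol  = $_
    $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $meth = Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod
    # KeyProtectorType 0 returns every protector; 1 = TPM, 3 = numerical (recovery) password
    $kp = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{KeyProtectorType=[uint32]0}
    $types = foreach ($id in $kp.VolumeKeyProtectorID) {
        (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
            -Arguments @{VolumeKeyProtectorID=$id}).KeyProtectorType
    }
    # Assumed compliance rule: system drive, protection on, fully encrypted,
    # 256-bit AES (CBC or XTS), and a TPM protector present.
    $compliant = ($vol.DriveLetter -eq $systemDrive) -and ($vol.ProtectionStatus -eq 1) -and
                 ($conv.ConversionStatus -eq 1) -and ($meth.EncryptionMethod -in 4,7) -and ($types -contains 1)
    [pscustomobject]@{
        Drive            = $vol.DriveLetter
        ProtectionOn     = ($vol.ProtectionStatus -eq 1)
        Conversion       = $ConversionNames[[int]$conv.ConversionStatus]
        PercentEncrypted = $conv.EncryptionPercentage
        Method           = $MethodNames[[int]$meth.EncryptionMethod]
        TpmProtector     = ($types -contains 1)
        RecoveryPassword = ($types -contains 3)
        Compliant        = $compliant
    }
} | Format-Table -AutoSize
```

A system drive that shows ProtectionOn false while Conversion is FullyEncrypted is encrypted but has its protectors suspended, which is why the rule checks both fields rather than the encryption percentage alone.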