
BitLocker Management for Windows 10 and 11

Description

This Compliance Pack helps you report on BitLocker status and, when assigned, enable BitLocker on supported Windows 10 and Windows 11 devices. The Custom Fields report recovery key and encryption status. The enforcement Fileset can take action, so test it on a small Windows group before wider deployment.

Ingredients

  • FileWave Central

  • Windows OS systems running a version of Windows that is licensed for BitLocker

  • BitLocker Fileset

    • Activation: Associate the Fileset with Windows clients to enable BitLocker.

    • Deactivation: Remove the association to disable BitLocker.

    • Customization: The script within the Fileset includes specific options that can be customized by administrators based on organizational needs.

  • Custom Fields

    • BitLocker Key: Displays the recovery keys for encrypted drives. For example, "C:, 219296-176121-018458-479017-019437-305833-463155-542608". After importing the Custom Field, choose to assign it to specific devices or all devices.

    • BitLocker Status: Presents the current encryption state, such as "Conversion Status: Used Space Only Encrypted".


Directions

Download

  1. Download the BitLocker Compliance Pack.

    • Unzip the zip file and you will find a Fileset as well as a Custom Fields file.

BitLocker Custom Fields

The Custom Fields report BitLocker information only. They do not encrypt devices or change BitLocker settings. Use the steps below to import and assign them.

  1. In FileWave Central go to Assistants -> Custom Fields -> Edit Custom Field Definitions.
  2. Click "Import" and pick the .customfields file from the zip you downloaded.
  3. For both BitLocker Key and BitLocker Status, select the Custom Field and check "Assigned to all devices" if you want to capture the status for all devices. To scope reporting to specific devices, select those devices in the Clients view, right-click, and choose Edit Custom Field Associations.
  4. Add the two new fields to the Clients view or to any Reports (formerly Queries). Run a Model Update, then wait for devices to report inventory before expecting data to appear. 

BitLocker Enforcement Fileset

This Fileset will take action on devices when assigned. Test it first and confirm the encryption behavior before applying it broadly. When you associate it with a capable Windows device, that device encrypts, and the Custom Fields report the result after inventory runs. Reporting is not immediate because FileWave needs a new inventory check-in; use Verify during testing if you want the device to report sooner.

  1. Drag and drop the Bitlocker Enforcement.fileset into your Filesets area in FileWave Central.
  2. Move it to wherever you would like it in the Filesets area.
  3. Create an Association or a Deployment to assign it to a device.
  4. Watch the device encrypt by checking the drive properties in Windows Explorer or by running manage-bde.exe on that computer. The Custom Fields do not update in real time, so checking locally is the clearest test signal.

  5. Notice what happens if you break the Association. The device will decrypt.

To inspect how the pack works, select the Fileset and open Scripts from the toolbar. The Fileset includes one script to encrypt and one to decrypt. If encryption fails, check the Fileset log directory under C:\ProgramData\FileWave\log\fwcld\. Each Fileset has its own ID-numbered directory. Also confirm that the Windows edition supports BitLocker; FileWave can only enable BitLocker when the operating system includes that capability. The encryption script includes options you can adjust if your organization needs different BitLocker settings.
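
A local check for step 4 and for the log directory mentioned above, as an added example (it is not part of the FileWave pack or its scripts). It parses the output of manage-bde.exe -status, assumes English-language output, and uses a helper name, ConvertFrom-ManageBdeStatus, that is made up for this example.

```powershell
# Added example: local check on a test device. Run in an elevated PowerShell session.
# Assumption: English manage-bde output; field labels are localized on other systems.
$MountPoint = 'C:'
$LogRoot    = 'C:\ProgramData\FileWave\log\fwcld'   # log path given in the article

function ConvertFrom-ManageBdeStatus {
    # Parses "    Label:   Value" lines and the trailing "Key Protectors:" list.
    param([string[]]$Lines)
    $fields = @{}; $protectors = @(); $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s+Key Protectors:\s*(.*)$') {
            $inProtectors = $true
            if ($Matches[1]) { $protectors += $Matches[1].Trim() }  # value on the same line
        } elseif ($inProtectors -and $line.Trim()) {
            $protectors += $line.Trim()                              # one protector per line
        } elseif ($line -match '^\s+([^:]+):\s+(\S.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return @{ Fields = $fields; Protectors = $protectors }
}

$raw = & manage-bde.exe -status $MountPoint
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde.exe exited with $LASTEXITCODE. Check elevation and that this Windows edition includes BitLocker."
}
$parsed = ConvertFrom-ManageBdeStatus -Lines $raw

# Encrypted and protected are separate facts: a volume can be fully encrypted
# while protection is off (suspended), so report both.
# Only the presence of a recovery password protector is shown, never the key.
[pscustomobject]@{
    MountPoint          = $MountPoint
    ConversionStatus    = $parsed.Fields['Conversion Status']
    PercentageEncrypted = $parsed.Fields['Percentage Encrypted']
    ProtectionStatus    = $parsed.Fields['Protection Status']
    ProtectionOn        = $parsed.Fields['Protection Status'] -like 'Protection On*'
    HasRecoveryPassword = $parsed.Protectors -contains 'Numerical Password'
} | Format-List | Out-Host

# If encryption did not start, the most recently written Fileset log folders are the place to look.
if (Test-Path -LiteralPath $LogRoot) {
    Get-ChildItem -LiteralPath $LogRoot -Directory |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, LastWriteTime |
        Format-Table -AutoSize | Out-Host
}
```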