BitLocker Drive Encryption

Overview

BitLocker is Microsoft’s full volume encryption (FVE) technology, released in early 2007.

We use Microsoft’s Configuration Manager to create and deploy BitLocker FVE policy for all managed devices running Windows Desktop OS on a physical computer. Prior to managing BitLocker with Config Manager, BitLocker was managed with Microsoft’s BitLocker Administration and Management (MBAM). The default encryption policy we configured for MBAM was AES 256-bit encryption, a precursor to the XTS-AES 256-bit encryption we use today. The OS drive and all fixed drives are encrypted. In most cases you will only be dealing with one OS drive and zero fixed drives.

At the start of the encryption process, a recovery key is generated for each OS and fixed drive. Recovery keys are escrowed (stored encrypted) in the Config Manager database.

In the case where a drive is locked, a recovery key is needed to unlock it. The drive’s recovery key can be retrieved by departmental IT from the helpdesk portal. Access to the portal from off-site requires a VPN connection to campus.

Some devices were not encrypted by MBAM or Config Manager and use other encryption methods. Devices that are not encrypted with XTS-AES 256-bit receive a BitLocker policy whose configuration matches the drive’s existing encryption method, so that they show as compliant in reporting. Recovery keys for these devices’ OS and fixed drives are still escrowed in the Config Manager database.

Helpdesk portal

NC State BitLocker Helpdesk portal

The Helpdesk portal’s target audience is departmental IT retrieving a recovery key on the user’s behalf. The helpdesk portal is not accessible to users who do not have a .admin account.

The User Domain field will always be wolftech and the User ID field has to be the Unity ID of an account that has signed in interactively to the computer. RDP connections do not count.

You can see which users have signed into a computer by looking at the device’s hardware inventory with Resource Explorer in Config Manager. User Profile Health is the inventory item to look at.
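The following PowerShell is an added example for departmental IT, not part of this page or of the Config Manager policy: run locally on a managed device in an elevated session, it reports each volume’s encryption method against the XTS-AES 256-bit policy described above and whether a recovery password protector exists to escrow, and it lists the local user profiles as a rough stand-in for the User Profile Health inventory when Resource Explorer is not at hand. It assumes the built-in BitLocker module and Windows PowerShell 5.1 or later; the function names and the $ExpectedMethod parameter are this example’s own.

```powershell
# Added example (not from the original page). Requires an elevated session and
# the BitLocker module that ships with Windows client SKUs.
#Requires -RunAsAdministrator

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Method the managed policy expects; XtsAes256 is the XTS-AES 256-bit policy described on the page.
        [string]$ExpectedMethod = 'XtsAes256'
    )

    # One object per volume: the OS drive plus any fixed (Data) drives.
    foreach ($vol in Get-BitLockerVolume) {
        # The RecoveryPassword protector is the 48-digit key the helpdesk portal hands out;
        # its KeyProtectorId is the identifier shown on the BitLocker recovery screen.
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus  # Off means protectors are suspended or absent
            EncryptionMethod  = $vol.EncryptionMethod
            MatchesPolicy     = ($vol.EncryptionMethod -eq $ExpectedMethod)
            RecoveryProtector = ($recovery.Count -gt 0)
            RecoveryKeyId     = ($recovery | ForEach-Object { $_.KeyProtectorId }) -join ','
        }
    }
}

function Get-LocalUserProfileSummary {
    # Local profiles, SID translated to DOMAIN\user (e.g. WOLFTECH\unityid). Note that an RDP
    # session also creates a profile, so confirm interactive sign-in with the User Profile
    # Health inventory in Config Manager before using the ID in the helpdesk portal.
    foreach ($profile in Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }) {
        $account = $profile.SID
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($profile.SID)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned SID (deleted or unreachable account); keep the raw SID.
        }
        [pscustomobject]@{
            Account     = $account
            LocalPath   = $profile.LocalPath
            LastUseTime = $profile.LastUseTime
        }
    }
}

# A drive with MatchesPolicy = False is one that receives a policy matched to its existing
# method; RecoveryProtector = False means there is no recovery key to escrow yet.
Get-BitLockerComplianceReport | Format-Table -AutoSize
Get-LocalUserProfileSummary | Sort-Object LastUseTime -Descending | Format-Table -AutoSize
```

A drive that reports ProtectionStatus Off while FullyEncrypted is usually one whose protectors were suspended for maintenance; it will not prompt for the recovery key, but it is also not protected until protection is resumed.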

The Helpdesk portal will prompt for authentication. Sign in with your .admin account.