BitLocker Management

Last modified by Jannis Klein on 2024/08/13 08:20

ACMP BitLocker Management helps you centrally manage your operating system and hard disk encryption for added protection against external threats. BitLocker is a Microsoft security feature that allows you to encrypt your hard drives. This helps protect your data by preventing unauthorised reading or theft of sensitive information.

Configuration Profiles allow you to make settings directly on the client and apply them using a container or query action.

Version note  Version note:  

BitLocker Management is available in ACMP version 6.4 and above.

System requirements for BitLocker

  • ACMP agent (not OSC or other)
  • Operating system Windows 10 (Pro or higher) version 1511 or Windows Server 2016 version 10.0.10586
  • TPM version 2.0 must be enabled
  • UEFI mode must be available
  • Powershell scripts must be able to be executed
  • The Client ID must be unique in ACMP.

Hinweis  Note:  

If ACMP detects a duplicate Client ID, no BitLocker Configuration Profile can be assigned to the Client. For this reason, the Client ID must be unique.

Allow the logged-in user to change the password

Hinweis  Note:  

In the following section, we define both the system start PIN and the password.
The system start PIN is queried when the computer is booted and is only valid for the operating system drive. This PIN can be restricted to either alphanumeric or numeric only.
The password can only be limited in minimum length and must always be alphanumeric. It is used for all other fixed data drives except the operating system drive.

There are two ways to allow users to change a password at the Client.
Either you make the password change available to the user via the ACMP Kiosk, or you run a query action that displays a dialogue to the user at the Client, where a new password can be assigned.

Changing the BitLocker password using ACMP Kiosk

If you want to allow your users to change their BitLocker password at any time, follow these steps:
First navigate to the ACMP Kiosk (Client Management > ACMP Kiosk). Then click on Add Items and select System Jobs. A menu will open where you can select Options Change BitLocker password. Confirm the selection and a wizard will start to guide you through the process. Enter all the required information and exit the wizard.

64_BitLocker Management_ACMP Kiosk_815.png

Change BitLocker password via ACMP Kiosk

The user at the Client who has been given the password change can now access the shortcut via the ACMP Kiosk. After opening the Kiosk, the user has to click on Execute, which opens a dialogue on the Client. This dialogue allows the user to change the password. Under Drives, the user can select the drive for which the password is to be changed.

Hinweis  Note:  

The Drives field lists all drives that are BitLocker-encrypted and have a startup PIN or password.

If the drive is currently locked, the user will also need to enter the old password.

Hinweis  Note:  

If the password is no longer known, the password change must be executed via the query action.

64_BitLocker Management_Passwort ändern_448.png

Change BitLocker password

Change BitLocker password via query action

If you do not want users to be able to change the password at any time without asking you again, you can make the changes by using a query action. This option can be started on demand.
To do this, open a query and select the client on which you want the user to change the password. Then click the BitLocker Management button and select Change BitLocker drive passwords. Confirm the action by clicking Execute.

64_BitLocker Management_Passwort ändern_Query Action_448.png

Dialogue window for changing the BitLocker password via the query action

A dialogue box opens on the user's Client, allowing the user to change the password of a drive. The user can select the required drive, enter the new password and confirm. Click the Change Password button to save the changes. However, if several passwords for different drives are changed, the process must be repeated each time before the dialogue is finally closed with Close.

Hinweis  Note:  

When changing the password using the query action, it is not necessary to enter the old password for a locked drive, as the recovery password is used.

Disable BitLocker

If you want to disable BitLocker on one of your Clients, the only way to do this is through a Query Action. You will need to select all the Clients you want to disable BitLocker on. Then click the BitLocker Management button and select Disable BitLocker. You can choose to disable BitLocker on the operating system hard disk and/or fixed data drives. For the fixed data drive, you can choose to decrypt the entire drive or only selected partitions. If you choose the latter option, you will need to manually select the drives from the list.
Once you have started the job, the selected disks will be decrypted on the relevant Clients

Hinweis  Note:  

If a Configuration Profile is still assigned to the Client, the drives will be reencrypted according to the settings in the Configuration Profile. This ensures that the disks that the Configuration Profile settings specify will always be encrypted for those Clients.

64_BitLocker Management_Deaktivieren.png

Disable BitLocker via a query action

Stop and continue BitLocker protection (system jobs)

If you have a Client where the operating system drive is encrypted, you can optionally require a system start PIN when the system boots. This means that the Client's operating system will not continue until the user has successfully entered the PIN. For example, if you run a Client command or job on the Client that requires a reboot, the job may not continue until the user has entered the PIN. To work around this, you can temporarily disable the protection so that the PIN is no longer requested. This can be done, for example, by running a system job in a Job Collection, thus temporarily suspending the system start PIN entry.

Hinweis  Note:  

System jobs can be retrieved wherever you can run a job.

Navigate to the Job Collection (Jobs > Job Collection) and select the appropriate Collection that you want to use to pause BitLocker protection. The BitLocker-specific jobs can be found in the System Jobs drop-down box. If you have a Client Command or Job that requires a possible restart, you can create a Job Collection for it using the Stop BitLocker protection job. To do this, first set the Stop system job for BitLocker protection, and then add the possible job or command to the collection.

64_BitLocker Management_Job Collections.png

Stop and enable BitLocker protection

If the command or job does not require a restart, and therefore the client is not restarted, it is possible that BitLocker protection will be removed. However, you can play it safe and ensure that protection is always re-enabled by using the Turn on BitLocker protection system job. To do this, set the system job to Resume BitLocker protection after the job or client command. This enables the protection again.

Managing BitLocker in Client Details

You can view the details of the BitLocker settings from the Client Details (Software > Security > BitLocker Management). All drives of the selected Client are listed.

64_BitLocker Management_Client Detqails_840.png

BitLocker Management in the Client Details

The General tab allows you to view the general status, the protection status of the drives on the Client and which key protectors are being used. Further details are stored and displayed for each drive. For example, you can see at a glance the encryption method, hard drive size and encryption status.

Hinweis  Note:  

If you want to view the properties for BitLocker management, you can explicitly select fields that you can use for queries, filters, reports etc. 

You can also use Detail View to view the recovery password with the appropriate permissions. To do this, click the Show recovery password button and copy the password if necessary. If you have selected an automatically generated password for the key protectors of the hard disks, you can view it by clicking Show automatically generated password.

Warning  Warning:  

The user-defined passwords and system start PINs are not stored in ACMP!

The Configuration Profiles tab shows which profile has been assigned to the Client. It can be identified by the name and the type of assignment (manual assignment or via a container). You cannot make any direct changes here, you have to go back to the Configuration Profiles.

Next recommended steps:

© Aagon GmbH 2024
Besuchen Sie unsere neue Aagon-Community