Using BitLocker for Windows disk encryption
Microsoft BitLocker is a disk encryption technology for Microsoft Windows systems. It prevents data from being exposed to unauthorized users by providing encryption for entire volumes. It also helps protect the integrity of data against firmware-level malware. For more information, see https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview.
KACE Cloud uses the MS BitLocker configuration service provider (CSP) to manage encryption of MS Windows devices. For complete information about the BitLocker CSP, see https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp.
BitLocker employs the Trusted Platform Module (TPM), a hardware component included with newer device models. The TPM works with BitLocker to help protect user data and to ensure that a computer is not tampered with while it is offline.
BitLocker also supports additional security measures such as multi-factor authentication. This feature locks the device startup process until the end user enters a PIN code or inserts a USB device containing a startup key: the device cannot start, or resume from hibernation, until a valid PIN or startup key is supplied.
Recovering data from drives encrypted with BitLocker requires specific configuration options that are stored in Active Directory. If they are not accessible, BitLocker can use data recovery agents to decrypt protected drives. A data recovery agent is an account, typically based on a smart card or certificate, that can be used to decrypt BitLocker-protected drives.
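The TPM dependency, the pre-boot multi-factor protectors and the recovery path described in the three paragraphs above can be verified on a device with the built-in BitLocker cmdlets. The following PowerShell script is an added example and is not part of the KACE Cloud documentation or a Microsoft sample; the function names and report fields are my own, while Get-Tpm, Get-BitLockerVolume and Backup-BitLockerKeyProtector are the standard Windows cmdlets. It reports, per volume, whether protection is on, which key protector types are present, whether a TPM+PIN or startup-key protector provides pre-boot multi-factor authentication, and whether a numerical recovery password exists that can be escrowed to Active Directory Domain Services.

```powershell
# Added example (not from the KACE Cloud documentation): audit BitLocker and TPM
# state on a Windows device. Requires the built-in BitLocker and
# TrustedPlatformModule modules and an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Get-BitLockerAudit {
    # TPM-based protectors depend on a TPM that is present and initialized.
    $tpm      = Get-Tpm
    $tpmReady = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady

    # Protector types that require a second factor before the OS boots
    # (TPM+PIN, TPM+startup key, TPM+PIN+startup key, or a USB key alone).
    $mfaTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasMfa = @($types | Where-Object { $mfaTypes -contains $_ }).Count -gt 0

        # The numerical recovery password is the protector that gets escrowed
        # to AD DS (or Azure AD); without it, recovery relies on a data recovery agent.
        $recoveryIds = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionMethod    = $vol.EncryptionMethod
            TpmReady            = $tpmReady
            KeyProtectorTypes   = ($types -join ',')
            HasPreBootMfa       = $hasMfa
            HasRecoveryPassword = ($recoveryIds.Count -gt 0)
            RecoveryProtectorId = ($recoveryIds -join ',')
        }
    }
}

function Backup-RecoveryProtectors {
    # Escrow every recovery password protector to AD DS. Only acts when -Execute
    # is given; otherwise it lists what would be backed up. The device must be
    # domain-joined and the BitLocker AD backup policy must allow the operation.
    param([switch]$Execute)

    foreach ($entry in (Get-BitLockerAudit | Where-Object { $_.HasRecoveryPassword })) {
        foreach ($id in ($entry.RecoveryProtectorId -split ',')) {
            if ($Execute) {
                Backup-BitLockerKeyProtector -MountPoint $entry.MountPoint -KeyProtectorId $id
            } else {
                Write-Host "Would back up protector $id on $($entry.MountPoint) to AD DS"
            }
        }
    }
}

# Report all volumes, then flag those that are not fully protected or that
# lack a recovery password (the condition the text above warns about).
$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

$audit | Where-Object { $_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryPassword } |
    ForEach-Object {
        Write-Warning ("{0}: protection={1}, recovery password present={2}, pre-boot MFA={3}" -f
            $_.MountPoint, $_.ProtectionStatus, $_.HasRecoveryPassword, $_.HasPreBootMfa)
    }

# Dry run of the AD DS escrow step; add -Execute to perform the backup.
Backup-RecoveryProtectors
```

Run the script in an elevated session on the device; the warning lines are the volumes an administrator would want to bring under a KACE Cloud BitLocker configuration before relying on recovery. Escrow is a dry run by default so the report can be reviewed before any recovery password is written to Active Directory.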
BitLocker configurations can be created and managed in KACE Cloud Library, and applied to devices, as applicable. A BitLocker configuration can also be applied to one or more devices using a policy.