Bitlocker

Are we talking about BitLOCKER (the "Microsoft Windows disk encryption") or BitDEFENDER here (new 3rd party AV we provide)?

If it's the latter then check this article -- How to get started with Ivanti Antivirus 2017 (Bitdefender Engine) .

If it's the former (i.e. - actual BitLocker) then you need to do your research on Microsoft pages & such. By and large, we can run commands remotely as Local System (so encrypting stuff), which is all doable, but you'd need to look into "what you need us to run".

You can also use PowerShell scripts if that's easier than "just running commands".

But by and large it amounts to "do your research to know what you need us to execute ... and that part's a doddle".

I'd be astonished if Microsoft didn't have some method of autmating it.

As an aside - most folks I'm aware of tend to enable / make use of BitLocker during an OS refresh / re-build ... seems to cause fewer upsets with users and allows you (/the admins) to register any necessary recovery keys centrally without needing to rely on end-users to do so (which is a common element of failure).

K - just wanted to make sure.

So yeah, should be "just" a matter of researching & developing the script (my guess, again, is Powershell being relatively easy).

If you're going to push this out onto (sort of) "unsuspecting" end-users, do be aware of their tendency to not follow instructions (such as informing you of recovery keys, etc) ... so where possible, try not to rely on them (again, one likely reason most folks I'm aware of who switch to BitLocker have done so as part of an OS-refresh / re-build process).

Correct me if I am wrong but I as confirmed already there is no built in way, however, at interchange 2018, i believe it was mentioned that a feature like this may be coming to a future release. But if you need something more immediate:

BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) | Microsoft Docs

Also,

Microsoft BitLocker Administration and Monitoring 2.5 | Microsoft Docs

lastly,

BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) | Microsoft Docs

I also know that WinMagic is a partner of Ivanti and you may want to investigate this:

LANDESK, WinMagic Provide Enterprise-Grade Encryption | Ivanti

While throwing all this information at you, you will have to figure out what choice is best for you and your environment.

I hope this helps.

I've had need of doing this in the past.  I would echo phoffmann about Powershell scripting.  I had success with deploying this in Ivanti using a Powershell script. You can force it to send the key to AD as well so you don't need to have the user track anything, but you'll need to know how to enable all of that on the back end with AD.

Once you build your script and test it locally or on a test device, pop it into a package in Ivanti, and try a deployment.  I'm not as familiar with the AD component, but after you actually enable it, you can check all of the rest either on the device directly or via an updated inventory scan (is encryption enabled?  what kind?).

Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment), what reporting in terms of Ivanti 2017.3 would we be able to obtain in relation to Bitlocker [other than it being present]?  Does Ivanti collect inventory data [by default] that would let us know the encryption status of drives? If not, are you all aware of a proven method to put in place to track that data in Mgmt Console?

Ivanti does appear to collect inventory data that would provide encryption status.  This is located in inventory under Mass Storage > Drive Encryption, where selection of the drive would show basics (conversion status, encryption method used, encryption percentage, lock status, protection status).  I query those things to validate encryption status on the device itself.

I realize I didn't drop in the powershell command or provide more detail on the AD component. 

To enable encryption: you want to use the Enable-Bitlocker command.  Your organizational needs will vary on what you want to set up here.
To enable backup to AD, you may want to set up a GPO along these lines.

Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at out Inventory Settings in the config...(?)

We're exploring Bitlocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.

Just to piggyback off the discussion (seeing as how phoffmann has contributed and his word is GOLD in my environment),

Optimist

But aside from that - what SGolden_00 (Thanks!) stated is on the money. Inventory will report on the encrypted status of drives (in simple terms) ... if that's good enough for, that's great.

Otherwise, you can always go the "custom data" route (and - for instance - dump the data you want into the registry & pick that up, for instance). See here for more info -- Issue: Custom Data Registry Scan Not Working: How To Pull Registry Information Using The Manage Software List -- . Heck - you could do it as a custom vulnerability if you so wanted .

There's usually "at least 3 different ways of achieving the same thing" with EPM (something I've been saying for going on 10 years now, I think) ... just a matter of "which you like the most" so to speak .

brad.e.smith wrote:

 

Thanks! I'll take a look at our data. At first glance, we don't have "Drive Encryption" listed under "Mass Storage" in our current inventories. I do, however, see it as an item to be queried. Maybe I need to take a look at out Inventory Settings in the config...(?)

 

We're exploring Bitlocker in our shop. Currently we're using McAfee but we're wanting to condense our security stack spread as far as vendors go.

I understand the thinking behind this, but "word of warning" ... this CAN lead to issues where SPOF ("single point of failure") applies.

"Oh noes - that 0-day vulnerability to 'Our_Vendor_Here'..."-conversations can get very iffy when there's a SPOF factor that laid bare the keys to your kingdom, as it were. It's the sort of thing which is why I've been coming around in recent years of having a preference for "multi-vendor" tiered security as well ... yes, it causes various "fun" situations in its own right ("Oh yay, X doesn't play nice with Y ...") ... but one does need to balance that with a SPOF can be a big risk.

It's one of those "whichever path you go down, it's going to cause you some problems" sort of choice, but I figured I'd pipe up about an alternate perspective, if it's any help.

SGolden_00 and phoffmann , thank you BOTH for such quick and helpful feedback!

If you are looking at using Bitlocker with MBAM, see my post How To: Deploy MBAM 2.5 SP1 on Windows 7 with LDMS 9.6 SP2 . It's stayed the same for the most part.

If you are looking at enabling just Bitlocker, you can create an action that will use manage-bde -on C: where C is the letter of the drive you want to encrypt.