sbradley
Contributing Writer

How to manage Microsoft’s BitLocker encryption feature

How-To
Jul 17, 2019 | 4 mins
Network Security | Security | Small and Medium Business

Enterprises with many Windows devices might struggle to know which have BitLocker enabled or where to find BitLocker recovery keys. These techniques can help.

[Image: Windows BitLocker encryption on desktop PC monitors. Credit: Koldunov / Getty Images]

A recent Microsoft Support knowledge base article and servicing stack update for Windows operating systems offer a fix for a race condition introduced by a Secure Boot feature update, which caused patching to trigger a BitLocker recovery password prompt. It reminded me that we often forget which devices have BitLocker. When you patch, BitLocker is normally silent and doesn’t interfere in the patching process. BitLocker is designed to be silent, so much so that you might forget which machines have it enabled and which ones do not.

Microsoft recently announced that it will add advanced management tools to track and manage BitLocker in the coming months to SCCM and Intune. In the meantime, what can you do to inventory your network to determine which devices have BitLocker? Plenty.

Using PowerShell to find BitLocker-enabled devices

Let’s start off with PowerShell. The manage-bde -status c: command indicates whether BitLocker is enabled on the device.

[Screenshot: BitLocker enabled. Susan Bradley]

If the device does not have BitLocker, it will indicate the drive is fully decrypted.

[Screenshot: BitLocker not enabled. Susan Bradley]

If you need to determine if BitLocker is enabled remotely, add the name of the computer to the command: manage-bde -status -computername <computername>
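Running manage-bde one computer at a time does not scale past a handful of machines. The script below is an added example (not from the article) that builds the same inventory across a list of computers with the BitLocker PowerShell module’s Get-BitLockerVolume cmdlet, which exposes the same state manage-bde prints (volume status, protection status, encryption percentage and the key protectors present). It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the account running it is a local administrator there; the computer names are constructed placeholders.

```powershell
# Added example: inventory BitLocker status across many computers.
# Assumes WinRM is enabled and the caller is a local admin on each target.
# Computer names below are constructed placeholders.
$computers = @('PC-FINANCE-01', 'PC-FINANCE-02', 'LAPTOP-SALES-07')

$results = Invoke-Command -ComputerName $computers `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    # Get-BitLockerVolume needs the BitLocker feature (Windows 8 / Server 2012 and later).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus        = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            ProtectionStatus    = $_.ProtectionStatus    # On = protectors active; Off = unencrypted or suspended
            EncryptionMethod    = $_.EncryptionMethod
            EncryptionPercent   = $_.EncryptionPercentage
            KeyProtectors       = ($_.KeyProtector.KeyProtectorType -join ',')
            # Without a RecoveryPassword protector there is nothing to escrow in AD / Azure AD.
            HasRecoveryPassword = ($_.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
        }
    }
}

# OS volumes that are unprotected, suspended, or have no recovery password to back up.
$atRisk = $results | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and
    ($_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryPassword)
}

$results | Sort-Object ComputerName, MountPoint |
    Format-Table ComputerName, MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                 EncryptionPercent, KeyProtectors -AutoSize

Write-Host "OS volumes needing attention: $($atRisk.ComputerName -join ', ')"
# Computers that never answered are as important as the ones that did: they are unknowns, not "fine".
Write-Host "Unreachable: $(($unreachable | ForEach-Object { $_.TargetObject }) -join ', ')"

$results | Export-Csv -Path .\BitLockerInventory.csv -NoTypeInformation
```

ProtectionStatus is the column to watch rather than VolumeStatus alone: a volume can be FullyEncrypted yet report protection Off after someone ran manage-bde -protectors -disable (for example around a firmware update) and never re-enabled it, which leaves the key in the clear on disk.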

Finding multiple BitLocker-enabled devices

What if you want to review more than one computer at a time? Use Azure AD or Intune to review the status. For devices registered with Intune, use the Intune Encryption report to determine the status. Sign in to the Intune portal and go to “Device Configuration”, and then under “Monitor” select “Encryption report”.

[Screenshot: Intune drive encryption report. Susan Bradley]

The report gives you an overview of the computers that have encryption enabled, the operating system, the operating system version, the TPM version, encryption readiness, the status of the encryption and the user principal name assigned to the system.

Managing BitLocker recovery keys

Management of BitLocker recovery keys often concerns large organizations, especially the ability to store them safely. When a system has been joined to Azure AD, even if the BitLocker encryption process is self-managed, the user will be prompted to save the BitLocker recovery key at the beginning of the encryption process. You can save the recovery key to a file, print it out or, best of all, have it automatically saved to a cloud domain account. Once the recovery key is backed up, you can recover the BitLockered device should something happen to the drive.

[Screenshot: Recovery key options. Susan Bradley]

If you’ve ever added a Microsoft account to a Surface device and then run into a recovery problem, you know that a Surface device automatically backs up the BitLocker recovery key to the Microsoft account. BitLocker recovery keys can be found and accessed in several ways. If the system logs in with a Microsoft account, look for the BitLocker recovery keys under the device information. Log in to your Microsoft account using another device. You will see the BitLocker recovery key listed:

[Screenshot: Microsoft account recovery keys. Susan Bradley]

If you need to provide the recovery key for the drive during the boot process, use a different device to log in to the recovery key website for your devices with your Microsoft account credentials, copy the recovery key, and enter it in the BitLocker recovery screen.

If the device is joined to Azure AD, find the BitLocker recovery key in the device information in your Azure AD section.

[Screenshot: Azure AD BitLocker keys. Susan Bradley]

If you don’t have access to Azure AD, you can use on-premises Active Directory to manage your BitLocker recovery keys. As long as you have Server 2012 or higher, the ability to store BitLocker recovery keys is enabled by default. To view the recovery keys, install the BitLocker Drive Encryption Administration Utilities feature. Earlier versions of the Active Directory schema need additional configuration.
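The Azure AD and on-premises Active Directory escrow described in the last two sections can also be driven from PowerShell, which is how you catch machines that were encrypted before the device was joined and therefore never uploaded a key. The script below is an added example (not from the article): it makes sure the OS volume has a recovery password protector, escrows it to AD DS with Backup-BitLockerKeyProtector and, on Azure AD-joined devices, to Azure AD with BackupToAAD-BitLockerKeyProtector, then reads the stored keys back out of AD with the ActiveDirectory RSAT module. It assumes the schema already contains the msFVE-RecoveryInformation class and that the “Store BitLocker recovery information in Active Directory Domain Services” policy is enabled; the computer name is a constructed placeholder.

```powershell
# Added example: escrow the OS volume's recovery password and read it back from AD.
# Steps 1-2 run elevated on the BitLocker-enabled computer; step 3 runs from a
# management workstation with the ActiveDirectory RSAT module. The computer name
# used at the end is a constructed placeholder.

$mountPoint = $env:SystemDrive   # normally C:
$volume = Get-BitLockerVolume -MountPoint $mountPoint

# 1. A numerical recovery password is the only protector type AD / Azure AD can store.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $volume   = Get-BitLockerVolume -MountPoint $mountPoint
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 2. Escrow every recovery password protector; a volume may carry more than one.
$azureAdJoined = (dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES'
foreach ($protector in $recovery) {
    # On-premises AD DS: creates an msFVE-RecoveryInformation child object under the computer account.
    Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $protector.KeyProtectorId

    # Azure AD or hybrid-joined device (Windows 10 1709 and later): stores the key on the device object.
    if ($azureAdJoined) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $protector.KeyProtectorId
    }
}

# 3. Read the escrowed keys for one computer out of AD. Reading msFVE-RecoveryPassword
#    requires the delegated permission; by default only Domain Admins hold it.
function Get-AdBitLockerRecoveryKey {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            $guid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
            [pscustomobject]@{
                ComputerName     = $ComputerName
                Created          = $_.whenCreated
                # The first 8 hex digits of this GUID are the "Recovery key ID" the
                # BitLocker recovery screen shows, which is how you pick the right key.
                RecoveryKeyId    = $guid.ToString().Substring(0, 8).ToUpper()
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

Get-AdBitLockerRecoveryKey -ComputerName 'LAPTOP-SALES-07'
```

Treat the output of step 3 as a credential: anyone who can read msFVE-RecoveryPassword can unlock the drive, so audit that delegation and do not leave the results in a CSV on a file share.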

It’s key in this era of mobile data to ensure devices are encrypted. Should a laptop be stolen, BitLocker ensures that an attacker who resets the password or removes the hard drive cannot read the information on the encrypted disk.

BitLocker is just one tool of many to keep data safe. Managing BitLocker recovery keys has become much easier and more end-user friendly if you use either Microsoft accounts or Azure AD accounts to manage them. Review your current BitLocker management processes to see if you can streamline them to be more efficient and easier to manage.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
