Enables BitLocker full disk encryption with TPM protection and configurable recovery options on Windows endpoints
This Automox Worklet™ enables BitLocker encryption on unencrypted drives using TPM (Trusted Platform Module) for secure key storage. The Worklet configures TPM as the primary key protector and adds your choice of recovery key files, recovery passwords, or both for emergency access to encrypted drives.
The Worklet supports three encryption methods: AES-128 for balanced security and performance, AES-256 for maximum security, and hardware encryption for drives with built-in encryption support. Full drive encryption (not used space only) protects all data including deleted file remnants and free space.
Drive targeting options include encrypting all physical drives, only the operating system drive, or a specific drive letter. The Worklet validates TPM presence and readiness before attempting encryption and skips endpoints without functional TPM chips.
BitLocker provides full disk encryption that protects data when endpoints are lost, stolen, or improperly decommissioned. Without encryption, anyone with physical access to a hard drive can read its contents by mounting it in another system. BitLocker makes this data inaccessible without the encryption keys.
Regulatory compliance frameworks increasingly require encryption for endpoints that handle sensitive data. HIPAA, PCI-DSS, GDPR, and SOC 2 all include requirements for data-at-rest encryption. BitLocker satisfies these requirements using industry-standard AES encryption algorithms.
TPM-based BitLocker provides transparent encryption that does not require users to enter passwords at boot time under normal circumstances. The TPM chip validates system integrity and releases encryption keys automatically when the endpoint boots normally. Recovery keys or passwords are only needed when hardware changes or security anomalies are detected.
Evaluation phase: The Worklet first verifies TPM presence; endpoints without TPM exit as compliant (not applicable). It then checks the target drives (all, OS, or specific letter) for encryption status. Drives with VolumeStatus 'decrypted' or 'EncryptionInProgress' trigger remediation. Progress percentage is reported for drives currently encrypting.
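The evaluation logic described above, written out as an added PowerShell example (this is not the Worklet's own script). It assumes the Automox convention that an evaluation script exits 0 when the endpoint is compliant or out of scope and 1 when remediation is needed, and it uses the real Get-BitLockerVolume status names (FullyDecrypted, EncryptionInProgress, FullyEncrypted) for the states the text calls 'decrypted' and 'EncryptionInProgress'. The $drive value is an assumed configuration setting.

```powershell
# Added evaluation example, not the Worklet's own code.
# Assumed Automox convention: exit 0 = compliant / not applicable, exit 1 = remediate.
$drive = 'OS'   # 'all', 'OS', or a drive letter such as 'D' (assumed setting)

# Endpoints without a TPM are out of scope for TPM-protected BitLocker.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if (-not $tpm -or -not $tpm.TpmPresent) {
    Write-Output 'No TPM present - TPM-based BitLocker not applicable'
    exit 0
}

# Select the volumes to check according to $drive.
$volumes = switch ($drive) {
    'all'   { Get-BitLockerVolume }
    'OS'    { Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } }
    default { Get-BitLockerVolume -MountPoint "$($drive.TrimEnd(':')):" -ErrorAction SilentlyContinue }
}
if (-not $volumes) {
    Write-Output "Target drive '$drive' not found - nothing to evaluate"
    exit 0
}

$needsRemediation = $false
foreach ($vol in $volumes) {
    $mp     = $vol.MountPoint
    $status = $vol.VolumeStatus.ToString()
    switch ($status) {
        # Fully decrypted drives are the primary remediation target.
        'FullyDecrypted' {
            Write-Output "$mp is FullyDecrypted - remediation required"
            $needsRemediation = $true
        }
        # Drives still encrypting are reported with progress and flagged, as the Worklet does.
        'EncryptionInProgress' {
            Write-Output "$mp is encrypting: $($vol.EncryptionPercentage)% complete"
            $needsRemediation = $true
        }
        # Any other state (FullyEncrypted, paused, decrypting) is reported but not flagged here.
        default {
            Write-Output "$mp is $status (ProtectionStatus $($vol.ProtectionStatus))"
        }
    }
}

if ($needsRemediation) { exit 1 } else { exit 0 }
```

A drive that reports FullyEncrypted but ProtectionStatus Off (protectors suspended) is not flagged by the two statuses the Worklet names, so the default branch prints ProtectionStatus to make that case visible in the activity log.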
Remediation phase: The Worklet validates TPM is present, enabled, and ready. It gathers unencrypted drives matching the target criteria, creates the recovery key directory if needed, then processes each drive: adding TPM protector, adding recovery key and/or password protectors based on configuration, and enabling BitLocker with the specified encryption method. Recovery credentials are output to the activity log for backup.
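The remediation steps above, as an added PowerShell example that is not the Worklet's own script. It follows the variable names the Worklet documents ($drive, $encryption, $recoveryType, $keyPath) with assumed sample values, and uses the standard BitLocker cmdlets (Get-Tpm, Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector). Because Enable-BitLocker requires one protector switch per call, the example enables the volume with its first protector and adds the remaining protectors afterwards; a TPM protector is only valid on the operating system volume, so data volumes are started with a recovery password instead.

```powershell
# Added remediation example, not the Worklet's own code. Sample values are assumed.
$drive        = 'OS'              # 'all', 'OS', or a drive letter such as 'D'
$encryption   = 'Aes256'          # Aes128, Aes256, or Hardware
$recoveryType = 'Both'            # Key, Password, or Both
$keyPath      = 'D:\BitLockerKeys' # folder that receives .BEK recovery key files (Key/Both)

$ErrorActionPreference = 'Stop'

# 1. TPM must be present, enabled and ready (TpmEnabled only exists on newer builds).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady -or $tpm.TpmEnabled -eq $false) {
    Write-Output "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)) - skipping"
    exit 0
}

# 2. Gather the target volumes that are still fully decrypted.
$targets = switch ($drive) {
    'all'   { Get-BitLockerVolume }
    'OS'    { Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } }
    default { Get-BitLockerVolume -MountPoint "$($drive.TrimEnd(':')):" }
}
$targets = @($targets | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' })
if ($targets.Count -eq 0) {
    Write-Output 'No fully decrypted target drives - nothing to remediate'
    exit 0
}

# 3. Create the recovery key directory when key files are requested.
if ($recoveryType -in 'Key', 'Both' -and -not (Test-Path -Path $keyPath)) {
    New-Item -ItemType Directory -Path $keyPath | Out-Null
}

# 4. Protect and encrypt each target volume (full drive, not used space only).
foreach ($vol in $targets) {
    $mp = $vol.MountPoint
    Write-Output "Enabling BitLocker on $mp with $encryption"

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # TPM is the primary protector on the OS volume; -SkipHardwareTest starts
        # encryption without the reboot-gated hardware test.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod $encryption -TpmProtector -SkipHardwareTest | Out-Null
        if ($recoveryType -in 'Password', 'Both') {
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        }
    }
    else {
        # Data volumes cannot carry a TPM protector, so a recovery password is the
        # enabling protector here regardless of $recoveryType.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod $encryption -RecoveryPasswordProtector | Out-Null
    }

    if ($recoveryType -in 'Key', 'Both') {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryKeyProtector -RecoveryKeyPath $keyPath | Out-Null
    }

    # 5. Emit the recovery credentials so the Automox activity log captures them.
    $protectors = (Get-BitLockerVolume -MountPoint $mp).KeyProtector
    foreach ($p in $protectors) {
        if ($p.KeyProtectorType -eq 'RecoveryPassword') {
            Write-Output "$mp recovery password: $($p.RecoveryPassword)"
        }
    }
    if ($recoveryType -in 'Key', 'Both') {
        Get-ChildItem -Path $keyPath -Filter '*.BEK' | ForEach-Object {
            Write-Output "$mp recovery key file: $($_.FullName)"
        }
    }
}
```

Point $keyPath at a location that is not itself one of the drives being encrypted (a second unencrypted volume, removable media, or a network share); a key file written onto the volume it protects is unreachable exactly when it is needed.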
Windows 8 or later, Windows Server 2012 or later
TPM 1.2 or later (must be present, enabled, and ready)
PowerShell 4.0 or later
Administrative privileges to configure BitLocker
Configure $drive (all, OS, or letter), $encryption (AES128, AES256, Hardware), $recoveryType (Key, Password, Both), and $keyPath if using recovery keys
After remediation, BitLocker encryption starts on all targeted drives. Encryption runs in the background and can take several hours depending on drive size. The activity log contains recovery key file locations (for Key/Both types) and 48-character recovery passwords (for Password/Both types). Store these credentials securely as they are required to unlock drives if TPM validation fails.
Monitor encryption progress using Get-BitLockerVolume, which shows EncryptionPercentage for each drive. Once complete, drives show ProtectionStatus as 'On' and VolumeStatus as 'FullyEncrypted'. The endpoint remains usable during encryption, though performance may be reduced until the process completes.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for Enforce BitLocker Encryption.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as Get-Tpm, Write-Output, Get-BitLockerVolume.
Validate remediation effects from script operations such as Get-Tpm, Write-Output, Test-Path, then rerun evaluation for compliance.
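The monitoring and verification steps above (checking EncryptionPercentage while encryption runs, then confirming ProtectionStatus 'On' and VolumeStatus 'FullyEncrypted' together with the TPM state and key directory) combined into one added PowerShell example that is not the Worklet's own script. It assumes the same $recoveryType and $keyPath values used during remediation and additionally confirms that the expected key protector types are present on each volume.

```powershell
# Added verification example, not the Worklet's own code. Values are assumed.
$recoveryType = 'Both'             # Key, Password, or Both, as configured for remediation
$keyPath      = 'D:\BitLockerKeys' # recovery key folder configured for remediation

# TPM state, as checked by the evaluation logic.
$tpm = Get-Tpm
Write-Output "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"

# Key directory and .BEK files, when recovery key files were requested.
if ($recoveryType -in 'Key', 'Both') {
    $bekCount = if (Test-Path -Path $keyPath) { @(Get-ChildItem -Path $keyPath -Filter '*.BEK').Count } else { 0 }
    Write-Output "Recovery key folder $keyPath present=$(Test-Path -Path $keyPath) bekFiles=$bekCount"
}

$allCompliant = $true
foreach ($vol in Get-BitLockerVolume) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        # Still running in the background; report progress and keep polling later.
        Write-Output "$mp encrypting: $($vol.EncryptionPercentage)% complete"
        $allCompliant = $false
        continue
    }

    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    # Expected protectors: TPM on the OS volume, plus the configured recovery types.
    $expected = @()
    if ($vol.VolumeType -eq 'OperatingSystem') { $expected += 'Tpm' }
    if ($recoveryType -in 'Password', 'Both' -or $vol.VolumeType -ne 'OperatingSystem') { $expected += 'RecoveryPassword' }
    if ($recoveryType -in 'Key', 'Both') { $expected += 'ExternalKey' }   # recovery key files show as ExternalKey
    $missing = @($expected | Where-Object { $_ -notin $types })

    Write-Output ("{0} status={1} protection={2} method={3} protectors={4}" -f
        $mp, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod, ($types -join ','))
    if (-not $encrypted -or $missing.Count -gt 0) {
        Write-Output "$mp NOT compliant (missing protectors: $($missing -join ','))"
        $allCompliant = $false
    }
}

if ($allCompliant) { Write-Output 'All volumes encrypted and protected'; exit 0 } else { exit 1 }
```

Run this after the remediation has had time to finish; on large drives the EncryptionInProgress branch will keep reporting a percentage for several hours before the volumes flip to FullyEncrypted.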
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.