Full disk encryption (FDE) is an important feature IT admins can use as an added layer of security for their fleet of systems. FDE encrypts a system’s hard drive while at rest and protects its data in the case the system is lost or stolen.
Compliance regulations often require FDE, too, so it might be a necessity in order to meet those obligations and pass audits. Whether you’re an admin who wants to enforce FDE across your fleet for general security purposes or for regulatory compliance (or both), you’ll want to ensure you’ve done so systematically. There are various methods to check if FDE is on for your endpoints, depending on the operating system.
Full Disk Encryption for Windows: BitLocker
For admins who are managing Windows® machines in Active Directory®, there are two key methods to query BitLocker information.
Admins can check the status of BitLocker on an individual Windows® system through Windows Explorer or the control panel on the machine. The admin has to be in front of the individual machine to do this, which won’t work in most cases, particularly in large organizations or those with remote workers.
They can also use the PowerShell command Get-BitLockerVolume. It returns information about BitLocker and its implementation, such as the percentage of the volume currently encrypted. Some cloud directory service platforms provide the ability to query this information, too.
Looking for more information about BitLocker management in the enterprise, including enabling it and storing recovery keys securely? Check out this video:
Full Disk Encryption for Mac: FileVault2
IT admins can check the status of FileVault on an individual Mac system through the machine’s system preferences. In this case, too, the admin has to be in front of the individual machine.
However, there isn’t a straightforward PowerShell command or equivalent way to remotely monitor Mac systems in AD. Although AD excels in its management of on-prem Windows devices, it doesn’t extend the same capabilities to Mac devices.
Another option is to seek a third-party solution (like a Mac-specific MDM) to layer on top of AD, but that will have Mac-specific returns. In a heterogeneous environment, an OS-agnostic solution would be the most straightforward option to automatically check a fleet at once.
Searching for more information about FileVault management in the enterprise, including automating implementation and storing recovery keys in escrow? We’ve got a video for that:
Full Disk Encryption for Cross-OS Endpoints
Ideally, IT admins with an environment that includes both Windows and Mac machines would find a single solution to deploy, manage, and monitor FDE at scale, regardless of operating system.
One such option is JumpCloud — through which admins can enforce BitLocker and FileVault at scale via Policies.
JumpCloud’s System Insights also provides cross-platform monitoring, including reporting on systems that don’t have FDE enabled. Through System Insights, admins can generate a list of unencrypted systems and take action immediately. Learn more about cross-OS endpoint visibility and what it could mean for your organization.