Automate Bitlocker Encryption
Syxsense Cortex is the one-stop shop automation framework for managing Windows, macOS and Linux devices. Syxsense Cortex is included in Syxsense Secure and comes with a large amount of built-in functionality.
For now, we will be covering how you can use a Syxsense Cortex workflow to safely provision BitLocker hard drive encryption on a remote endpoint. Hard drive encryption is one part of the larger set of work required to keep your company data secure. If a laptop or desktop computer is stolen and the device does not have an encrypted hard drive, the perpetrators will then have immediate access to the contents of the hard drive. Adding encryption eliminates or drastically reduces the risk to the data stored on the stolen device.
Unfortunately, enabling BitLocker across an entire fleet of remote machines can be a huge undertaking. This is especially true if those devices don’t check into the corporate network frequently. Each endpoint that has not been encrypted must first report in. Then, an appointment must be scheduled with the end user to configure encryption on their device.
Following this, a technician gets to encrypt the endpoint. And then finally the device needs to reboot before it can be returned to the end user. This process can take hours, days or even weeks to coordinate. That timeline provides a significant window of risk while the device remains unencrypted.
How to Remotely Manage BitLocker Encryption
Syxsense Cortex provides the solution to that unmaintainable workflow by automating the whole process. Below is a full workflow which performs the entire BitLocker provisioning process, step by step to completion.
There are three primary phases to this workflow: Initiation (Phase 1), Roll-Out (Phase 2), and Completion (Phase 3).
Phase 1: Initiation
The first stage of this Syxsense Cortex workflow is shown below. Each block represents a specific task which is being performed during the workflow.
To trigger this workflow, a policy is deployed to the affected endpoints. The policy is set to run any time that an endpoint changes its network. Once triggered, the endpoint immediately checks to see if it is on the corporate network.
To do this, the endpoint performs a ping request against a known IP address or hostname located on the corporate network. If the endpoint is able to ping that address successfully, we can assume that it is currently located in an office and is not a high-risk device; having confirmed the status, the task will end.
Note: In this example we are assuming that this task will run before the endpoint connects to any corporate VPN. If that is not the case, we could include additional logic during Phase One to verify whether the endpoint is connected to the corporate network over a VPN.
If the ping request comes back negative, the device is likely a remote device. The Cortex workflow will then trigger a system check to verify the status of BitLocker. If BitLocker is enabled, the task will again quietly end. If BitLocker is not enabled, an email will be passed to an administrator distribution list. This email prompts the administrators to approve or deny the next phase of the workflow. Because of the disruptive nature of this workflow, maintaining this pause and check task will decrease the likelihood of a negative outcome.
The administrators will then need to verify that the endpoint does in fact need BitLocker activated. Once the request is verified and the owner of the device has been alerted, the workflow can then be approved for Phase 2.
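The Phase 1 decision described above (probe the corporate network, then check BitLocker status, and only escalate to the approval step when the device is both remote and unencrypted) is shown here as an added PowerShell example. This is illustrative code written for this article, not Syxsense's own workflow task. The probe hostname `corp-check.example.internal`, the `C:` mount point and the exit-code convention (0 = nothing to do, 10 = request administrator approval) are assumptions; the `Test-Connection` and `Get-BitLockerVolume` cmdlets are the standard Windows ones.

```powershell
# Added example (not Syxsense's workflow code): Phase 1 decision logic.
# Assumptions: 'corp-check.example.internal' is a host that answers only from the
# corporate LAN, and the OS volume is C:. Both are placeholders.
$CorporateProbeHost = 'corp-check.example.internal'
$OsVolume = 'C:'

function Test-OnCorporateNetwork {
    param([string]$ProbeHost)
    # Two ICMP echoes; -Quiet returns $true/$false instead of reply objects.
    # Caveat from the article: a probe host that also answers over the VPN would
    # make a remote device look on-site, so pick a host that is LAN-only.
    return [bool](Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Get-OsVolumeBitLockerState {
    param([string]$MountPoint)
    # Get-BitLockerVolume ships with the BitLocker module (Windows 8 / Server 2012 and later).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        ProtectionStatus     = [string]$vol.ProtectionStatus   # On / Off
        VolumeStatus         = [string]$vol.VolumeStatus       # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        EncryptionPercentage = $vol.EncryptionPercentage
        HasTpmProtector      = [bool]($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' })
        HasRecoveryPassword  = [bool]($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    }
}

function Get-Phase1Decision {
    param([string]$ProbeHost, [string]$MountPoint)
    if (Test-OnCorporateNetwork -ProbeHost $ProbeHost) {
        return 'OnCorporateNetwork'    # low-risk location: end the task quietly
    }
    $state = Get-OsVolumeBitLockerState -MountPoint $MountPoint
    if ($state.VolumeStatus -eq 'FullyEncrypted' -and $state.ProtectionStatus -eq 'On') {
        return 'AlreadyProtected'      # nothing to do: end the task quietly
    }
    if ($state.VolumeStatus -eq 'FullyEncrypted' -and $state.ProtectionStatus -eq 'Off') {
        return 'ProtectionSuspended'   # encrypted but protectors suspended: needs Resume-BitLocker, not a full roll-out
    }
    if ($state.VolumeStatus -eq 'EncryptionInProgress') {
        return 'EncryptionInProgress'  # an earlier roll-out is still running: do not re-trigger it
    }
    return 'NeedsApproval'             # remote and unencrypted: route to the administrator approval email
}

$decision = Get-Phase1Decision -ProbeHost $CorporateProbeHost -MountPoint $OsVolume
Write-Output "Phase1Decision=$decision"
# Assumed exit-code convention for the workflow engine: 0 = nothing to do, 10 = request approval.
if ($decision -in @('NeedsApproval', 'ProtectionSuspended')) { exit 10 } else { exit 0 }
```

The two extra branches (`ProtectionSuspended` and `EncryptionInProgress`) go slightly beyond the article's enabled/not-enabled check: a volume whose protection was suspended for a firmware update reports `ProtectionStatus = Off` while still being fully encrypted, and re-running the full roll-out against it would be both unnecessary and disruptive, so the script surfaces it for approval separately.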
Phase 2: Roll-Out
Once the initiation phase completes, the device now moves into the roll-out phase.
During the roll-out phase, the endpoint is temporarily quarantined. When quarantined, the end user will be informed of the quarantine status. Then, a PowerShell script initiates on the endpoint, enabling BitLocker encryption. Once the device is encrypted, the end user is prompted to reboot their computer. For this workflow, we opted to allow the end user to delay the reboot for up to 4 hours.
If at any point during the configuration phase the task sequence fails, an email will be sent to the administrator distribution list, informing them of the failure. They can then choose to manually end the active quarantine, or manually finish the task sequence. Once the reboot is finished, the device moves into Phase 3.
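The article does not show the PowerShell that the roll-out step runs, so the following is an added example of what such an enablement script can look like; it is not Syxsense's script. It assumes the OS volume is `C:`, that the device has a ready TPM, and that the machine is domain-joined so the recovery password can be escrowed to Active Directory before any data is encrypted (on Azure AD-joined devices the `BackupToAAD-BitLockerKeyProtector` cmdlet plays the same role). The exit codes are a placeholder convention: 0 for success, non-zero for the failure path that the workflow turns into the administrator failure email.

```powershell
# Added example (not Syxsense's script): the Phase 2 BitLocker enablement step.
# Assumptions: OS volume is C:, TPM present and ready, domain-joined for AD key escrow.
$OsVolume = 'C:'

function Assert-TpmReady {
    $tpm = Get-Tpm -ErrorAction Stop
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; a TPM protector cannot be created.'
    }
}

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Already fully encrypted but suspended: resume protection instead of re-encrypting.
    if ("$($vol.VolumeStatus)" -eq 'FullyEncrypted' -and "$($vol.ProtectionStatus)" -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
        return 'Resumed'
    }
    if ("$($vol.VolumeStatus)" -ne 'FullyDecrypted') {
        return "NoAction:$($vol.VolumeStatus)"   # e.g. EncryptionInProgress from an earlier run
    }

    Assert-TpmReady

    # 1. Create the recovery password first and escrow it to AD, so the volume is
    #    recoverable before a single byte is encrypted. Failure here aborts the run.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $rp = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } | Select-Object -First 1
    if (-not $rp) { throw 'Recovery password protector was not created.' }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null

    # 2. Start encryption with a TPM protector. -UsedSpaceOnly keeps the first pass short on
    #    freshly provisioned drives; -SkipHardwareTest avoids the extra reboot the hardware
    #    test would otherwise need, so the workflow's single end-user reboot is enough.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop | Out-Null
    return 'EncryptionStarted'
}

function Wait-ForFullEncryption {
    param([string]$MountPoint, [int]$TimeoutMinutes)
    # Poll until the volume reports FullyEncrypted or the timeout passes; the workflow's
    # "once the device is encrypted" reboot prompt should wait for $true here.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
        if ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') { return $true }
        Write-Output ("Encrypting {0}: {1}%" -f $MountPoint, $vol.EncryptionPercentage)
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

try {
    $result = Enable-OsVolumeBitLocker -MountPoint $OsVolume
    Write-Output "Phase2Result=$result"
    if ($result -eq 'EncryptionStarted' -and -not (Wait-ForFullEncryption -MountPoint $OsVolume -TimeoutMinutes 120)) {
        throw 'Encryption did not reach FullyEncrypted within the timeout.'
    }
    exit 0   # success: the workflow proceeds to the reboot prompt
} catch {
    # Any failure surfaces as a non-zero exit so the workflow sends the administrator failure email.
    Write-Error "BitLocker enablement failed: $($_.Exception.Message)"
    exit 1
}
```

The ordering matters for recovery: escrowing the recovery password before calling `Enable-BitLocker` means that if the script dies partway through, or the device later refuses to unseal the TPM after a firmware change, the administrators already hold a way back into the data. The script also never leaves the volume in a half-configured state that the next Phase 1 run would misread, because it returns distinct results for the resumed, in-progress and freshly started cases.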
Phase 3: Completion
Once the device successfully reboots from the roll-out sequence, the endpoint will then enter the final phase of the workflow:
First, the device is removed from the quarantine. Then, a final success email gets generated and sent to the administrator distribution list. The administrator can then use the Syxsense Console to confirm that the device inventory for that endpoint now has an active BitLocker encryption status.
Experience the Power of Syxsense
In addition to Syxsense Cortex, here at Syxsense, we’re also dedicated to providing IT security solutions that integrate all the tools you need into one, easy-to-use interface. As the first IT management and security solution that brings together vulnerability scanning and patch management capabilities into a single interface in the cloud, Syxsense Secure is yet one more way that you can harden your IT security against all threats.
We call it the future of threat prevention, but all you need to know is that you’ll get the ability to stop breaches, patch and quarantine devices and collaborate with others in the IT department to identify and close attack vectors. With the Syxsense line of products, you can stay informed, manage, and take action with the click of a button.