The IT Guide to Enforcing Full Disk Encryption – Windows Edition

By Zach DeMeyer Posted November 27, 2019

Full disk encryption (FDE) is one of the most critical security features to enable on your users’ systems. Realizing this, both Microsoft® and Apple® created FDE software for their respective operating systems. In this post, we will focus on BitLocker, Microsoft’s FDE solution, and guide you on how to enforce FDE for Windows® systems.

What is Full Disk Encryption?

When enabled, FDE software like BitLocker encrypts the hard drive while its data is at rest. In order to unlock the drive for use — that is, decrypt it — the system’s user needs to enter their password. That way, if a bad actor steals a machine and removes the hard drive, they still cannot access the data stored on it.

As a failsafe, BitLocker and other FDE software generally include some sort of recovery key that unlocks a drive in case an IT admin removes the drive from a damaged system or the user forgets their password. These keys need to be properly managed to ensure that the drive can be securely recovered later if need be, but more on that in a second.

Why FDE?

Over the years, many organizations have been breached because a stolen system or hard drive contained confidential information. By locking down the drive entirely, organizations prepare themselves for the worst and can rest assured knowing their data is encrypted at rest.

Additionally, several compliance regulations demand some form of disk encryption to meet requirements. Enforcing FDE for Windows (and other) systems ticks that major box on IT admins’ compliance checklist.

Enforcing FDE for Windows

Enabling BitLocker

For Windows, IT admins can enable BitLocker fairly easily by means of a policy or a software solution specific to managing BitLocker. The process is generally straightforward: an admin chooses a Windows system (or group of systems) and turns on BitLocker using one of these methods. By the next system reboot, BitLocker is encrypting the data on the hard drive at rest.
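Because the post describes enabling BitLocker and managing its recovery key only in general terms, here is an added PowerShell example (not from the original post or from JumpCloud) that performs both steps on one machine with the built-in BitLocker cmdlets: it checks the TPM, enables BitLocker on the OS volume with a TPM protector, makes sure a recovery password protector exists, escrows that recovery password to Active Directory, and reports the resulting state. It assumes an elevated session on a domain-joined Windows 10/11 Pro or Enterprise machine whose Group Policy allows storing recovery information in AD DS; the drive letter is taken from $env:SystemDrive.

```powershell
# Added example (not from the original post): enforce BitLocker on the OS
# volume with a TPM protector, attach a recovery password, escrow it, and
# verify the result. Run in an elevated PowerShell session on Windows 10/11
# Pro or Enterprise. Assumes the machine is domain-joined and policy permits
# backing recovery information up to AD DS.
#Requires -RunAsAdministrator

$OsDrive = $env:SystemDrive   # usually "C:"

# 1. Check the TPM before relying on it as the unlock mechanism.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; fix that (or choose another protector) before enabling BitLocker."
}

# 2. Inspect the current state so the script is safe to re-run.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
Write-Host ("{0}: VolumeStatus={1} ProtectionStatus={2}" -f $OsDrive, $vol.VolumeStatus, $vol.ProtectionStatus)

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 3. Turn BitLocker on with a TPM-only protector (the TPM releases the key at
    #    boot; add -TpmAndPinProtector instead if you want a pre-boot PIN).
    #    -SkipHardwareTest avoids the reboot-first hardware test, so encryption
    #    of used space starts immediately and continues in the background.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# 4. Make sure a recovery password exists; this is the failsafe the post describes.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 5. Escrow each recovery password to Active Directory so the key does not live
#    only on the encrypted machine. Fails if the AD DS backup policy is not set.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
}

# 6. Report what a compliance check would want to see.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
[pscustomobject]@{
    Drive             = $OsDrive
    VolumeStatus      = $vol.VolumeStatus        # EncryptionInProgress, then FullyEncrypted
    EncryptionMethod  = $vol.EncryptionMethod
    ProtectionStatus  = $vol.ProtectionStatus    # On = key protectors are active
    Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
    RecoveryProtector = ($recovery.KeyProtectorId -join ', ')
}
```

The recovery password itself is never printed; the script only records the protector ID, which is what an admin later matches against the escrowed copy in AD DS when a drive has to be unlocked from a different system or the TPM no longer validates the boot configuration.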

Managing BitLocker

Although enforcing FDE on Windows systems is relatively easy, managing BitLocker FDE after the fact is another story. Many FDE enablement (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at:

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.