Application Resilience policies for BitLocker
You can activate an Application Resilience policy for Microsoft BitLocker® (BitLocker) to enable the Secure Endpoint Agent to collect information about the functional status of BitLocker and to view the results in reports. The agent can also detect whether a device's BitLocker settings comply with your organization's drive encryption policies. For example, your organization may have set up the following encryption policy and you want to verify that your devices comply with it:
- BitLocker is integrated with Microsoft BitLocker Administration and Monitoring (MBAM), an enterprise management tool for Microsoft BitLocker Drive Encryption that facilitates deployment, key recovery, and compliance reporting
- Only the operating system drive is encrypted using an encryption strength of AES-256
You can also configure the policy to attempt to repair or reinstall BitLocker.
NOTE Application Resilience is not supported for this application on devices running Windows 11 SE.
BitLocker is included with most versions of the Windows operating system.
You can activate BitLocker policies on devices running:
- a supported version of the Windows operating system
- PowerShell version 5.1 or higher
- the following version of standalone BitLocker, or of BitLocker integrated with Microsoft BitLocker Administration and Monitoring:
  - 2.5.x
NOTE Devices using Microsoft BitLocker To Go are not supported.
The Report higher versions as Compliant option is not available for this application.
In addition to checking the version, the following health checks are performed:
Component | Test performed |
---|---|
Services: Windows Management Instrumentation (Winmgmt.msc) | Installed: ✓; Running: ✓; Signed by: n/a |
Partition | A valid partition is found |
If your organization uses MBAM to manage BitLocker, the following health checks are also performed:
Component | Test performed |
---|---|
Services | Installed: ✓; Running: ✓ |
MBAM service endpoint URLs | Present in the device's registry: ✓ |
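The following PowerShell script is an added example, not part of this documentation and not the agent's RAR component. It reproduces on a single device the health checks listed in the two tables above (WMI service installed and running, a valid system partition of the configured minimum size, the expected drives fully encrypted with the expected strength, and for MBAM-managed devices the BitLocker Management Client Service and the endpoint URLs in the registry), so an administrator can confirm by hand why a device reports as non-compliant. The registry key and value names used for the MBAM endpoints are an assumption about where the MBAM client Group Policy stores them and should be confirmed against your own MBAM deployment; the service display name and the default of 100 MB come from this page.

```powershell
# Added example, not part of the Absolute documentation or the RAR component.
# Reproduces locally the health checks the tables above describe.
# Requires PowerShell 5.1 or later in an elevated session on a BitLocker-capable Windows build.
[CmdletBinding()]
param(
    # Encryption methods accepted for the expected drives; use 'Any' to mirror "Any encryption strength".
    [string[]]$ExpectedMethods = @('Aes256', 'XtsAes256'),
    # Also require all other local fixed drives to be encrypted ("All Other Local Drives").
    [switch]$AllOtherLocalDrives,
    # Minimum size of the system partition; the policy default in this article is 100 MB.
    [int]$MinPartitionSizeMB = 100,
    # Device is MBAM-managed: adds the client service and registry endpoint checks.
    [switch]$Mbam
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Component, [string]$Test, [bool]$Pass, [string]$Detail = '')
    $results.Add([pscustomobject]@{
        Component = $Component; Test = $Test
        Result    = $(if ($Pass) { 'Pass' } else { 'FAIL' })
        Detail    = $Detail
    })
}

# --- Services: WMI (the table's "Installed" and "Running" columns) ---
$wmi = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue
Add-Check 'Services' 'WMI (Winmgmt) installed' ($null -ne $wmi)
Add-Check 'Services' 'WMI (Winmgmt) running' ($null -ne $wmi -and $wmi.Status -eq 'Running') "$(if ($wmi) { $wmi.Status })"

# --- Partition: BitLocker needs a separate system partition in addition to the OS volume ---
$sysPart = Get-Partition -ErrorAction SilentlyContinue | Where-Object { $_.IsSystem } | Select-Object -First 1
$sysMB   = if ($sysPart) { [math]::Round($sysPart.Size / 1MB) } else { 0 }
Add-Check 'Partition' 'A valid system partition is found' ($null -ne $sysPart) "$sysMB MB"
Add-Check 'Partition' "System partition is at least $MinPartitionSizeMB MB" ($sysMB -ge $MinPartitionSizeMB) "$sysMB MB"

# --- BitLocker state of the drives the policy expects to be encrypted ---
try {
    $volumes  = @(Get-BitLockerVolume -ErrorAction Stop)
    # Letters of local fixed drives, so removable (BitLocker To Go) volumes are ignored.
    $fixed    = @(Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
                  ForEach-Object { "$($_.DriveLetter):" })
    $expected = @($volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' })
    if ($AllOtherLocalDrives) {
        $expected = @($expected) + @($volumes | Where-Object { $_.VolumeType -eq 'Data' -and $_.MountPoint -in $fixed })
    }
    if ($expected.Count -eq 0) { Add-Check 'BitLocker' 'OS drive volume found' $false }
    foreach ($v in $expected) {
        # Compare the enum as text so a non-enum value such as 'Any' never throws.
        $methodOk = ($ExpectedMethods -contains 'Any') -or ("$($v.EncryptionMethod)" -in $ExpectedMethods)
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On') -and $methodOk
        Add-Check 'BitLocker' "$($v.MountPoint) fully encrypted, protection on, expected strength" $ok `
            "$($v.VolumeStatus)/$($v.ProtectionStatus)/$($v.EncryptionMethod)"
    }
} catch {
    Add-Check 'BitLocker' 'Get-BitLockerVolume available' $false $_.Exception.Message
}

# --- MBAM-managed devices only ---
if ($Mbam) {
    $svc = Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction SilentlyContinue
    Add-Check 'Services' 'BitLocker Management Client Service installed' ($null -ne $svc)
    Add-Check 'Services' 'BitLocker Management Client Service running' ($null -ne $svc -and $svc.Status -eq 'Running')
    # ASSUMPTION: the MBAM client Group Policy stores the endpoint URLs under this key with these
    # value names; confirm against your MBAM deployment before relying on the check.
    $key = 'HKLM:\SOFTWARE\Policies\FVE\MDOPBitLockerManagement'
    foreach ($name in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        Add-Check 'MBAM endpoints' "$name present in registry" (-not [string]::IsNullOrWhiteSpace($value)) "$value"
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code when anything failed, so the script can run from a scheduled task or monitoring check.
if ($results | Where-Object Result -eq 'FAIL') { exit 1 }
```

Run it as `.\Test-BitLockerHealth.ps1 -ExpectedMethods Aes256,XtsAes256` for the policy described at the top of this page (only the OS drive, AES-256), or add `-AllOtherLocalDrives` and `-Mbam` to match the other policy options. The script only reads state; it does not attempt any of the repairs described below.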
You can configure an Application Resilience policy for BitLocker to enable the Application Resilience (RAR) component to attempt to repair BitLocker if it's not functioning, or to reinstall the MBAM client if it's missing or can't be repaired. The RAR component is a lightweight software component of the Secure Endpoint Agent that detects the status of third-party applications installed on a device and may also attempt to repair a third-party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated.
NOTE Depending on the Absolute product licenses associated with your account, the Report and repair option, and the Report, repair, and reinstall option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
Issue | Resolution |
---|---|
Repair | |
The Windows Management Instrumentation (Winmgmt.msc) service isn't functioning correctly | The RAR component restarts the Windows Management Instrumentation (WMI) service. If that action fails to repair WMI, the component attempts to rebuild the WMI. |
A valid system partition isn't found | BitLocker requires at least two partitions. When a system partition isn't found, the RAR component runs the BitLocker Drive Preparation Tool to create a second volume, setting its size to 300 MB. |
NOTE For standalone BitLocker deployments, the RAR component is unable to encrypt drives as part of the repair process.
MBAM integration
If your organization uses MBAM to manage BitLocker, the RAR component can also attempt to respond to the following issues:
Issue | Resolution |
---|---|
Repair | |
The BitLocker Management Client Service isn't running | The RAR component restarts the service. |
The MBAM service URLs in the device's registry are incorrect or not found | The RAR component updates the device's registry with the MBAM service URLs specified in the BitLocker Application Resilience policy. |
Reinstall | |
The BitLocker MBAM client failed to be repaired, or the expected version isn't installed | The RAR component downloads and installs the configured version of the client. NOTE Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken. |
You can add a 32-bit installer, a 64-bit installer, or both. The installers:
- must be EXE files
- can have any file name
The RAR component looks for the following file names when checking pre-cached installers:
Component | File name |
---|---|
Installers | MBAMClient.exe |
Before you activate an Application Resilience policy, you need to configure it. Configure the following settings in addition to the settings described in Configuring Application Resilience policies.
To configure the BitLocker-specific settings:
- Under BitLocker Setup, select one of the following options:
  - Standalone BitLocker: Select this option if either of the following configurations applies:
    - Your organization is not using a management tool to manage BitLocker on your devices
    - Your organization is using another management tool, such as Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune, to manage BitLocker on your devices
    NOTE If you are using SCCM to manage BitLocker, you can also configure an Application Resilience policy for SCCM to repair and reinstall SCCM.
  - BitLocker with standalone MBAM: Select this option if your organization is using MBAM to manage BitLocker on your devices.
- Under Encrypted Drives, select the drives that you expect to be encrypted on the devices. OS Drive is selected by default, but you can clear this selection. If you expect all drives to be encrypted, select All Other Local Drives so that both options are selected. You must select at least one option.
- Under Minimum Partition Size (MB), enter the minimum size that can be configured for the system partition drive. The default value is 100 MB.
- Select one of the following Encryption Strengths, depending on which strength should have been used to encrypt the devices' drives:
  - AES-128
  - AES-256
  - Any encryption strength
- If you selected BitLocker with standalone MBAM in the BitLocker Setup field, specify the location of the MBAM service endpoints configured in your MBAM Group Policy settings:
  - In the Location of the MBAM Recovery and Hardware service endpoint field, enter the following URI:
    <protocol>://<hostname>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc
    The variables are defined as follows:
    - <protocol> is http or https.
    - <hostname> is the MBAM Administration and Monitoring server name.
    - <port> is the port number used by the web service. [Optional]
    Test that you've entered the URI correctly by clicking Go to URI. If the Windows Communication Foundation Service page opens, the URI is configured correctly.
  - In the Location of the MBAM Status reporting service endpoint field, enter the following URI:
    <protocol>://<hostname>:<port>/MBAMComplianceStatusService/StatusReportingService.svc
    The variables are defined as follows:
    - <protocol> is http or https.
    - <hostname> is the MBAM Administration and Monitoring server name.
    - <port> is the port number used by the web service. [Optional]
    Test that you've entered the URI correctly by clicking Go to URI. If the Windows Communication Foundation Service page opens, the URI is configured correctly.
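The function below is an added example, not part of this documentation or the Absolute console. It checks an endpoint value against the two URI templates given in the procedure above (http or https scheme, a hostname, an optional port, and exactly the service path for the chosen field, with no query string or embedded credentials) before you paste it into the policy, and with `-Probe` it performs the same sanity check as the Go to URI button by requesting the URI and looking for the HTML help page that a WCF .svc endpoint returns on a GET. Treating a 200 response with HTML content as "the Windows Communication Foundation Service page opened" is this example's assumption about what the button checks; the sample host name is constructed.

```powershell
# Added example, not part of the Absolute documentation: validates an MBAM service endpoint
# URI against the templates in the procedure above and optionally probes it like "Go to URI".
function Test-MbamEndpointUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Uri,
        # Which endpoint field the URI is for; decides the required service path.
        [Parameter(Mandatory)][ValidateSet('RecoveryAndHardware', 'StatusReporting')][string]$Endpoint,
        # Actually request the URI (needs network access to the MBAM server and the caller's credentials).
        [switch]$Probe
    )
    # The paths come straight from the two templates in the procedure.
    $expectedPath = @{
        RecoveryAndHardware = '/MBAMRecoveryAndHardwareService/CoreService.svc'
        StatusReporting     = '/MBAMComplianceStatusService/StatusReportingService.svc'
    }[$Endpoint]

    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]
    $parsed   = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        $problems.Add('not a well-formed absolute URI')
    } else {
        # <protocol>: only http or https. http leaves key-recovery traffic readable on the network.
        if ($parsed.Scheme -notin 'http', 'https') {
            $problems.Add("scheme must be http or https, got '$($parsed.Scheme)'")
        } elseif ($parsed.Scheme -eq 'http') {
            $warnings.Add('http sends recovery traffic unencrypted; prefer https')
        }
        # <hostname>: required. <port> is optional, so any explicit or default port is accepted.
        if ([string]::IsNullOrEmpty($parsed.Host)) { $problems.Add('hostname is missing') }
        # Service path must match the field exactly (IIS paths are case-insensitive, as is -ne).
        if ($parsed.AbsolutePath -ne $expectedPath) {
            $problems.Add("path must be $expectedPath, got '$($parsed.AbsolutePath)'")
        }
        if ($parsed.Query -or $parsed.Fragment) { $problems.Add('query string or fragment is not allowed') }
        if ($parsed.UserInfo) { $problems.Add('credentials must not be embedded in the URI') }
    }

    $probeResult = 'not probed'
    if ($Probe -and $problems.Count -eq 0) {
        try {
            # ASSUMPTION: "Go to URI" succeeds when the WCF service page opens; a .svc endpoint
            # answers a GET with an HTML help page, so a 200 with HTML content is taken as that signal.
            $resp   = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15 -ErrorAction Stop
            $isHtml = ($resp.Headers['Content-Type'] -like 'text/html*')
            $probeResult = if ($resp.StatusCode -eq 200 -and $isHtml) { 'WCF service page returned' }
                           else { "unexpected response: HTTP $($resp.StatusCode)" }
        } catch {
            $probeResult = "request failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Uri      = $Uri
        Endpoint = $Endpoint
        Port     = $(if ($parsed) { if ($parsed.IsDefaultPort) { 'default' } else { $parsed.Port } } else { '' })
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
        Warnings = ($warnings -join '; ')
        Probe    = $probeResult
    }
}

# Constructed sample values (example host name, not a real server):
$base = 'mbam.example.internal'
Test-MbamEndpointUri -Uri "https://$base/MBAMRecoveryAndHardwareService/CoreService.svc" -Endpoint RecoveryAndHardware
Test-MbamEndpointUri -Uri "http://${base}:8080/MBAMComplianceStatusService/StatusReportingService.svc" -Endpoint StatusReporting
# The path belongs to the other field, so this one reports Valid = False:
Test-MbamEndpointUri -Uri "https://$base/MBAMRecoveryAndHardwareService/CoreService.svc" -Endpoint StatusReporting
```

Run the function from a device in the same network position as your managed devices when you add `-Probe`, since the console's Go to URI button and the RAR component's registry repair both assume the endpoints are reachable from where the agent runs.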