Starting with SEE BitLocker 11.2.0, there are multiple configuration options that can be used, including:
* AES encryption strength: 128-bit or 256-bit
* XTS-AES encryption mode
* Trusted Platform Module (TPM)
* TPM and PIN
* Fall back to password if TPM is unavailable (Windows 8 or above)
* Decrypt all volumes
When SEE BL is deployed to a machine, there are no additional steps to take for the machine to be encrypted. No GPO policies need to be configured; Symantec Endpoint Encryption for BitLocker will initiate encryption automatically. In some cases, however, automatic encryption will not start immediately.
The SymBitLockerService00.log can be used to help diagnose some of the encryption issues. In one scenario, where TPM ownership has not been taken, the following errors can appear in the logs:
[12/08/18 15:42:38][DEBUG][0x2F80][SymBitLockerService][SYSTEM][TPM is not Ready][SymBitLockerPolicyApplier.cpp:1062]
[12/08/18 15:42:38][INFO][0x2F80][SymBitLockerService][SYSTEM][TPM is Enabled][SymBitLockerPolicyApplier.cpp:1068]
[12/08/18 15:42:38][INFO][0x2F80][SymBitLockerService][SYSTEM][CheckAuthenticationPolicyCompliance::Got Authentication Type TPM][SymBitLockerPolicyApplier.cpp:687]
[12/08/18 15:42:38][DEBUG][0x2F80][SymBitLockerService][SYSTEM][Key protector type = 1 not found][SymBitLockerPolicyApplier.cpp:155]
[12/08/18 15:42:38][VERBOSE][0x2F80][SymBitLockerService][SYSTEM][CheckEnforceAuthPolicyRequired:: Key protector type = 1][SymBitLockerPolicyApplier.cpp:592]
In order for automatic encryption to succeed with SEE BL, the client must have connectivity to the SEE Management Server. SEE BL encryption will not start if the Recovery Keys cannot be sent to the server.
The errors shown above indicate a TPM problem on the client. In this case, ensure that TPM ownership has been taken.
To do so, open the TPM.msc snap-in from the start menu, and check the Status. Typically, when TPM ownership has taken place, the status will state "The TPM is ready for use".
It may be necessary to reboot the machine after TPM ownership has taken place, but this is a good check to ensure TPM Ownership has taken place.
There are also some useful PowerShell commands for checking TPM status that help confirm TPM ownership has taken place, including the following:
TIP: Run PowerShell as Administrator to run these commands.
This command provides good overall information on the TPM status, including the "TpmReady" value. TpmReady should always be "True" on a working system.
An additional command that can be used to cross-reference the TPM status is the following, which also reports the "IsReady" value; this should likewise be "True":
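The following PowerShell script is an added example, not part of the original article, that combines the checks described above (Get-Tpm for TpmReady, the Win32_Tpm WMI class for IsReady, connectivity to the SEE Management Server, and a scan of SymBitLockerService00.log). The log path, server host name and port are placeholders and assumptions; set them for your environment.

```powershell
# Added triage script (not Symantec's own code). Assumptions: the log path,
# the SEE Management Server host name and the port are placeholders to be set.
param(
    [string]$LogPath   = 'C:\PATH\TO\SymBitLockerService00.log',  # placeholder
    [string]$SeeServer = 'see-server.example.local',              # placeholder
    [int]$SeePort      = 443                                      # assumption
)

# 1. TPM status via Get-Tpm; TpmReady must be True on a working system.
$tpm = Get-Tpm
"Get-Tpm: TpmPresent={0} TpmEnabled={1} TpmOwned={2} TpmReady={3}" -f `
    $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmOwned, $tpm.TpmReady

# 2. Cross-reference with the Win32_Tpm WMI class; IsReady() should also be True.
$wmiTpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($wmiTpm) {
    "Win32_Tpm: IsReady={0} IsOwned={1}" -f $wmiTpm.IsReady().IsReady, $wmiTpm.IsOwned().IsOwned
} else {
    'Win32_Tpm instance not found: TPM is absent or disabled in firmware'
}

# 3. Connectivity to the SEE Management Server; encryption waits until the
#    recovery keys can be uploaded, so a failed TCP test explains a stalled client.
$conn = Test-NetConnection -ComputerName $SeeServer -Port $SeePort -WarningAction SilentlyContinue
"SEE server {0}:{1} reachable={2}" -f $SeeServer, $SeePort, $conn.TcpTestSucceeded

# 4. Pull the TPM / key-protector lines quoted in the article out of the service log.
if (Test-Path $LogPath) {
    Select-String -Path $LogPath -Pattern 'TPM is not Ready', 'Key protector type = \d+ not found' |
        Select-Object -Last 10 |
        ForEach-Object { $_.Line }
} else {
    "Log file not found at $LogPath (set -LogPath to the SymBitLockerService00.log location)"
}
```

If the TPM checks report False for TpmReady or IsReady, take TPM ownership (and reboot if required) before expecting SEE BL to start encryption.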
There are also pre-provisioning scenarios in which no user has ever logged in to the machine. For these scenarios, SEE BitLocker can be deployed once TPM ownership has taken place, so that it can manage the recovery keys.