Encrypting Windows endpoint drives
Coro enables you to remotely encrypt drives installed on Windows endpoint devices. Drives can be fixed or removable.
note
Coro uses an implementation of Microsoft BitLocker for drive encryption. See Microsoft BitLocker product documentation for more details.
When you apply encryption:
- Drive encryption takes place in the background.
- A device does not have to be online at the time you apply encryption. Encryption starts the next time the device is online.
note
Coro supports encryption for:
- Internal and external drives with suspended encryption.
- Internal and external drives encrypted using BitLocker’s used space option.
To activate and manage drive encryption, use the Coro console. The method you use depends on your Endpoint Security device posture configuration.
Where you have configured an Unencrypted Endpoint Drive device policy for your Windows endpoint devices, Coro creates Unencrypted endpoint drive tickets in the Ticket Log each time such a drive is identified. See Encrypting drives from the Ticket Log.
Alternatively, use the Devices list to browse all devices, then select the Unencrypted Endpoint Drive vulnerability to see all affected drives. See Encrypting drives from the Devices list.
Prerequisites
The following prerequisites apply to both methods:
- The Coro Agent must be running on the endpoint device.
- The Coro Endpoint Security module must be active.
- BitLocker must be installed on the device.
- The endpoint device must have a Trusted Platform Module (TPM) installed.
- The system drive of the device must be first in the boot sequence.
- You must have admin user access to your Coro workspace.
Encrypting drives from the Ticket Log
- Sign in to the Coro console.
- Select Ticket Log from the toolbar. The Ticket Log is displayed.
- In the Type dropdown, select Unencrypted Endpoint Drive from the Endpoint Security section to show only those tickets indicating unencrypted drives.
- From the left pane, select the ticket referencing the drive you want to encrypt. Then, from the right pane, select ACTIONS > Encrypt drive. A confirmation message appears.
- (Optional) Select Close this and related tickets to automatically close this and all related open tickets.
- Select YES.
After encryption is triggered, a confirmation message appears and the corresponding ticket's Activity Log is updated.
Encrypting drives from the Devices list
Encryption may also be accessed via the Devices page. To access the Devices list:
- Sign in to the Coro console.
- Select Devices from the toolbar. The Devices page appears.
- In the Vulnerability dropdown, select Unencrypted Endpoint Drive.
- From the left pane, select the device containing the drive you want to encrypt. Then, from the right pane, locate the affected drive in the Drives section and select ENCRYPT.
- Follow the confirmation prompt to activate encryption.
After encryption is complete, expand the Drives section to view the recovery key.
Important
When a device user decrypts a drive, Coro removes the recovery key from the expanded Drives section.
note
If you are satisfied that unencrypted drives in this device are low risk and do not require encryption, select ACTIONS > Allow no encryption to stop further warnings.
TPM requirement for device encryption
Coro's remote drive encryption relies on a Trusted Platform Module (TPM) being enabled on the endpoint device. Without a TPM, Coro does not support BitLocker drive encryption.
If your device does not have TPM enabled, the following message appears in the Coro Activity Log:
To check your device's TPM status, perform the following steps on the target device:
- Windows 10 and 11:
  - Go to Start > Settings > Update & Security > Windows Security > Device Security.
- Windows 8 and 8.1:
  - Go to Start > Control Panel, then search for Windows Defender. Locate Device Security.
  - Depending on your Windows version, you might need to search for Security to locate TPM information.
- Windows 7:
  - Go to Start > Control Panel.
  - Depending on whether you are using Windows Defender or third-party security software, go to System and Security, or alternatively, Action Center.
If your device has a TPM, select Security processor details for more information. If there is no information, your TPM may have been disabled. Coro recommends that you contact your computer's manufacturer for guidance on re-enabling it.
If your TPM is enabled and functioning:
- Go to the Security processor details page.
- Select Security processor troubleshooting and then select Clear TPM.
- Restart your device and try the encryption process again.
Alternatively, to check if your device has a TPM module, enter tpm.msc in the Windows search box or command prompt. From the list of search results, locate and open the "tpm.msc" application. If the device has a TPM, the TPM Management on Local Computer dialog shows The TPM is ready for use.
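As an added example (not Coro's or Microsoft's code), the following PowerShell script performs the same TPM check from the command line and also covers the locally readable items from the Prerequisites section: that the BitLocker cmdlets are available, that a TPM is present, enabled and ready, and the current BitLocker state of each volume (including whether protection is suspended). It additionally reports the TPM specification version, which the Common issues section below ties to repeated recovery-key requests. It uses only built-in cmdlets (Get-Tpm, Get-CimInstance on the Win32_Tpm class, Get-BitLockerVolume); the function names are this example's own. The script is read-only: it never clears the TPM or changes protectors.

```powershell
# Added example, not Coro's code: read-only readiness and status check for
# BitLocker drive encryption on a Windows endpoint. Run from an elevated
# PowerShell session on the target device.
#Requires -RunAsAdministrator

function Get-TpmReadiness {
    # Get-Tpm reports presence, enablement and readiness. The Win32_Tpm CIM
    # class exposes the specification version; a TPM earlier than 2.0 is one
    # cause of repeated recovery-key prompts.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec level.
    $spec = if ($cim -and $cim.SpecVersion) { ($cim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Present     = [bool]($tpm -and $tpm.TpmPresent)
        Enabled     = [bool]($tpm -and $tpm.TpmEnabled)
        Ready       = [bool]($tpm -and $tpm.TpmReady)   # matches "The TPM is ready for use" in tpm.msc
        SpecVersion = $spec
        IsTpm20     = ($spec -eq '2.0')
    }
}

function Get-BitLockerVolumeReport {
    # One row per volume. ProtectionStatus is 'Off' while protectors are
    # suspended, the state this page calls "suspended encryption".
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return @() }
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus        = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus    = $_.ProtectionStatus    # On, or Off when unprotected or suspended
            EncryptionPercent   = $_.EncryptionPercentage
            HasTpmProtector     = [bool]($types -contains 'Tpm')
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

function Test-CoroEncryptionPrerequisites {
    # Evaluates the prerequisites on this page that can be read locally.
    # "System drive first in the boot sequence" has to be confirmed in the
    # firmware setup screen and is not checked here.
    $tpm = Get-TpmReadiness
    $checks = [ordered]@{
        'BitLocker cmdlets available'              = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)
        'TPM present'                              = $tpm.Present
        'TPM enabled'                              = $tpm.Enabled
        'TPM ready for use'                        = $tpm.Ready
        'TPM 2.0 (avoids repeated recovery prompts)' = $tpm.IsTpm20
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        '{0,-45} {1}' -f $name, $mark
    }
    "TPM spec version: $($tpm.SpecVersion)"
}

Test-CoroEncryptionPrerequisites
Get-BitLockerVolumeReport | Format-Table -AutoSize
```

A FAIL on any TPM row corresponds to the "no TPM enabled" condition described above; a volume with VolumeStatus FullyEncrypted but ProtectionStatus Off is one whose encryption has been suspended, which Coro can resume.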
Common issues with drive encryption
attention
The information provided in this section is adapted from the Microsoft BitLocker FAQ.
This section provides information for various issues that might be encountered when activating encryption for a device drive.
The integrity check on the operating system drive fails
Certain system changes can prevent the Trusted Platform Module (TPM) from releasing the BitLocker key to decrypt the system drive, leading to an integrity check failure. For example:
- Moving the encrypted drive to a new device.
- Installing a new motherboard.
- Changing security or encryption settings.
- Changing any boot components or boot configuration data.
- Turning off, disabling, or clearing the TPM.
Recovery mode is triggered when starting the operating system drive
Due to the way BitLocker protects computers from attack, under certain circumstances your system might be started in recovery mode. For example:
- Changing the BIOS boot order to boot from another drive before the system drive.
- Adding or removing hardware.
- Removing, inserting, or completely depleting the smart battery charge on a portable device.
Installing system updates and upgrades
Some software and system updates require encryption to be suspended. For example:
- Some firmware updates.
- Application updates that modify the UEFI/BIOS configuration.
- Manual updates to secure boot databases.
- Updates to UEFI/BIOS firmware, drivers, or applications.
A recovery key is repeatedly requested
When a drive is connected to a device and that drive is detected in the boot list, the device requests a recovery key. When this happens without a drive being connected, it is because boot support for Preboot for TBT and USB-C/TBT is turned on by default. Turn this off in BIOS to avoid being prompted for the recovery key.
This issue might also be seen:
- When connecting a device to a docking station.
- By having a Trusted Platform Module (TPM) version earlier than TPM 2.0. In this scenario, upgrade the TPM to the latest version.