rratnia (Staff)
March 2, 2026

Technical Tip: How FortiEDR enforces disk encryption using BitLocker on Windows

Description
This article describes how FortiEDR enforces disk encryption using BitLocker on Windows.

Scope
FortiEDR Collector version 6.1 or later.

Solution

Disk encryption is a feature introduced in Collector 6.1 that allows FortiEDR to enforce full-disk encryption at the endpoint level. FortiEDR integrates with the native BitLocker feature on Windows and FileVault on macOS to enforce full-disk encryption. It does not introduce a separate encryption mechanism; it leverages the operating system's built-in security features.


Difference between the Disk Encryption status and 'IsBitlockerEnabled' under Device Security:

  • The 'Disk encryption' column represents FortiEDR's disk encryption policy. By default, it is disabled.
  • When a Disk Encryption policy is enabled for a Collector, it is enforced on Windows endpoints using BitLocker (a TPM is required) and on macOS endpoints using FileVault.
  • The 'Device Security' drop-down menu shows the endpoint's true local state. If Windows reports 'IsBitlockerEnabled' as enabled, BitLocker is enabled locally; this does not by itself mean it is managed by FortiEDR (that is what the 'Disk encryption' column indicates).
  • If 'IsBitlockerEnabled' is disabled, BitLocker is disabled locally.


How Disk Encryption works in FortiEDR:

  • FortiEDR leverages the operating system's native encryption (BitLocker on Windows, FileVault on macOS) to enforce full-disk encryption. Once a Disk Encryption policy is applied from FortiEDR, the endpoint starts encrypting only after a system reboot; this is an operating system constraint, not a FortiEDR one.
  • The FortiEDR console tracks the encryption status, showing 'Encryption in Progress' during the process and 'Enabled' once complete. Another reboot is required to fully reflect the Device Security status.

Note: If Disk Encryption is enforced via FortiEDR, do not manually enable or disable BitLocker/FileVault on the system.


Time required for Disk Encryption to complete:

  • The time required depends on disk size, hardware, and the encryption method. It can range from about an hour to several hours. Encryption runs in the background, so the system remains usable and continues to be protected by FortiEDR during the process.
  • For example, using XTS-AES 128-bit encryption on a 120 GB HDD typically takes 20–25 minutes to complete.


Requirements for Disk Encryption on Windows and macOS:

  • On Windows, Disk Encryption requires Windows 7 or later with BitLocker available and a TPM enabled; on macOS, it requires FileVault.


BitLocker key storage during FortiEDR Disk Encryption:

  • When FortiEDR enforces BitLocker, the encryption key is securely stored in the device’s TPM (Trusted Platform Module). FortiEDR does not store the key itself.


Step-by-step: How FortiEDR enforces disk encryption with BitLocker on Windows.


When BitLocker is turned off on a machine locally, the following can be observed:

  • Volume Status: FullyDecrypted.
  • Protection Status: Off.


To check the BitLocker encryption status on a Windows device, run the PowerShell command 'Get-BitLockerVolume', or open Control Panel -> System and Security -> BitLocker Drive Encryption to view it in the GUI.


Enable the Disk Encryption policy on FortiEDR:

  • Apply the Disk Encryption policy: once a policy is created and assigned, FortiEDR enforces Disk Encryption with BitLocker on Windows.
    For more information on how to configure a disk encryption policy in FortiEDR, refer to Disk Encryption.
  • Reboot the device: a reboot is mandatory. Once the device reboots, BitLocker begins encrypting the drive automatically.

Monitoring encryption progress:

  • To track encryption progress on Windows, use the PowerShell command 'Get-BitLockerVolume'.
  • During encryption, the EncryptionPercentage column shows the current progress.
  • On the FortiEDR console, the device status changes to Encryption in Progress.


  • Once the encryption reaches 100%, the following updates occur:
    • PowerShell output / BitLocker status: Get-BitLockerVolume shows FullyEncrypted.
    • FortiEDR status: the Disk encryption column now shows Enabled.
    • Device Security – IsBitLockerEnabled: a device reboot may be required. After the reboot, this state should appear as Enabled and Compliant.
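The checks this step-by-step section walks through (a TPM being present, the FullyDecrypted / Off state before the policy is applied, and the EncryptionPercentage and FullyEncrypted values while and after BitLocker runs) can be collected in one read-only script. The script below is an added example and is not Fortinet's or the article's own code; it relies on the built-in Get-Tpm and Get-BitLockerVolume cmdlets (shipped with Windows 8 / Server 2012 and later), and the -Wait and -PollSeconds parameter names are assumptions of this example. It only reads state; turning BitLocker on or off is left to the FortiEDR policy, as the note above requires.

```powershell
# Added example, not part of the FortiEDR article: a read-only report of the
# TPM and BitLocker state inspected in the step-by-step section above.
# Run from an elevated PowerShell prompt. Nothing here changes the system.
[CmdletBinding()]
param(
    # Assumed parameter names for this example: poll until the OS volume
    # reports FullyEncrypted, checking every $PollSeconds seconds.
    [switch]$Wait,
    [int]$PollSeconds = 60
)

function Get-TpmReadiness {
    # FortiEDR Disk Encryption on Windows requires a TPM. Get-Tpm comes from the
    # TrustedPlatformModule module (Windows 8 / Server 2012 and later).
    if (-not (Get-Command Get-Tpm -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ TpmPresent = $null; TpmReady = $null; Note = 'Get-Tpm is not available on this system' }
    }
    $tpm = Get-Tpm
    [pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady; Note = '' }
}

function Get-VolumeEncryptionReport {
    # One row per BitLocker volume with the fields the article refers to:
    # VolumeStatus (FullyDecrypted / EncryptionInProgress / FullyEncrypted),
    # ProtectionStatus (Off / On), EncryptionPercentage, the cipher in use, and
    # which key protectors exist (a TPM-sealed key shows up as 'Tpm').
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType
            VolumeStatus         = $_.VolumeStatus
            ProtectionStatus     = $_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            EncryptionMethod     = $_.EncryptionMethod
            KeyProtectors        = (@($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
        }
    }
}

$tpmState = Get-TpmReadiness
if ($tpmState.Note) {
    Write-Warning $tpmState.Note
} elseif (-not ($tpmState.TpmPresent -and $tpmState.TpmReady)) {
    Write-Warning 'TPM is absent or not ready: BitLocker cannot seal the key to the TPM, which the FortiEDR policy requires.'
}

do {
    $report = Get-VolumeEncryptionReport
    $report | Format-Table -AutoSize | Out-Host
    # The operating system volume is what the policy encrypts; keep polling
    # (when -Wait is given) until it is no longer pending.
    $osPending = $report | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and $_.VolumeStatus -ne 'FullyEncrypted'
    }
    if ($Wait -and $osPending) { Start-Sleep -Seconds $PollSeconds }
} while ($Wait -and $osPending)
```

Saved as, for instance, Check-BitLockerState.ps1 (an assumed file name), a single run prints the same VolumeStatus, ProtectionStatus and EncryptionPercentage values shown above; `.\Check-BitLockerState.ps1 -Wait -PollSeconds 120` keeps reporting until the OS volume reaches FullyEncrypted, which is the point at which the FortiEDR console moves from Encryption in Progress to Enabled. A KeyProtectors column that lacks 'Tpm' on a volume the policy should cover is worth investigating before expecting the Device Security state to turn Compliant.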
