Secureframe Agent: Hard Drive Encryption Check

Hard Drive Encryption

Here are step-by-step instructions for setting up hard drive encryption on a device.

Windows:

To enable device encryption, complete the following instructions from Microsoft:

  1. Select Start > Settings > Privacy & security > Device encryption.
  2. If Device encryption is turned off, turn it On.
  3. If Device encryption doesn't appear, it isn't available for your device.

Mac:

In order to pass this check, FileVault must be enabled.

To enable FileVault (instructions from Apple):

  1. On your Mac, choose Apple menu > System Settings, click Privacy & Security in the sidebar, then click FileVault on the right. (You may need to scroll down the right-side list.)
  2. Click Turn On. You might be asked to enter your password.
  3. Choose how to unlock your disk and reset your login password if you forget it:
    1. iCloud account: Click “Allow my iCloud account to unlock my disk” if you already use iCloud. Click “Set up my iCloud account to reset my password” if you don’t already use iCloud.
    2. Recovery key: Click “Create a recovery key and do not use my iCloud account.” Write down the recovery key and keep it in a safe place.
  4. Click Continue.

Linux:

On Linux, the agent checks the following hard drive configuration:

  • The drive mounted as root (/) must be encrypted. The encryption procedure varies by Linux distribution.
  • ZFS encryption is not currently supported because of a limitation in osquery.
  • If your Linux device is not checking in after a restart, please refer to this article.
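The Mac and Linux sections above describe the conditions the agent looks for (FileVault on; the root filesystem sitting on an encrypted block device; ZFS unsupported) but give no way to confirm them locally before the agent reports. The script below is an added example, not Secureframe's agent code, and the "crypt"/"zfs" classification is this example's own reading of the article, not the agent's logic. It assumes util-linux (`findmnt`, `lsblk`) on Linux and `fdesetup` on macOS; the parsing functions take command output as text so they can be exercised with the constructed samples in the comments.

```shell
#!/bin/sh
# Added example (not the Secureframe agent): local pre-checks that mirror what the
# article says the agent requires on macOS (FileVault on) and Linux (root on an
# encrypted block device; ZFS native encryption is not evaluated).

# classify_root FSTYPE TYPE_CHAIN
#   FSTYPE     : filesystem type of "/" as printed by `findmnt -n -o FSTYPE /`
#   TYPE_CHAIN : device types of the root source and its parents, one per line,
#                as printed by `lsblk -s -n -r -o TYPE <source>`
#                (constructed sample for LVM on LUKS: "lvm", "crypt", "part", "disk")
# Prints one of: encrypted | unencrypted | zfs-unsupported
classify_root() {
    fstype=$1
    chain=$2
    if [ "$fstype" = "zfs" ]; then
        # ZFS datasets are not block devices and the article notes osquery
        # cannot assess ZFS encryption, so report that case separately.
        echo "zfs-unsupported"
        return 0
    fi
    # A dm-crypt (LUKS) layer anywhere between "/" and the physical disk counts.
    if printf '%s\n' "$chain" | grep -qE '^[[:space:]]*crypt[[:space:]]*$'; then
        echo "encrypted"
    else
        echo "unencrypted"
    fi
}

# classify_filevault TEXT
#   TEXT : output of `fdesetup status` on macOS
#          (constructed samples: "FileVault is On." / "FileVault is Off.")
# Prints one of: on | off | unknown
classify_filevault() {
    case $1 in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Live wrapper for Linux: resolve what "/" is mounted from and walk its parents.
check_linux_root_live() {
    fstype=$(findmnt -n -o FSTYPE /)
    src=$(findmnt -n -o SOURCE /)
    src=${src%%\[*}   # btrfs subvolumes print as "/dev/mapper/root[/@]"; keep the device
    chain=$(lsblk -s -n -r -o TYPE "$src" 2>/dev/null)
    classify_root "$fstype" "$chain"
}

# Live wrapper for macOS.
check_macos_filevault_live() {
    classify_filevault "$(fdesetup status 2>/dev/null)"
}

# Usage: sh diskenc-check.sh --live   (file name is a placeholder)
if [ "${1:-}" = "--live" ]; then
    case $(uname -s) in
        Linux)  echo "root filesystem: $(check_linux_root_live)" ;;
        Darwin) echo "FileVault: $(check_macos_filevault_live)" ;;
        *)      echo "unsupported platform: $(uname -s)" >&2; exit 2 ;;
    esac
fi
```

A result of `unencrypted` on Linux means no dm-crypt layer was found under `/`; the fix depends on the distribution, typically reinstalling with LUKS selected, since converting a mounted root in place is not something most installers support. `zfs-unsupported` matches the article's note: the agent cannot pass the check for ZFS-encrypted roots regardless of their actual state.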

Frequently Asked Questions (FAQ)

I can’t pass Hard drive encryption for user endpoints (Secureframe Agent) because BitLocker needs Windows Pro or higher. What should I do?

You have two options to resolve this.

Option 1 — Upgrade affected devices to Windows Pro/Enterprise and enable BitLocker. Once complete, re-run the test after encryption is enabled.
 
Option 2 — Upload additional evidence + ignore agent evidence for the specific user.
  1. Open the test, click the Evidence tab, scroll down to Additional Evidence.
  2. Click Add evidence and upload evidence demonstrating encryption on the system, if applicable.
  3. In the Evidence list, open the three-dot menu next to the affected user → Ignore evidence for this test (since you provided manual evidence).
  4. Add a justification comment (sample below) and save.
  5. Re-run the test to update evidence with the failing result ignored for that user.
 
Acceptable evidence to upload:
  • Screenshot showing OS edition (Windows Home/Pro) and encryption status
    • Settings → Privacy & Security → Device encryption (or BitLocker control panel) showing On/Off
  • List of affected endpoints (hostname, user, OS edition)
  • Your policy requiring full-disk encryption
  • Risk acceptance/exception record with a remediation plan & target date

Sample justification text for ignoring evidence:
“Endpoint is on Windows Home; BitLocker requires Pro/Enterprise (Microsoft licensing limitation). We are tracking an exception and will upgrade to Windows Pro and enable BitLocker by [date]. In the interim, the device is covered by [compensating control, if any]. Evidence attached.”
