Argos
Back to blog

Published on 7/10/2026

The unencrypted disk that will cost you: BitLocker encryption across your fleet

BitLocker encryption can silently turn itself off on a Windows machine — after a BIOS update, a hardware swap, or a fresh install — and Windows won't warn anyone. The only way to know if a disk in your fleet is actually encrypted right now is to check status across every machine continuously, not to remember flipping a switch once. The rest of this article covers how to close that visibility gap without walking machine to machine.

The call comes in on a Monday at 8:40. "My backpack got stolen in the taxi. The laptop was in it." And at that moment the important question isn't what the machine cost — replacing it covers that. The question is a different one: was that disk encrypted?

If the answer is yes, you lost hardware. If the answer is no — or worse, "I don't know" — you lost control of everything inside it: the customer database someone exported to Excel, the credentials saved in the browser, the contracts sitting in Downloads, the email session still signed in.

An unencrypted disk isn't stolen — it's read

There's a comfortable myth that the Windows password protects what's on the machine. It doesn't. Whoever holds the laptop doesn't need to guess any password: pull the disk, plug it into another computer as an external drive, and read every file like it's a USB stick. Ten minutes, a screwdriver, zero advanced skills.

Full-disk encryption is the only thing that turns that scenario into a non-event: without the key, the disk is unreadable noise. And on Windows that protection has a name and you've already paid for it: BitLocker, included in Windows Pro and Enterprise. There's no extra license to buy and no software to evaluate.

Beyond the direct damage, there are second-order consequences: data protection laws across the Americas — LGPD in Brazil, Mexico's LFPDPPP, Colombia's Law 1581, and their equivalents — treat a lost device with readable personal data as an incident that can trigger notification duties and penalties. An encrypted disk changes that conversation entirely: the data was never exposed.

What BitLocker encryption actually does, no jargon

BitLocker is Windows' built-in full-disk encryption: it encrypts every sector with AES, and when the machine has a TPM (Trusted Platform Module) chip, it stores the key there so only that specific hardware can unlock the disk at boot. It ships with Windows Pro, Enterprise, and Education — not Home, which only gets the more limited "Device Encryption," or requires an edition upgrade to unlock full BitLocker. Turning it on generates a 48-digit recovery key that has to be backed up somewhere separate from the machine — a Microsoft account, Azure AD, or a centralized vault — because without it a forgotten password or a hardware change can lock out even the legitimate owner. Once configured, it's invisible day to day: no extra login screens, nothing for the user to remember.

The real problem isn't enabling BitLocker — it's knowing, every day

Turning on BitLocker on one machine takes minutes. The real problem shows up with scale and with time:

  • New machines onboarded in a hurry that nobody encrypted.
  • Windows reinstalls after a failure, where encryption never got turned back on.
  • Protection suspended for a BIOS update or a hardware change... and left suspended forever.
  • The sales rep's laptop that almost never sets foot in the office and nobody has checked since the day it was handed over.
  • Home editions that slipped in through a rushed purchase and don't ship with BitLocker at all.

Your fleet's encryption status isn't a snapshot — it's a film that degrades on its own. The question that matters isn't "did we enable BitLocker back in 2024?" but "how many disks in my fleet are unencrypted today, right now?" If answering it means walking machine to machine, the practical answer is "I don't know."

And drift is silent by design: a machine with BitLocker suspended boots normally, works normally, and complains about nothing. The user won't report it because nothing looks broken. Without something checking on your behalf, the first person to notice is whoever ends up holding the disk.

What changes between an encrypted disk and an unencrypted one

| Scenario | Unencrypted disk | BitLocker active | |----------|------------------|------------------| | Laptop stolen on the street | Every file readable in minutes | Disk unreadable without the key | | Machine decommissioned or resold | Data recoverable even after "deleting" | Contents inaccessible | | Disk pulled and plugged into another PC | Full access to everything | Encrypted noise | | Data protection law obligations | Possible breach notification and penalties | Data protected: a defensible position | | The conversation with your client | "Your data may be exposed" | "We lost a device; your data, no" |

That last row is the difference between losing an asset and losing a client.

See encryption status for the whole fleet on one screen

This is where an RMM stops being a support tool and becomes your security layer. The Argos agent continuously reports each machine's security posture — antivirus, firewall, and BitLocker status, the same block you can explore in full under security features — into a single console:

  • Full fleet view: how many machines have their disk encrypted, which ones don't, and which ones changed state — without touching a single PC.
  • Alerts when something changes: if BitLocker shows up disabled or suspended on a machine, you get notified through the channel you choose — Telegram, webhook, or email — using security rules you configure. You find out the same day, not the day of the theft.
  • History and context: the posture change is recorded on the machine's timeline, next to its activity and overall health.
  • Immediate action: you spot an unencrypted machine and the person responsible is three branches away. With built-in remote control you're inside that machine in seconds and fix it on the spot — no site visit to schedule.

The logic is the same one we apply to all fleet security: the standard isn't "we configured it once," it's continuous verification with evidence.

Start with the number you don't know

Here's an uncomfortable but healthy exercise: ask yourself how many machines your fleet has, and how many of them you could swear — today, with evidence — have an encrypted disk. If there's a gap between those two numbers, that gap is your real exposure, and no antivirus covers it.

The good news: closing that gap doesn't require buying encryption. It requires visibility to find the unprotected disks, and consistency so they never creep back. That's exactly what a fleet console does for you, every single day.

Frequently asked questions about BitLocker encryption

Does every version of Windows include BitLocker encryption? No. It ships with Windows Pro, Enterprise, and Education. Windows Home doesn't include it — it gets a more basic "Device Encryption" that requires a Microsoft account and compatible hardware, or you need to upgrade the edition to unlock full BitLocker with all its management options.

Does BitLocker encryption slow down a PC? On anything built in the last several years, the impact is essentially unnoticeable — modern processors accelerate AES encryption in hardware. The real cost isn't performance, it's management: without centralized visibility, it's easy for BitLocker to end up disabled without anyone noticing.

What happens if you lose the BitLocker recovery key? Without the 48-digit recovery key, a BitLocker-protected disk is unrecoverable — even for its legitimate owner. That's the point of encryption. That's why the key needs to be backed up somewhere separate from the machine (a Microsoft account, Azure AD, or a centralized vault), never just in the memory of whoever turned it on.

How do you check BitLocker status across dozens of machines without visiting each one? Checking each machine by hand doesn't scale past a handful of PCs. An RMM like Argos continuously reports each machine's BitLocker status into a single console, with automatic alerts if encryption gets disabled or suspended — the full fleet view is covered in the security block of Features.

Look at your fleet the way an auditor would: book an Argos demo and we'll show you the security alerts view live — including what a machine with BitLocker off looks like before it becomes a headline.