I've not tried this myself, but I'd hazard a guess that as soon as a device is encrypted, LEM is unable to use its normal processes to identify what is going on with the drive. Essentially BitLocker is doing what it is supposed to do.
That said, have you tested if LEM can still see if anyone tried to execute something from a BitLocker encrypted USB volume? Does it still protect you? If not, then we may have a situation where corporate security (BitLocker) is unfortunately working against corporate compliance (LEM), and effectively creating a security loophole in the process. Ironic!
I have tested this for about a week now, and can confirm that once the media is encrypted, LEM can no longer see events on the device short of insertion and removal. Our team has decided that it would be better to leave the drive unencrypted and monitor events on the drive, rather than encrypt the drive and forego the ability to monitor executables and such that could maliciously execute from the drive. We are going to adjust our policies such that it is the user's responsibility to encrypt specific files on the drive that need to be protected, in place of us encrypting the drive for them. It's been an interesting dynamic to say the least. I am probably in the minority when it comes to IT managers who make cyber security decisions based on the reality of the situation instead of purely on policy. In other words, my team feels it's more important (and OUR responsibility) to ensure the drive is not capable of executing anything malicious, whereas it's the user's responsibility to ensure that the files that should be encrypted are handled by them.
I appreciate your input, and if you're interested in seeing my rule I'll be glad to post it. It was a bit of a challenge to get working properly.