BigFix - Setting Up a BigFix Vault Server
I just put together a step-by-step guide on how to set up a BigFix Vault Server — a secure way to store your encryption keys for both Windows and macOS environments.
By leveraging Vault, you can:
✅ Protect sensitive encryption keys from exposure
✅ Improve compliance and security posture
✅ Streamline key management across platforms
Whether you’re running a small IT team or managing thousands of endpoints, secure key storage is critical to maintaining data security.
As always, refer to the official documentation and use this guide as a reference: https://help.hcl-software.com/bigfix/11.0/mcm/MCM/Config/set_up_vault.html
You will need BigFix MCM set up and working as a prerequisite.
1. Open your console, find the Task "Install Vault Server", and select the Description tab. Create two accounts, the recovery write user and the read user, and set a password for each. Type the name of the server you will target to host the Vault server.
2. Select the Take Action button and target the machine whose name you typed in the user-facing host name field.
3. Open BigFix Webui and select Apps – MCM
4. Select the Admin tab
5. Select Recovery Key Escrow – Setup Recovery Key Escrow Plugin. Type in the Vault URL – https://SERVERNAME:8200 – then the write user name you created earlier and its password, and select the Deploy button.
6. Go to Apps – MCM
7. Select the Policies Tab and Create Policy
8. Select Disk Encryption
9. First we will create a Windows BitLocker policy. Name your policy, select Windows for Operating System, select the site you want to store the policy in, and select Save.
10. Next do the same for Mac and create a Mac policy. Name your policy, select Mac for the Operating System, assign the policy to a site, create a message for the recovery key escrow location, and select Save.
11. Select the Windows encryption policy you created earlier and select Deploy Policy.
12. Select the devices you want to deploy to, check Show Notification Message and type a custom message alerting users that you are encrypting their device, then select the Deploy button.
13. Select Apps-MCM
14. Select the Policies tab, select the Mac encryption policy, select Deploy Policy, then select the Deploy button.
15. Target the devices you want to encrypt and select the Deploy button.
16. Launch the URL https://YOURVAULTSERVERNAME:8200 and type in the name of the read account you created earlier and its password.
17. Select bigfix
18. Select the Device you want to recover the key for
19. Select the eye icon under the recovery key and gather the key for recovery.
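Before pointing the escrow plugin at the Vault URL in step 5, it is worth confirming that the server really is reachable over TLS, initialized and unsealed, since a sealed or standby node will silently refuse to store recovery keys. The following script is an added example, not part of this guide or of BigFix or Vault; it queries Vault's documented /v1/sys/health endpoint and checks the URL for the mistakes seen most often (plain http, or the guide's placeholder host name left in place). The host name is the guide's placeholder and CA_BUNDLE is an assumption about where the certificate chain for your Vault server lives.

```python
"""Readiness check for the Vault server behind BigFix MCM recovery key escrow.

Added example (not from the guide, BigFix or HashiCorp): validates the Vault
URL, then calls /v1/sys/health over verified TLS and reports whether the
server is initialized, unsealed and the active node.
"""
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

VAULT_ADDR = "https://YOURVAULTSERVERNAME:8200"  # placeholder host name from the guide
CA_BUNDLE = None  # assumption: path to the CA that signed Vault's cert, or None for system trust

# These query parameters make Vault answer HTTP 200 in every state, so the
# JSON body rather than the status code is what we inspect.
HEALTH_PATH = "/v1/sys/health?standbyok=true&sealedcode=200&uninitcode=200"


def check_vault_url(url: str) -> list:
    """Return a list of problems with the escrow URL; empty means it looks usable."""
    parsed = urlparse(url)
    issues = []
    if parsed.scheme != "https":
        issues.append("URL must use https so the write credentials and keys are not sent in clear text")
    if not parsed.hostname:
        issues.append("URL has no host name")
    if "SERVERNAME" in url.upper():
        issues.append("host name is still the guide's placeholder; replace it with your Vault server")
    return issues


def assess_health(health: dict) -> dict:
    """Interpret a /v1/sys/health JSON body and say whether Vault can take escrowed keys."""
    problems = []
    if not health.get("initialized", False):
        problems.append("vault is not initialized")
    if health.get("sealed", True):
        problems.append("vault is sealed; unseal it before deploying the escrow plugin")
    if health.get("standby", False):
        problems.append("node is a standby; point the plugin at the active node or a load balancer")
    return {
        "ready": not problems,
        "problems": problems,
        "version": health.get("version", "unknown"),
    }


def fetch_health(vault_addr: str = VAULT_ADDR, ca_bundle=CA_BUNDLE, timeout: int = 5) -> dict:
    """Call the health endpoint with certificate and host name verification enabled."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(vault_addr + HEALTH_PATH, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return assess_health(json.load(resp))


if __name__ == "__main__":
    url_issues = check_vault_url(VAULT_ADDR)
    for issue in url_issues:
        print("URL problem:", issue)
    if not url_issues:
        try:
            result = fetch_health()
            print("Vault", result["version"], "ready" if result["ready"] else "NOT ready")
            for p in result["problems"]:
                print("  -", p)
        except (urllib.error.URLError, ssl.SSLError) as exc:
            # A certificate the endpoint does not trust shows up here, not as a health problem.
            print("could not reach Vault over verified TLS:", exc)
```

Run it from the machine that will host the escrow plugin, since that is the network path and trust store that matters; a certificate error here means the BigFix server will fail the same way.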
Escrow keys of devices that were already encrypted
1. Go to Apps – MCM
2. Select Actions – Regenerate Encryption Recovery Key
3. Select the device or group of devices you want to target and select Send Command.
IT Architect, FIS
Thanks for sharing, Brad