Creation of Bitlocker Policy

Data encryption is crucial for enterprise network security. Managing BitLocker encryption across multiple devices is challenging, but Endpoint Central's BitLocker module offers a streamlined solution for securing drives.

The BitLocker Management module allows you to create tailored encryption policies for safeguarding network devices. You can choose from full drive, OS drive, or used space encryption to optimize data protection based on individual device requirements. The module supports devices with and without TPM for authentication and offers granular control over encryption algorithms. Specific options are available for Windows 10 and later, as well as Windows 8.1 and earlier systems. This document guides you through creating and configuring these encryption settings.

Perform Encryption or Decryption

You can implement encryption or decryption processes for endpoints using BitLocker policies.

NOTE - Adhere to BitLocker encryption pre-requisites before deploying an encryption policy.

  1. Navigate to the BitLocker module on the Endpoint Central console → Policy Creation → Create Policy
  2. Provide a name for your policy and, if needed, add a description
  3. Toggle the Drive Encryption option. Enabling this will implement drive encryption; disabling will implement decryption when the policy is deployed.

Bitlocker Policy Creation

Encryption Settings

BitLocker policies safeguard devices through robust authentication, varying based on whether the machine has a Trusted Platform Module (TPM). You can optimize drive encryption by combining different algorithms: full drive encryption, OS drive encryption, or used space encryption. For added flexibility, Encryption options are tailored for Windows 10 and later as well as Windows 8.1 and earlier systems.

Authentication Type for machines with TPM

Authentication for machines with TPM can be enabled by choosing any of the three options provided as shown in the image.

Authentication Type for machines with TPM

  • TPM only: Drives unlock with TPM authentication; no user input is required.
  • TPM and PIN: TPM authentication is followed by PIN authentication (PIN can contain only digits, with a maximum length of 6-20 characters) which must be provided upon boot.
  • TPM and Enhanced PIN: TPM authentication is followed by Enhanced PIN authentication (Enhanced PIN must contain 6-20 characters, including alphanumeric and special characters) which must be provided upon boot.

Authentication type for machines without TPM

Authentication type for machines without TPM

For machines without TPM, authentication is enabled only with a passphrase, prompting the user to enter it upon boot.

You can optimize drive encryption with the settings provided by BitLocker policies. You can apply policies by combining the following three encryption algorithms:

  • Complete encryption of drives
  • Encryption of OS drives
  • Encryption of used space in your drives

Complete Encryption of drives

To encrypt all drives and spaces, enable only the Drive Encryption setting. Ensure that Encrypt OS drive only and Encrypt used space only options are disabled.

Drive Encryption

Encryption of OS drives

To encrypt only the OS drive, enable the Encrypt OS drive only option in the Encryption Settings. This ensures only the OS drive is encrypted while all other data drives remain decrypted.

OS Drive Encryption

Encryption of used space in drives

To encrypt only the used space, enable the Encrypt used space only option in the encryption settings. This will encrypt only the used space on your drives, leaving free space decrypted.

Used Space Drive Encryption

Encryption Algorithms

BitLocker offers settings for encrypting machines with different algorithms. Specific set of algorithms are available for Windows 10 and above and for Windows 8.1 and below. The default method is based on the previously configured Group Policy Object (GPO) or the encryption method associated with your system OS.

Encryption Algorithms for machines with Windows 10 and above

Available algorithms include AES_128, AES_256, XTS_AES_128, and XTS_AES_256. For optimal performance, use Microsoft’s default encryption. Stronger options exist for compliance needs, but be aware that they can slow down your computer.

Encryption for Windows 10 and above

Encryption Method for machines with Windows 8.1 and below

Available algorithms include AES_128 and AES_256. For optimal performance, use Microsoft’s default encryption. Stronger options exist for compliance needs, but be aware that they can slow down your computer.

Encryption for Windows 8.1 and below

Password settings

  • Allow users to skip password request: This option allows admins to set a specific timeframe during which users can skip the password prompt by clicking "Cancel."

    bitlocker pass-1

    After this period, the "Cancel" button is disabled, requiring the creation of a BitLocker password to ensure all systems remain encrypted and compliant.

    bitlocker pass-2

  • Enforce immediately: This option requires users to set a password immediately and does not allow them to cancel or close the "Create Password" window until it's completed.

Note: If the authentication type for devices with TPM is set to "TPM only" and the authentication type for devices without TPM is set to "Protection off," the password setting option will not be visible, as there is no authentication configured.

Advanced Settings

BitLocker policies also include advanced settings for postponing encryption, configuring recovery key updates, and setting a rotation period.

Advanced Settings

  • Update recovery key to domain controller: Toggle this option to update a new recovery key to the domain controller, ensuring that a consolidated list of recovery keys is maintained in Active Directory. If disabled, recovery keys will only be available on the product server.
  • Allow periodic rotation of the recovery key: Toggle this option to specify a rotation period for the recovery key. It is recommended to specify a rotation period as an added safety precaution, after which old recovery keys will be replaced with new ones. New recovery keys will automatically replace the old ones after the specified number of days.
    To reset recovery keys that have already been used, modify the deployed BitLocker policy and enable this setting. Specify the rotation period of seven days. This will initiate the automatic generation of new recovery keys every seven days, beginning when the policy modification takes effect.

Once you have configured the settings, you can save as a draft or publish directly. The created policy can be viewed in the policy list under the Policy Creation tab.

If you have any further questions, please refer to our Frequently Asked Questions section for more information.