Data encryption is paramount for enterprise network security. Efficiently managing BitLocker encryption across numerous devices is challenging, but Endpoint Central's BitLocker module provides a streamlined solution for securing your drives.
Endpoint Central's BitLocker Management module empowers you to create tailored encryption policies safeguarding your network devices. By selecting from encryption options like full drive, OS drive, or used space, you can optimize data protection based on individual device requirements. The module supports devices with and without TPM for authentication. Additionally, it offers granular control over encryption algorithms, with specific options available for Windows 10 and later, or Windows 8.1 and earlier systems. This document guides you through creating and configuring these encryption settings.
Using the BitLocker policies, you can implement encryption or decryption processes for the endpoints.
NOTE - Adhere to the BitLocker encryption prerequisites before deploying an encryption policy.
BitLocker policies safeguard your devices through robust authentication, which varies based on whether the machine has a Trusted Platform Module (TPM) or not. You can optimize drive encryption by combining different encryption settings: full drive encryption, OS drive encryption, or used space encryption. For added flexibility, the encryption algorithm options are tailored for Windows 10 and later, as well as Windows 8.1 and earlier systems.
Authentication for machines with TPM can be enabled by choosing any of the three options provided as shown in the image.
Authentication for machines without TPM can only be enabled with the passphrase option. This will prompt the user to enter a passphrase upon boot.
Encryption of your drives can be optimized with the encryption settings provided by the BitLocker policies. Three encryption settings are available, as described below, and a policy can combine them if required:
For full space encryption, enable only the Drive Encryption setting. Ensure that the other two options, Encrypt OS drive only and Encrypt used space only, are disabled.
With only the Drive Encryption option enabled, all drives are fully encrypted, including both their used and free space.
To encrypt only the OS drive, enable the option Encrypt OS drive only in the Encryption Settings. This will ensure that the OS drive is encrypted and that all other data drives will be or remain decrypted.
To encrypt only the used space, enable the option Encrypt used space only in the encryption settings. This ensures encryption of only the used space in your drives while the free space available on your drives will be or remain decrypted.
BitLocker gives you additional settings on how to encrypt your machines with different encryption algorithms. There is a specific set of encryption algorithms that are available for machines with Windows 10 & above and for machines with Windows 8.1 & below. The default method would be either the method previously configured using GPO or the encryption method already associated with your system OS.
The encryption algorithms for machines with Windows 10 and above are AES_128, AES_256, XTS_AES_128, and XTS_AES_256. To optimize performance, use Microsoft's default encryption. While stronger encryption options exist for compliance needs, be aware that they can slow down your computer.
The encryption algorithms for machines with Windows 8.1 and below are AES_128, and AES_256. To optimize performance, use Microsoft's default encryption. While stronger encryption options exist for compliance needs, be aware that they can slow down your computer.
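The authentication, scope and algorithm settings above can be verified on an endpoint after the policy has applied. The following PowerShell audit script is an added example, not part of Endpoint Central or of its BitLocker module; the values in $ExpectedPolicy are assumptions and should be set to the options chosen in your policy, and the used-space-only check relies on the EncryptionFlags bit returned by the Win32_EncryptableVolume GetConversionStatus method (bit 0 = used space only).

```powershell
#Requires -RunAsAdministrator
# Assumed policy values: set them to match the BitLocker policy you published.
$ExpectedPolicy = @{
    Method        = 'XtsAes256'   # Windows 10 and later; use 'Aes256' for Windows 8.1 and earlier
    OsDriveOnly   = $false        # $true when "Encrypt OS drive only" is enabled
    UsedSpaceOnly = $false        # $true when "Encrypt used space only" is enabled
}

function Test-BitLockerPolicyCompliance {
    param([hashtable]$Expected)

    $tpm = Get-Tpm
    $tpmProtectors = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

    foreach ($vol in Get-BitLockerVolume) {
        # Data drives are out of scope when the policy encrypts the OS drive only.
        if ($Expected.OsDriveOnly -and $vol.VolumeType -ne 'OperatingSystem') {
            [pscustomobject]@{ Drive = $vol.MountPoint; Status = 'OutOfScope'; Reason = 'data drive, OS-only policy' }
            continue
        }

        $reasons = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted')     { $reasons += "status $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')             { $reasons += 'protection off' }
        if ($vol.EncryptionMethod -ne $Expected.Method) { $reasons += "method $($vol.EncryptionMethod)" }

        # Authentication: a TPM machine needs a TPM-based protector, a non-TPM machine a passphrase.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            $authOk = if ($tpm.TpmPresent) { @($types | Where-Object { $_ -in $tpmProtectors }).Count -gt 0 }
                      else { 'Password' -in $types }
            if (-not $authOk) { $reasons += "protectors: $($types -join ',')" }
        }

        # Used-space-only versus full encryption is only exposed through the WMI conversion status.
        if ($vol.MountPoint -match '^[A-Z]:$') {
            $conv = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$($vol.MountPoint)'" |
                    Invoke-CimMethod -MethodName GetConversionStatus
            $usedOnly = [bool]($conv.EncryptionFlags -band 1)   # bit 0 = used-space-only mode
            if ($usedOnly -ne $Expected.UsedSpaceOnly) { $reasons += "used-space-only=$usedOnly" }
        }

        [pscustomobject]@{
            Drive  = $vol.MountPoint
            Status = if ($reasons) { 'NonCompliant' } else { 'Compliant' }
            Reason = $reasons -join '; '
        }
    }
}

Test-BitLockerPolicyCompliance -Expected $ExpectedPolicy | Format-Table -AutoSize
```

A drive still reporting EncryptionInProgress is expected shortly after the policy applies; a persistent NonCompliant row with a method or protector mismatch usually means a GPO or a previously configured method is overriding the policy, as described above.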
Once this period expires, the "Cancel" button is disabled, requiring the creation of a BitLocker password. This ensures that all systems remain encrypted and compliant.
Note: However, if the authentication type for devices with TPM is set to "TPM only" and the authentication type for devices without TPM is set to "Protection off," the password setting option will not be visible. This is because there is no authentication configured, and as a result, the password requirement is not applicable in this scenario.
The BitLocker policies also contain advanced settings where you can postpone encryption, configure recovery key updates, and set the rotation period.
Once the above-mentioned settings have been configured according to your requirements, you can save the policy as a draft or save and publish it directly. The policy created can be viewed in the policy list in the Policy Creation tab.
If you have any further questions, please refer to our Frequently Asked Questions section for more information.