Creation of BitLocker Policy

Data encryption is paramount for enterprise network security. Efficiently managing BitLocker encryption across numerous devices is challenging, but Endpoint Central's BitLocker module provides a streamlined solution for securing your drives.

Endpoint Central's BitLocker Management module empowers you to create tailored encryption policies safeguarding your network devices. By selecting from encryption options like full drive, OS drive, or used space, you can optimize data protection based on individual device requirements. The module supports devices with and without TPM for authentication. Additionally, it offers granular control over encryption algorithms, with specific options available for Windows 10 and later, or Windows 8.1 and earlier systems. This document guides you through creating and configuring these encryption settings.

Perform Encryption or Decryption

Using BitLocker policies, you can run encryption or decryption processes on your endpoints.

NOTE - Adhere to the BitLocker encryption prerequisites before deploying an encryption policy.

  1. Navigate to the BitLocker module on the Endpoint Central console -> Policy Creation -> Create Policy.
  2. Provide a name for your policy and, if needed, add a description.
  3. Toggle the Drive Encryption option. Enabling the Drive Encryption toggle encrypts the drives when the policy is deployed; disabling it runs the decryption process instead.

Bitlocker Policy Creation

Encryption Settings

BitLocker policies safeguard your devices through authentication that varies based on whether the machine has a Trusted Platform Module (TPM) or not. You can optimize drive encryption by combining different encryption scopes: full drive encryption, OS drive encryption, or used space encryption. For added flexibility, the encryption algorithm options are tailored separately for Windows 10 and later and for Windows 8.1 and earlier systems.

Authentication Type for machines with TPM

Authentication for machines with TPM can be enabled by choosing any one of the three options provided, as shown in the image.


  • TPM only: The drives are unlocked by TPM authentication alone; no user input is required to unlock the drives.
  • TPM and PIN: TPM authentication is followed by PIN authentication. The PIN can contain only digits, and its length must be 6-20 characters (digits). The PIN must be provided upon boot.
  • TPM and Enhanced PIN: TPM authentication is followed by Enhanced PIN authentication. An Enhanced PIN can be a combination of alphanumeric and special characters. Its length must be 6-20 characters, and it must be provided upon boot.

Authentication type for machines without TPM


Authentication for machines without TPM can only be enabled with the passphrase option. This will prompt the user to enter a passphrase upon boot.

Encryption of your drives can be optimized with the encryption settings provided by the BitLocker policies. Three encryption scopes are available, as listed below; a policy can combine them if required:

  • Complete encryption of drives
  • Encryption of OS drives
  • Encryption of used space in your drives

Complete Encryption of drives

For full space encryption, enable only the Drive Encryption setting. Ensure that the other two options, Encrypt OS drive only and Encrypt used space only, are disabled.

By default, enabling only the Drive Encryption option fully encrypts all drives, including both used and free space.

Drive Encryption

Encryption of OS drives

To encrypt only the OS drive, enable the option Encrypt OS drive only in the Encryption Settings. This ensures that the OS drive is encrypted while all other data drives remain unencrypted (or are decrypted if they were previously encrypted).

OS Drive Encryption

Encryption of used space in drives

To encrypt only the used space, enable the option Encrypt used space only in the Encryption Settings. This encrypts only the space currently in use on your drives, while the free space remains unencrypted (or is decrypted if it was previously encrypted).

Used Space Drive Encryption

Encryption Algorithms

BitLocker provides additional settings for choosing the encryption algorithm used on your machines. A specific set of algorithms is available for machines running Windows 10 and above, and a different set for machines running Windows 8.1 and below. The default method is either the method previously configured through GPO or the encryption method already associated with the system's OS.

Encryption Algorithms for machines with Windows 10 and above

The encryption algorithms for machines with Windows 10 and above are AES_128, AES_256, XTS_AES_128, and XTS_AES_256. To optimize performance, use Microsoft's default encryption. While stronger encryption options exist for compliance needs, be aware that they can slow down your computer.

Encryption for Windows 10 and above

Encryption Method for machines with Windows 8.1 and below

The encryption algorithms for machines with Windows 8.1 and below are AES_128 and AES_256. To optimize performance, use Microsoft's default encryption. While stronger encryption options exist for compliance needs, be aware that they can slow down your computer.

Encryption for Windows 8.1 and below
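After a policy has been deployed, an administrator will usually want to confirm on the endpoint that the resulting BitLocker state matches the authentication type and algorithm chosen above. The following script is an added example, not part of Endpoint Central or its documentation; it uses the built-in Get-BitLockerVolume and Get-Tpm cmdlets, and the expected values at the top are assumptions illustrating one policy ("TPM and PIN" with XTS_AES_256 on a Windows 10 or later machine).

```powershell
# Added example (not Endpoint Central code). Run in an elevated PowerShell
# session on the endpoint after the BitLocker policy has been applied.
# Assumed policy for this illustration: "TPM and PIN" authentication and the
# XTS_AES_256 algorithm, which Get-BitLockerVolume reports as 'XtsAes256'.
$ExpectedMethod     = 'XtsAes256'
$ExpectedProtectors = @('TpmPin', 'RecoveryPassword')   # 'Tpm' for "TPM only",
                                                        # 'Password' for no-TPM passphrase

function Test-BitLockerPolicyCompliance {
    param(
        [string]$MountPoint = $env:SystemDrive,   # OS drive, normally C:
        [string]$Method,
        [string[]]$Protectors
    )
    $findings = @()

    # Machines without a ready TPM can only use the passphrase option.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += "TPM not present or not ready: only passphrase authentication applies"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "$MountPoint is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
    }
    # ProtectionStatus 'Off' means protectors exist but the drive is not locked by them.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus) on $MountPoint"
    }
    if ($vol.EncryptionMethod -ne $Method) {
        $findings += "Encryption method is $($vol.EncryptionMethod); policy expects $Method"
    }

    $actual = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    foreach ($p in $Protectors) {
        if ($actual -notcontains $p) { $findings += "Missing key protector: $p" }
    }
    # A bare 'Tpm' protector alongside an expected 'TpmPin' means no PIN is
    # actually required at boot, which weakens the configured authentication.
    if ($actual -contains 'Tpm' -and $Protectors -contains 'TpmPin') {
        $findings += "Drive also unlocks with TPM only; PIN is not enforced at boot"
    }
    return $findings   # an empty array means the endpoint matches the policy
}

$result = Test-BitLockerPolicyCompliance -Method $ExpectedMethod -Protectors $ExpectedProtectors
if ($result.Count -eq 0) { 'Compliant with the expected BitLocker policy' } else { $result }
```

For an "Encrypt OS drive only" policy, the same check can be run against each data drive from Get-BitLockerVolume with the expectation that its VolumeStatus is FullyDecrypted.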

Password settings

  • Allow users to skip password request: This option allows admins to set a specific timeframe during which users can skip the password prompt by clicking "Cancel".


    Once this period expires, the "Cancel" button is disabled, requiring the creation of a BitLocker password. This ensures that all systems remain encrypted and compliant.


  • Enforce immediately: The Enforce Immediately option requires users to set a password immediately and does not allow users to cancel or close the "Create Password" window until it's completed.

Note: If the authentication type for devices with TPM is set to "TPM only" and the authentication type for devices without TPM is set to "Protection off," the password setting option is not visible. No authentication is configured in that case, so a password requirement does not apply.

Advanced Settings

The BitLocker policies also contain advanced settings where you can postpone encryption, configure recovery key update, and the rotation period.


  • Update recovery key to domain controller: Once a new recovery key is generated, you can store it in the domain controller by toggling the option Update recovery key to domain controller. This ensures that a consolidated list of the latest recovery keys is maintained in Active Directory. If the option is disabled, the list of recovery keys is available only on the product server.
  • Allow periodic rotation of the recovery key: Toggling this option opens the field "Specify the rotation period for changing the recovery key". As an added safety precaution, specify a rotation period after which the old recovery keys are replaced with new ones. After the specified number of days, new recovery keys are generated and updated automatically.

Once the above-mentioned settings have been configured according to your requirements, you can save the policy as a draft or save and publish it directly. The created policy can be viewed in the policy list under the Policy Creation tab.

If you have any further questions, please refer to our Frequently Asked Questions section for more information.