How to create BitLocker policies to secure enterprise data?

Data encryption must be a high priority in an enterprise network. For businesses with a vast number of machines, enabling BitLocker manually on each one is impractical. This is where the BitLocker module in Endpoint Central serves as a solution to manage and secure your drives.

Create BitLocker drive encryption policies for the machines in your network to secure your data. The BitLocker module in Endpoint Central lets you build flexible policies that encrypt drives according to each machine's requirements.

How to create an encryption policy in the BitLocker module?

NOTE - Ensure that the BitLocker encryption prerequisites are met before deploying an encryption policy.

  • Navigate to the BitLocker module on the Endpoint Central console -> Policy Creation -> Create Policy
  • Provide a name for your policy and if needed, add a description.
  • Toggle the option Drive Encryption

Screenshot: Drive Encryption setting. When this setting is enabled, the drives will be encrypted.

Once the setting is enabled, the BitLocker policies allow you to access and choose encryption settings for machines within your network.

Protect your machines with Authentication.

The BitLocker policies help you to secure your machines with authentication. The authentication type varies for machines with TPM and for machines without TPM.

Authentication Type for machines with TPM

Authentication for machines with TPM can be enabled by choosing any of the three options provided as shown in the image.

Screenshot: TPM authentication options.

  • TPM only: The drives are unlocked by TPM authentication alone; no user input is required to unlock the drives.
  • TPM and PIN: TPM authentication is followed by PIN authentication. The PIN can contain only digits, its length is 6-20 digits, and it must be provided upon boot.
  • TPM and Enhanced PIN: TPM authentication is followed by Enhanced PIN authentication. An Enhanced PIN can be a combination of alphanumeric and special characters, its length is 6-20 characters, and it must be provided upon boot.

Authentication type for machines without TPM


Authentication for machines without TPM can only be enabled with the passphrase option. This will prompt the user to enter a passphrase every time the computer is started.
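The authentication types above map onto the key protectors BitLocker actually installs on a volume. As an added example (not Endpoint Central's code), the following PowerShell script reports, for each volume on a machine, whether a TPM is present and ready and which authentication type is in effect, so an administrator can confirm that a "with TPM" or "without TPM" policy matches what the machine supports. It uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets; reading `UseEnhancedPin` and `MinimumPIN` from the BitLocker policy registry key is an assumption that the values were set by Group Policy or a management agent and may be absent.

```powershell
# Added example, not part of the Endpoint Central product or this page.
# Run in an elevated PowerShell session on a Windows client with BitLocker.
#Requires -RunAsAdministrator

function Get-TpmReadiness {
    # Get-Tpm reports TpmPresent/TpmReady; on a machine without a TPM it may
    # throw, so treat any failure as "no usable TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = [bool]$tpm.TpmPresent; Ready = [bool]$tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-BitLockerAuthType {
    # Translate a volume's key protector set into the policy's authentication types.
    param([Parameter(Mandatory)] $Volume)   # an object from Get-BitLockerVolume
    $types = @($Volume.KeyProtector | ForEach-Object KeyProtectorType)
    if ($types -contains 'TpmPin')          { return 'TPM and PIN (numeric or enhanced, per policy)' }
    if ($types -contains 'Tpm')             { return 'TPM only' }
    if ($types -contains 'Password')        { return 'Passphrase (no TPM)' }
    if ($types -contains 'TpmStartupKey' -or $types -contains 'TpmPinStartupKey') { return 'TPM with startup key' }
    return 'Protection off / recovery password only'
}

$tpm    = Get-TpmReadiness
# Assumption: these policy values exist only if set by GPO or a management agent.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint   = $_.MountPoint
        VolumeType   = $_.VolumeType          # OperatingSystem or Data
        Protection   = $_.ProtectionStatus    # On or Off
        AuthType     = Get-BitLockerAuthType -Volume $_
        TpmPresent   = $tpm.Present
        TpmReady     = $tpm.Ready
        EnhancedPin  = $(if ($policy.UseEnhancedPin -eq 1) { 'allowed' } else { 'digits only' })
        MinPinLength = $(if ($policy.MinimumPIN) { $policy.MinimumPIN } else { 'OS default' })
    }
} | Format-Table -AutoSize
```

A machine that shows TpmPresent False can only satisfy the passphrase option; a volume whose AuthType is "Protection off / recovery password only" has a recovery key but no boot-time authentication, which is the state the policy's password enforcement settings are meant to close.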

Encryption of your drives can be tuned with the encryption settings provided by the BitLocker policies. Three encryption settings are available, and they can be combined if required.

  • Complete encryption of drives.
  • Encryption of OS drives.
  • Encryption of used space in your drives.

Password protection based on authentication


For further protection, the policy can be configured to enforce a password prompt based on the authentication settings. Selecting TPM and PIN, TPM and Enhanced PIN, or Passphrase creates a password-based configuration. Depending on the requirement, the password request can be enforced immediately or postponed for a specific number of days. By selecting the option Enforce password request after the specified days, the user is required to enter the password before encryption can proceed.

Complete Encryption of drives.


For full space encryption, enable only the Drive Encryption setting.

  • Ensure that these options are disabled: Encrypt OS drive only and Encrypt used space only.
  • When only the Drive Encryption option is enabled, all drives are fully encrypted, including both used and free space.

Encrypt OS drives only

To encrypt only the OS drive, enable the option Encrypt OS drive only in the Encryption Settings section.


This will ensure that all volumes in the OS drive are encrypted and that all other data drives will be or remain decrypted.

Encrypt used space only

To encrypt only the used space, enable the option Encrypt used space only in the encryption settings section.


This ensures encryption of only the used space in your drives while the free space available on your drives will be or remain decrypted.

BitLocker gives you additional settings for the encryption method used on your machines. One set of encryption methods is available for machines with Windows 10 and above, and another for machines with Windows 8.1 and below. The default method is either the method previously configured using GPO or the encryption method already associated with your system OS.

Encryption Method for machines with Windows 10 and above


Select the encryption method for these machines from this drop-down.

Encryption Method for machines with Windows 8.1 and below


Select the encryption method for these machines from this drop-down.
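The encryption scope settings (complete, OS drive only, used space only) and the encryption method settings both end up as observable properties of each volume. As an added example (not Endpoint Central's code) serving both sections, this PowerShell script shows what a policy produced on a machine: which volumes are encrypted, whether only used space was encrypted, the cipher in use, and the method currently configured by policy. It assumes the English output of `manage-bde -status` for the "Conversion Status" line, and that the method codes under the BitLocker policy key follow the Group Policy registry layout for Windows 10 and later (the `EncryptionMethodWithXts*` values) and for Windows 8.1 and earlier (`EncryptionMethod`).

```powershell
# Added example, not part of the Endpoint Central product or this page.
#Requires -RunAsAdministrator

# Codes written by the "Choose drive encryption method and cipher strength"
# policy under HKLM\SOFTWARE\Policies\Microsoft\FVE (assumed layout).
$methodNames = @{
    1 = 'AES-128 with diffuser'   # Windows 8.1 and earlier only
    2 = 'AES-256 with diffuser'   # Windows 8.1 and earlier only
    3 = 'AES-CBC 128'
    4 = 'AES-CBC 256'
    6 = 'XTS-AES 128'             # Windows 10 and later only
    7 = 'XTS-AES 256'             # Windows 10 and later only
}

function Get-ConfiguredEncryptionMethod {
    # Return the OS-drive method the policy specifies, or note that no policy applies.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $code = if ($osVersion.Major -ge 10) { $p.EncryptionMethodWithXtsOs } else { $p.EncryptionMethod }
    if ($null -eq $code) { return 'not set by policy (previous GPO or OS default applies)' }
    if ($methodNames.ContainsKey([int]$code)) { return $methodNames[[int]$code] }
    return "unknown policy code $code"
}

function Get-UsedSpaceOnlyFlag {
    # Get-BitLockerVolume does not expose used-space-only mode; manage-bde does,
    # as "Used Space Only Encrypted" versus "Fully Encrypted" in Conversion Status.
    param([Parameter(Mandatory)][string]$MountPoint)
    $line = manage-bde -status $MountPoint 2>$null | Where-Object { $_ -match 'Conversion Status' }
    return [bool]($line -match 'Used Space Only')
}

"Encryption method configured by policy: $(Get-ConfiguredEncryptionMethod)"

Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint    = $_.MountPoint
        VolumeType    = $_.VolumeType           # OperatingSystem or Data
        VolumeStatus  = $_.VolumeStatus         # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Percent       = $_.EncryptionPercentage
        Method        = $_.EncryptionMethod     # e.g. XtsAes256, Aes128, None
        UsedSpaceOnly = Get-UsedSpaceOnlyFlag -MountPoint $_.MountPoint
    }
} | Format-Table -AutoSize
```

Read the table against the policy that was published: a complete-encryption policy should show every volume FullyEncrypted with UsedSpaceOnly False; an "Encrypt OS drive only" policy should show the OperatingSystem volume FullyEncrypted and the Data volumes FullyDecrypted; an "Encrypt used space only" policy should show UsedSpaceOnly True. A Method that differs from the configured policy method usually means the volume was encrypted before the policy applied, since BitLocker does not re-encrypt an already encrypted volume to change its cipher.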

Password settings

  • Allow users to skip password request: This option allows admins to set a specific timeframe during which users can skip the password prompt by simply clicking "Cancel".

    Once this period expires, the "Cancel" button is disabled, requiring the creation of a BitLocker password. This ensures that all systems remain encrypted and compliant.

  • Enforce immediately: The "Enforce Immediately" option in BitLocker Management requires users to set a password immediately and does not allow users to cancel or close the "Create Password" window until it's completed.

Note: If the authentication type for devices with TPM is set to "TPM only" and the authentication type for devices without TPM is set to "Protection off", the password setting option will not be visible. No authentication is configured in that case, so the password requirement does not apply.

Advanced settings

The BitLocker policies contain advanced settings where you can configure recovery key update and rotation period.

  • Update recovery key to domain controller: Once a new recovery key is generated, you can push it to the domain controller by toggling the option Update recovery key to domain controller. This ensures that a consolidated list of the latest recovery keys is maintained in Active Directory. If the option is disabled, the list of recovery keys is available only on the product server.
  • Allow periodic rotation of recovery key: Toggling this option reveals the field Specify rotation period for changing recovery key. As an added safety precaution, specify a rotation period after which the old recovery keys are replaced with new ones. After the specified number of days, new recovery keys are generated and updated automatically.
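Underneath these two advanced settings are the standard BitLocker recovery-password protector operations. As an added example (not Endpoint Central's code), this PowerShell function rotates the recovery password on a volume and escrows the new one in Active Directory in an order that never leaves the volume without an escrowed recovery key: add the new protector, back it up, and only then remove the old one. It assumes a domain-joined machine on which the "Store BitLocker recovery information in AD DS" policy is enabled so that `Backup-BitLockerKeyProtector` succeeds; the function name and its default mount point are the example's own.

```powershell
# Added example, not part of the Endpoint Central product or this page.
#Requires -RunAsAdministrator

function Invoke-RecoveryKeyRotation {
    param([string]$MountPoint = 'C:')   # example default; pass any BitLocker volume

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $oldIds = @($before.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object KeyProtectorId)

    # 1. Add a fresh recovery password protector; Windows generates the 48-digit key.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId } |
        Select-Object -First 1

    # 2. Escrow the new protector in AD DS. If this fails, roll back the new
    #    protector: the old key is still valid and still escrowed, so nothing is lost.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        throw "AD DS backup failed on $MountPoint; new protector removed, old key retained. $_"
    }

    # 3. Only now retire the previous recovery password(s).
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    "Rotated recovery key on ${MountPoint}: new protector $($new.KeyProtectorId) escrowed in AD DS"
}

Invoke-RecoveryKeyRotation -MountPoint 'C:'
```

The rotation period in the policy corresponds to running this on a schedule; the important design choice is step ordering. Removing the old protector before the new one is confirmed in the directory would, on any backup failure, leave a machine whose only recovery key exists nowhere but on the machine itself.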

Once the above-mentioned settings have been configured according to your requirements, you can save the policy as a draft or save and publish it directly.

Once a policy has been created and saved, it will be available in the policy list in the Policy Creation view.

You have successfully created an encryption policy.

The BitLocker module also enables you to decrypt drives when required.

How to decrypt the drives in the BitLocker module?

  • Navigate to the BitLocker module on the Endpoint Central console -> Policy Creation -> Create Policy
  • Provide a name for your policy and if needed, add a description.
  • Do not switch on the Drive Encryption option for decryption of your drives.

When the setting is disabled, all the drives will be decrypted.

You can now save and publish directly.

Once a policy has been created and saved, it will be available in the policy list in the Policy Creation view.

You have successfully created a decryption policy.

Download a 30-day free trial and try it out for yourself!

Related documents

  1. BitLocker Management
  2. BitLocker overview
  3. BitLocker Encryption Pre-requisites
  4. Complete feature list
  5. How to find BitLocker recovery keys
  6. How to automate BitLocker deployment for encryption
  7. Frequently asked questions

For more information on the new Endpoint Security suite products including BitLocker Management, refer here.