How to create BitLocker policies to secure enterprise data?

Data encryption should be a high priority on any enterprise network. For businesses with a large number of machines, enabling BitLocker by hand on each one is impractical. The BitLocker module in Endpoint Central addresses this by letting you manage and secure drives centrally.

Create BitLocker drive encryption policies for the machines in your network to secure your data. The module lets you build flexible policies so that each machine's drives are encrypted according to its requirements.

How to create an encryption policy in the BitLocker module?

  • Navigate to the BitLocker module on the Endpoint Central console -> Policy Creation -> Create Policy
  • Provide a name for your policy and if needed, add a description.
  • Switch on the Drive Encryption toggle.

[Screenshot: the Drive Encryption toggle in the policy editor]

When this setting is enabled, the drives of the machines the policy targets will be encrypted.

Once Drive Encryption is switched on, the policy exposes the authentication and encryption settings described below for the machines in your network.

Protect your machines with authentication

The BitLocker policies let you secure your machines with pre-boot authentication. The authentication types on offer depend on whether the machine has a TPM.

Authentication Type for machines with TPM

Authentication for machines with a TPM is enabled by choosing one of the three options shown in the image.

[Screenshot: TPM authentication options]

  • TPM only: The drives are unlocked by the TPM alone; no user input is required at boot. Because the key is released without any user secret, this option protects data on a lost or stolen machine only as far as the Windows sign-in does, so prefer one of the PIN options for machines that leave the office.
  • TPM and PIN: TPM authentication is followed by a PIN. The PIN may contain only digits and must be 6 to 20 digits long. It must be entered at every boot.
  • TPM and Enhanced PIN: TPM authentication is followed by an enhanced PIN, which may combine letters, digits and special characters. It must be 6 to 20 characters long and must be entered at every boot. Not every pre-boot environment can take non-numeric keyboard input, so test enhanced PINs on each hardware model before rolling them out.

Authentication type for machines without TPM

Authentication for machines without a TPM can only be enabled with the passphrase option. The user is prompted for the passphrase every time the computer starts. Windows only allows BitLocker on an OS drive without a compatible TPM when policy permits it, and with no TPM the passphrase is the only thing standing between an attacker who holds the hardware and the data, so its length and quality matter more here than a PIN does on a TPM machine.
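To confirm what a published policy actually produced on a given machine, the following PowerShell script (an added example for this page, not Endpoint Central's own code) reports the TPM state, maps the key protectors on the OS volume back to the authentication types named above, and validates a candidate PIN against the 6 to 20 character rules. It uses only the built-in TrustedPlatformModule and BitLocker modules and must run elevated. The registry check for the enhanced PIN setting reads the standard BitLocker policy value that Group Policy writes; whether Endpoint Central writes the same value is an assumption, and a missing value is reported as empty.

```powershell
# Added example, not Endpoint Central's own code. Run in an elevated PowerShell.
# Requires the built-in TrustedPlatformModule and BitLocker modules.

function Get-TpmSummary {
    # Get-Tpm needs admin rights; on a machine with no TPM it still returns an
    # object, with TpmPresent = $false.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present = $tpm.TpmPresent
        Ready   = $tpm.TpmReady      # owned, enabled and activated
    }
}

function Get-OsDriveAuthentication {
    # Maps the key protectors on the OS volume to the authentication types
    # named in the policy: 'TPM only', 'TPM and PIN', or 'Passphrase'.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    if (-not $os) { throw 'No operating system volume reported by BitLocker.' }

    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $auth = switch ($true) {
        ($types -contains 'TpmPin')   { 'TPM and PIN'; break }
        ($types -contains 'Tpm')      { 'TPM only'; break }
        ($types -contains 'Password') { 'Passphrase (no TPM)'; break }
        default                       { 'None' }
    }

    # "Allow enhanced PINs for startup" lands in this value when set through
    # Group Policy. Assumption: Endpoint Central writes the same value.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $enhanced = (Get-ItemProperty -Path $fve -Name UseEnhancedPin -ErrorAction SilentlyContinue).UseEnhancedPin

    [pscustomobject]@{
        MountPoint        = $os.MountPoint
        ProtectionStatus  = $os.ProtectionStatus   # On only once a protector is active
        Authentication    = $auth
        EnhancedPinPolicy = $enhanced
        RecoveryPassword  = [bool]($types -contains 'RecoveryPassword')
    }
}

function Test-PolicyPin {
    # Checks a candidate PIN against the rules stated in the policy:
    # 6 to 20 characters; digits only unless the enhanced PIN is in use.
    param(
        [Parameter(Mandatory)][string]$Pin,
        [switch]$Enhanced
    )
    if ($Pin.Length -lt 6 -or $Pin.Length -gt 20) { return $false }
    if (-not $Enhanced -and $Pin -notmatch '^[0-9]+$') { return $false }
    return $true
}

Get-TpmSummary
Get-OsDriveAuthentication
Test-PolicyPin -Pin '1234'                    # too short for the policy
Test-PolicyPin -Pin 'Tr0ub4dor!'              # letters without -Enhanced
Test-PolicyPin -Pin 'Tr0ub4dor!' -Enhanced    # enhanced PIN of valid length
```

A machine that reports Present = $false from Get-TpmSummary can only receive the passphrase option; a TPM that is present but not Ready will not take the TPM protectors until it is provisioned, which is worth checking before blaming the policy.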

Encryption of your drives can be tuned with the encryption settings in the BitLocker policies. Three encryption scopes are available. Complete encryption is what you get when neither option below is enabled; the two options can be combined if required.

  • Complete encryption of drives.
  • Encryption of OS drives only.
  • Encryption of used space only.

Complete Encryption of drives

[Screenshot: encryption settings with neither option enabled]

For full-disk encryption, enable only the Drive Encryption setting.

  • Ensure that both Encrypt OS drive only and Encrypt used space only are disabled.
  • With only Drive Encryption enabled, all drives are fully encrypted, free space included.

Encrypt OS drive only

To encrypt only the OS drive, enable Encrypt OS drive only in the Encryption Settings section.

[Screenshot: Encrypt OS drive only enabled]

The drive that Windows is installed on is encrypted, and all other data drives are left, or remain, unencrypted. Data that users keep on secondary drives is therefore not protected by this setting.

Encrypt used space only

To encrypt only the used space, enable Encrypt used space only in the Encryption Settings section.

[Screenshot: Encrypt used space only enabled]

Only the space currently in use on each drive is encrypted; free space is left, or remains, unencrypted. This is much faster on a newly provisioned machine, but on a drive that has been in use, free space may still hold remnants of deleted files in clear text, so use complete encryption for machines that already carry data.

BitLocker also lets you choose the encryption method used for your machines. One set of methods is available for machines running Windows 10 and above and another for machines running Windows 8.1 and below. If no method is selected, the default is either the method previously configured through GPO or the method already associated with the system OS.

Two caveats apply. XTS-AES was introduced in Windows 10 version 1511, and a drive encrypted with it cannot be read by earlier Windows versions, which matters for data drives that move between machines. And the method is fixed once a drive is encrypted: changing it on an already encrypted drive means decrypting and re-encrypting it.

Encryption Method for machines with Windows 10 and above

[Screenshot: encryption method drop-down for Windows 10 and above]

The drop-down lists the methods that Windows 10 and later support.

Encryption Method for machines with Windows 8.1 and below

[Screenshot: encryption method drop-down for Windows 8.1 and below]

The drop-down lists the methods that Windows 8.1 and earlier support.
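Once a policy has been applied, the scope and method it was meant to set can be audited per volume. The following PowerShell script is an added example for this page, not Endpoint Central's own code: it walks every volume BitLocker knows about, compares it with an expected scope (Full or OsOnly) and an expected method, and lists the findings. It uses only the built-in BitLocker module and must run elevated. The parameter names and the default of XtsAes256 are this example's assumptions, not values taken from the product.

```powershell
# Added example, not Endpoint Central's own code. Run in an elevated PowerShell.

function Get-BitLockerAudit {
    param(
        # 'Full' = every drive encrypted; 'OsOnly' = only the OS drive.
        [ValidateSet('Full', 'OsOnly')][string]$ExpectedScope = 'Full',
        # Method the policy selects; XTS-AES exists from Windows 10 1511 on.
        [ValidateSet('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')]
        [string]$ExpectedMethod = 'XtsAes256'
    )

    foreach ($v in Get-BitLockerVolume) {
        $findings = @()
        $shouldBeEncrypted = ($ExpectedScope -eq 'Full') -or ($v.VolumeType -eq 'OperatingSystem')

        if ($shouldBeEncrypted) {
            switch ($v.VolumeStatus) {
                'FullyEncrypted'       { }
                'EncryptionInProgress' { $findings += "encrypting, $($v.EncryptionPercentage)% done" }
                'DecryptionInProgress' { $findings += 'decrypting, check whether a decryption policy was applied' }
                default                { $findings += "expected encrypted, found $($v.VolumeStatus)" }
            }
            # ProtectionStatus is Off while BitLocker is suspended or the
            # hardware test before the first reboot has not completed yet.
            if ($v.ProtectionStatus -ne 'On') { $findings += "protection is $($v.ProtectionStatus)" }
            # The method is fixed once the volume is encrypted; changing it
            # means decrypting and re-encrypting, so a mismatch is worth noting.
            if ($v.VolumeStatus -ne 'FullyDecrypted' -and $v.EncryptionMethod -ne $ExpectedMethod) {
                $findings += "method is $($v.EncryptionMethod), policy wants $ExpectedMethod"
            }
        }
        elseif ($v.VolumeStatus -ne 'FullyDecrypted') {
            $findings += "OS-only scope but data volume is $($v.VolumeStatus)"
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Type       = $v.VolumeType
            Status     = $v.VolumeStatus
            Method     = $v.EncryptionMethod
            Percent    = $v.EncryptionPercentage
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-BitLockerAudit -ExpectedScope Full -ExpectedMethod XtsAes256 | Format-Table -AutoSize
```

Removable drives also show up with a VolumeType of Data, so filter by MountPoint if the policy is not meant to cover them. Get-BitLockerVolume does not say whether a volume was encrypted with used space only; for that, the Conversion Status line in the output of `manage-bde -status` is the place to look.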

Advanced settings

The BitLocker policies contain advanced settings where you can allow the restart to be postponed, send recovery keys to the domain controller, and set a rotation period for recovery keys.

[Screenshot: Advanced settings]

  • Allow users to postpone restart: For BitLocker encryption to complete, the machine has to be restarted. You can allow the user to postpone the restart for a certain number of days. Once that period expires, the computer is restarted automatically and encryption begins. Note: On recent Windows versions a restart may not be required, in which case encryption starts automatically.
  • Update recovery key to domain controller: Once a new recovery key is generated, you can send it to the domain controller by switching on Update recovery key to domain controller. This keeps a consolidated list of the latest recovery keys in Active Directory, so a recovery does not depend on the product server being reachable. If the option is disabled, the recovery keys are available only in the product server.
  • Allow periodic rotation of recovery key: Switching this on opens Specify rotation period for changing recovery key. As an added precaution, specify a rotation period after which the old recovery keys are replaced with new ones. After the specified number of days, new recovery keys are generated automatically. Rotation invalidates the old key, so any copy of it that was printed or saved elsewhere stops working; make sure the new key has reached the domain controller or product server before relying on it.
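The two recovery-key settings above are the ones worth verifying independently, because a recovery key that never reached Active Directory is only found out when someone needs it. The following PowerShell script is an added example for this page, not Endpoint Central's own code: it lists every recovery password protector on the machine and whether an msFVE-RecoveryInformation object for it exists under the computer account in AD, escrows any that are missing, and shows the manual equivalent of a rotation, ordered so that the new key is escrowed before the old one is removed. It assumes a domain-joined machine, an elevated PowerShell, the RSAT ActiveDirectory module, and an account allowed to read the recovery information objects. The function names are this example's own.

```powershell
# Added example, not Endpoint Central's own code. Run elevated on a
# domain-joined machine with the RSAT ActiveDirectory module installed.

function Get-RecoveryPasswordEscrowState {
    # AD stores each recovery password as an msFVE-RecoveryInformation object
    # under the computer account; the object name ends with the protector's {GUID}.
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $inAd = @(Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } |
        ForEach-Object { $_.Name })

    foreach ($v in Get-BitLockerVolume) {
        $v.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object {
                $id = $_.KeyProtectorId          # "{GUID}" as BitLocker reports it
                [pscustomobject]@{
                    MountPoint     = $v.MountPoint
                    KeyProtectorId = $id
                    InAD           = [bool]($inAd | Where-Object { $_ -like "*$id*" })
                }
            }
    }
}

function Repair-RecoveryPasswordEscrow {
    # Pushes to AD any recovery password that AD does not have yet.
    Get-RecoveryPasswordEscrowState | Where-Object { -not $_.InAD } | ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $_.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        "escrowed $($_.KeyProtectorId) for $($_.MountPoint)"
    }
}

function Invoke-RecoveryPasswordRotation {
    # Manual version of what a rotation period does: add a fresh recovery
    # password, escrow it, and only then remove the old one, so there is never
    # a moment with no escrowed recovery password for the volume.
    param([Parameter(Mandatory)][string]$MountPoint)

    $old = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $new = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($new.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }).KeyProtectorId

    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null

    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    "rotated recovery password on $MountPoint; new protector $newId"
}

Get-RecoveryPasswordEscrowState | Format-Table -AutoSize
```

Backup-BitLockerKeyProtector writes to AD directly from the client, so this check and repair cover the Active Directory copy only; the copy held in the product server is maintained by the Endpoint Central agent and is reported in the console.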

Once the settings above have been configured according to your requirements, you can save the policy as a draft, or save and publish it directly.

Once a policy has been created and saved, it appears in the policy list in the Policy Creation view.

You have successfully created an encryption policy.

The BitLocker add-on also lets you decrypt drives when required.

How to decrypt the drives in the BitLocker module?

  • Navigate to the BitLocker module on the Endpoint Central console -> Policy Creation -> Create Policy
  • Provide a name for your policy and if needed, add a description.
  • Leave the Drive Encryption option switched off.

When a policy with Drive Encryption switched off is applied, all drives on the targeted machines are decrypted. Decryption runs in the background and can take a long time on large drives; the machine stays usable, but its data is unprotected from that point on, so target such a policy narrowly.

You can now save and publish it directly.

Once a policy has been created and saved, it appears in the policy list in the Policy Creation view.

You have successfully created a decryption policy.