Enabling BitLocker

Using BitLocker allows Ivanti EPMM administrators to encrypt data on Windows 10 Desktop devices and to prevent data from being copied from a removable drive (such as a USB stick) to a fixed drive and vice versa. Administrators create rules to enable BitLocker on Windows 10 Desktop devices to:

  • Encrypt devices

  • Enable USB sticks

  • Enable removable drives

  • Recover stored AD password

  • Recover a password from either AD or Ivanti EPMM

Before you begin 

Enable Bridge. See Setting up Bridge for details.

Procedure 

  1. Log into the Admin Portal.

  2. Go to Policies & Configs > Policies.

  3. Select the Default Security Policy link and then select Edit in the Policy Details panel.

  4. In the Data Encryption section, select On for Data Encryption to enforce the device password option.

  5. In the For Windows 10 Desktop section, select Bit Locker On to enable it.

  6. Make your configuration settings, referring to the Enable BitLocker fields table for details.

  7. Select Save.

The encryption process begins after the device restarts. Depending on the size of the drive, encrypting the device can take 45 minutes or longer. Encryption runs as a background process and does not interfere with the user. Until the encryption process is finished, the device is shown as out of compliance with Ivanti EPMM.

BitLocker data encryption

The following table summarizes the fields and descriptions for enabling BitLocker:

Table 77.  Enable BitLocker fields

Field
  Description

Bit Locker
  The options are On and Off. Bit Locker is applied only to Windows 10 Desktop devices and only when Bridge is enabled.

Read Only for unencrypted removable drives
  Select to encrypt removable drives (such as USB sticks) so that the data is read only and cannot be moved to another device.

Read Only for unencrypted fixed drives
  Select to encrypt fixed drives so that the data is read only and cannot be moved to another device.

Encryption Type
  The options are 128 bit and 256 bit.

Drive to encrypt
  Select the OS drive you want to encrypt.

Recovery Options
  You can recover a password and store it in Active Directory (AD), recover a password and store it in both AD and Ivanti EPMM, or disable password recovery.

TPM Options
  TPM (Trusted Platform Module) is used for encryption and, when configured, requires the use of a password. The following options determine which startup credential the user must set up:

  A) If a user chooses the TPM option, no additional startup password or startup PIN is required. Only the default Windows password is required.

  B) If a user chooses the TPM + PIN option, the user must enter a startup PIN in addition to the Windows password. The startup PIN must be entered before the device boots and loads Windows.

  C) If a user chooses NO TPM, the user must enter a startup password in addition to the Windows password. The startup password must be entered before the device boots and loads Windows.

  The startup PIN in B) and the startup password in C) are in addition to the Windows password, which is required in all three cases.

Restart Interval
  Sets the interval between this security policy being applied and the device restarting.

Restart Message
  Enter the message you want the user to see before the device restarts. If you do not enter a custom message, Ivanti EPMM sends a default message.
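Added example, not from the Ivanti EPMM documentation: a PowerShell check, run as Administrator on a managed Windows 10 Desktop device after the restart, that compares the local BitLocker state with the values chosen in the Enable BitLocker fields. The $Expected mapping of those fields onto Windows encryption methods, key protector types and the RDVDenyWriteAccess policy value is an assumption, as is the function name Test-BitLockerPolicy.

```powershell
# Assumed mapping of the Enable BitLocker fields onto Windows values; adjust to the saved policy.
$Expected = @{
    EncryptionMethod   = 'XtsAes256'   # Encryption Type: 128 bit -> XtsAes128, 256 bit -> XtsAes256 (assumed)
    StartupProtector   = 'TpmPin'      # TPM Options: A) 'Tpm', B) 'TpmPin', C) 'Password' (NO TPM)
    RecoveryEnabled    = $true         # Any Recovery Option other than "disable password recovery"
    DenyWriteRemovable = $true         # Read Only for unencrypted removable drives
}

function Test-BitLockerPolicy {
    param([hashtable]$Expected)
    $findings = @()

    # Drive to encrypt: the OS drive
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "OS drive is $($os.VolumeStatus); EPMM shows the device out of compliance until encryption finishes"
    }
    if ($os.EncryptionMethod -ne $Expected.EncryptionMethod) {
        $findings += "Encryption method is $($os.EncryptionMethod), expected $($Expected.EncryptionMethod)"
    }

    # TPM Options: which pre-boot credential protects the volume master key
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains $Expected.StartupProtector) {
        $findings += "Startup protectors are [$($types -join ', ')], expected $($Expected.StartupProtector)"
    }
    if ($Expected.StartupProtector -ne 'Password' -and -not (Get-Tpm).TpmReady) {
        $findings += 'TPM is not ready, so TPM or TPM + PIN protection cannot be enforced'
    }

    # Recovery Options: a recovery password protector must exist before it can be stored in AD or EPMM
    if ($Expected.RecoveryEnabled -and $types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector; password recovery from AD or EPMM is not possible'
    }

    # Read Only for unencrypted removable drives: Windows keeps this policy as RDVDenyWriteAccess (assumed)
    $fve = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $deny = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    if ($Expected.DenyWriteRemovable -and $deny -ne 1) {
        $findings += 'Unencrypted removable drives are not forced read only'
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-BitLockerPolicy -Expected $Expected | Format-List
```

A non-compliant result lists each field whose device-side state differs from the policy, which is the same condition that keeps the device out of compliance in Ivanti EPMM until encryption finishes.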