Enabling BitLocker

Using BitLocker allows Core administrators to encrypt data on Windows 10 Desktop devices and prevent the ability to copy data from a removable drive (such as a USB stick) to a fixed device and vice versa. Administrator create rules to enable BitLocker on Windows 10 Desktop devices to:

•encrypt devices

•enable USB sticks

•enable removable drives

•recover stored AD password

•recover a password from either AD or Core

Before you begin

Enable Bridge. See Setting up Bridge for details.

Procedure

Log into the Admin Portal.

Go to Policies & Configs > Policies.

Click the Default Security Policy link and then click Edit in the Policy Details panel.

In the Data Encryption section, click On for Data Encryption to enforce the device password option.

In the For Windows 10 Desktop section, click Bit Locker On to enable it.

Make your configuration settings, referring to the Enable BitLocker fields table for details.

Click Save.

The encryption process begins after restarting the device. Depending on the size of the drive, the device can take anywhere from 45 minutes or longer to finish encrypting the device. This is a background process and does not interfere with the users. When a device is not encrypted it is shown out of compliance with Core until the encryption process is finished.

Bit Locker data encryption

The following table summarizes fields and descriptions for enabling Bit Locker:

Table 1. Enable BitLocker fields
Fields	Description
Bit Locker	The options are On and Off. Bit Locker is applied only for Windows 10 desktop devices and only when Bridge is enabled.
Read Only for unencrypted removable drives	Click to encrypt removable drives (such as USB sticks) so the data is read only and cannot be moved to another device.
Read Only for unencrypted fixed drives	Click to encrypt fixed drives so the data is read only and cannot be moved to another device.
Encryption Type	The options are 128 bit and 256 bit.
Drive to encrypt	Select the OS drive you want to encrypt.
Recovery Options	You can recover a password and store it in Active Directory (AD), recover a password and store in both AD and Core, or disable password recovery.
TPM Options	TPM is Trusted Platform Module (used for encryption) and when configured requires the use of a password. The following options are for the users to set up startup passwords: A) If a user chooses the TPM option, then no additional startup password or startup PIN is required. Only the default Windows password is required. B) If a user chooses TPM + PIN option, then, in addition to the Windows password, the user is required to enter a startup PIN. This startup pin is required to be entered before the device boots up and loads windows. C) If a user chooses NO TPM, then in addition to the Windows password, the user is required to enter a startup password. This startup password is required to be entered before the device boots up and loads windows. The startup PIN and password in B) and C) are in addition to the Windows password which is required in all 3 cases.
Restart Interval	Use this option to determine what the interval is after this security policy is applied before the device restarts.
Restart Message	Enter a message you want the user to see before the device restarts. If you do not enter a custom message, Core sends a default message.