BitLocker Encryption Configuration

License: Bridge

Applicable to: Windows Desktop


Setting up BitLocker Encryption

BitLocker Encryption is a Windows feature that enforces encryption on the hard drives and removable drives of devices to protect the data stored on them. A Bridge setup is a prerequisite for managing BitLocker encryption; see Bridge for more details. A BitLocker Encryption Configuration lets you define encryption settings and apply them to one or more devices.

Procedure

  1. In the Configuration tab, click +Add.

  2. Select BitLocker Encryption configuration. The BitLocker Encryption page is displayed.

  3. In the Name field, type an appropriate name for the BitLocker encryption.

  4. Click the +Add Description link to add a description for the configuration. This field is optional.

  5. In the Configuration Setup section, configure the following settings:

    Encryption method and type
      Select the encryption algorithm and key size. The following options are available:

      • AES-CBC 128 bit

      • AES-CBC 256 bit

    Encrypt all hardware drives
      Click the toggle button to turn the setting ON or OFF to encrypt all the hardware drives.

      If any hardware drive on a device is already encrypted, editing this configuration has no effect on that device, because encryption that has already started cannot be reversed by editing the configuration.

    Select Drive(s)
      Select the drive(s) that need to be encrypted. Example: C:

      Click +Add to add more drives.

      This field is not displayed if you have turned ON the Encrypt all hardware drives setting.

    Hardware based encryption for drive types
      The Trusted Platform Module (TPM) is a chip on the computer's motherboard that supports tamper-resistant encryption. If you use BitLocker encryption or device encryption on a computer with a TPM, part of the key is stored in the TPM. You can choose one of the following hardware-based encryption options from the drop-down list:

      • Require TPM on startup

      • Require startup PIN with TPM

      • Do not use TPM

      The TPM options apply only to OS drives and require TPM version 1.2 or later.

      After a hardware-based encryption setting has been applied to a device, you can no longer edit this setting for that device.

      If a device already has a BitLocker configuration, you cannot push a second BitLocker configuration with a different TPM option.

      Select the following configuration checkbox options (optional):

      • Deny write access to fixed drives not protected by BitLocker

      • Deny write access to removable drives not protected by BitLocker

    Pre-encrypted Device Action
      Select one of the following options to define how a drive that is not fully decrypted, or that already has a key protector, is handled:

      • Stop encryption - Stops the encryption if any of the selected drives is already encrypted.

      • Decrypt the selected drive which doesn't have recovery password stored in Ivanti Neurons for MDM - Select this option to apply the configuration only to drives that do not have a recovery password stored in Ivanti Neurons for MDM.

    Recovery Options
      The recovery option is used if a user forgets the password. You can retrieve the recovery password from the device details page. You can configure the following recovery options:

      • Disable Recovery

      • Use password and store in AD

      • Use password and store in AD and MobileIron

    Restart interval
      After the configuration is pushed to the device, the device prompts the user to restart. Encryption begins after the restart. To configure the restart interval, select from the drop-down list how long the device waits before it restarts. The minimum restart interval is 1 minute and the maximum is 120 minutes (2 hours).

    Restart Message
      Type the restart message that should be displayed on the device.

      If applicable, the startup password or the startup PIN is also displayed to the user, who can make a note of it to type it when prompted after the restart.

  6. Click Next.

  7. Select any of the following options to distribute the settings to device(s).

    Enable this configuration
      Selecting the check box applies this configuration to the selected devices. Clearing the check box removes the configuration from devices to which it has already been applied.

    All Devices
      Distributes the settings to all devices.

    No Devices
      Does not distribute the settings to any device.

    Custom
      Distributes the settings to a defined device group. Select the check box next to the device type for which you wish to distribute the settings. You can alternatively search for device groups by typing the device group name in the Search Device Groups search field. If you wish to create a new device group, click the Create New Device Group link at the bottom of the page. See Device Groups for more information.

    When you select a device category, the details (NAME, PHONE#, and DEVICE TYPE) of the device users in that category are listed under the Distribution Summary section.

  8. Click Done to push the setting to the selected devices.
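Once the configuration has been pushed and the device has restarted, an administrator can check on the endpoint that what BitLocker actually applied matches the settings chosen in step 5. The following PowerShell script is an added example for this page, not code from Ivanti or its documentation. Its function and parameter names are illustrative. The mapping of the page's options to Windows values (AES-CBC 128/256 to the Aes128/Aes256 EncryptionMethod values, the three TPM options to the Tpm, TpmPin and Password protector types, and the two deny-write checkboxes to the FDVDenyWriteAccess and RDVDenyWriteAccess policy values) comes from the Windows BitLocker cmdlets and Group Policy, not from the page.

```powershell
#Requires -RunAsAdministrator
# Verify on a Windows endpoint that the BitLocker state matches the settings a
# BitLocker Encryption Configuration was meant to enforce. Added example; the
# parameter names and the option-to-protector mapping below are assumptions.

function Get-OsDriveProtectorExpectation {
    # Map the configuration's hardware-based encryption option to the key
    # protector type BitLocker creates for the OS drive.
    param(
        [ValidateSet('Require TPM on startup', 'Require startup PIN with TPM', 'Do not use TPM')]
        [string]$Option
    )
    switch ($Option) {
        'Require TPM on startup'       { 'Tpm' }
        'Require startup PIN with TPM' { 'TpmPin' }
        'Do not use TPM'               { 'Password' }
    }
}

function Test-BitLockerConfigCompliance {
    [CmdletBinding()]
    param(
        [ValidateSet('Aes128', 'Aes256')][string]$ExpectedMethod = 'Aes256',  # AES-CBC 128 / 256 bit
        [string]$OsDriveOption = 'Require TPM on startup',
        [string[]]$Drives = @($env:SystemDrive),                               # e.g. 'C:'
        [bool]$DenyWriteToUnprotectedFixed = $false,
        [bool]$DenyWriteToUnprotectedRemovable = $false
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $expectedProtector = Get-OsDriveProtectorExpectation -Option $OsDriveOption

    # The TPM options need TPM 1.2 or later; SpecVersion looks like "2.0, 0, 1.38".
    if ($OsDriveOption -ne 'Do not use TPM') {
        $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if (-not $tpm) {
            $findings.Add('A TPM option is configured but Windows sees no TPM.')
        } else {
            $specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())
            if ($specVersion -lt [version]'1.2') {
                $findings.Add("TPM spec version $specVersion is below 1.2.")
            }
        }
    }

    foreach ($drive in $Drives) {
        $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        if (-not $vol) { $findings.Add("${drive}: volume not found or not BitLocker-capable."); continue }

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("${drive}: status is $($vol.VolumeStatus), expected FullyEncrypted.")
        }
        if ($vol.EncryptionMethod -ne $ExpectedMethod) {
            $findings.Add("${drive}: method is $($vol.EncryptionMethod), expected $ExpectedMethod.")
        }
        $types = @($vol.KeyProtector.KeyProtectorType)
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains $expectedProtector) {
            $findings.Add("${drive}: OS drive lacks a $expectedProtector protector (has: $($types -join ', ')).")
        }
    }

    # The two "Deny write access ..." checkboxes correspond to these FVE policy values.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($DenyWriteToUnprotectedFixed -and $policy.FDVDenyWriteAccess -ne 1) {
        $findings.Add('FDVDenyWriteAccess is not set to 1; unprotected fixed drives stay writable.')
    }
    if ($DenyWriteToUnprotectedRemovable -and $policy.RDVDenyWriteAccess -ne 1) {
        $findings.Add('RDVDenyWriteAccess is not set to 1; unprotected removable drives stay writable.')
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Example run for a device that was sent: AES-CBC 256 bit, TPM with startup PIN,
# drive C: only, deny write access to removable drives not protected by BitLocker.
Test-BitLockerConfigCompliance -ExpectedMethod Aes256 -OsDriveOption 'Require startup PIN with TPM' `
    -Drives 'C:' -DenyWriteToUnprotectedRemovable $true
```

Run it in an elevated session on the device (Get-BitLockerVolume needs administrative rights). An empty Findings array means the device reflects the configuration; a non-empty one tells you which setting did not take effect, which is useful given that several of the settings above cannot be corrected by editing the configuration afterwards.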

Viewing BitLocker Settings

You can view the BitLocker Settings that are set for a device in the Device details page (Devices>Devices>[Device name]) under the BitLocker Settings section. By default, the details are hidden.

You can view the following details by clicking on the view (eye shaped) icon next to each field:

Recovery Password
  When this option is selected, the recovery password is generated by Windows and returned to Ivanti Neurons for MDM after the BitLocker configuration is pushed. If the device goes into recovery mode, the user is prompted to type this password.

  The same recovery password is used if multiple drives are encrypted.

  The recovery password is posted only if the recovery option Use password and store in AD and MobileIron is selected.

PIN
  Displays the 6-digit startup PIN. The PIN is displayed only if you have selected the option Require startup PIN with TPM in the BitLocker configuration setup.

Startup Password
  The startup password set for the device. The startup password is displayed only if you have selected the option Do not use TPM in the BitLocker configuration settings.

TPM version
  Displays the configured TPM version.

Some fields might display N/A based on the settings configured in the BitLocker configuration setup.

  • The status of encryption is displayed under Device encryption status in the Device Details page.
  • The same startup password or PIN is used for all the drives of a device to which BitLocker is applied.
  • If you create a configuration to encrypt a second drive of a device that already has an encrypted drive with a saved recovery password, the earlier password is overwritten. It is therefore recommended that the Recovery Password option is used for only one drive per device.
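The notes above make the recovery password the fragile part of this setup: only one value is stored per device, and a later configuration overwrites it. The following PowerShell script is an added example, not part of the Ivanti product or this page, that audits the recovery-password protectors on a device so an administrator can confirm that every encrypted drive is actually recoverable from the single stored value. The function and parameter names are illustrative; the KeyProtector properties it reads come from the Windows Get-BitLockerVolume cmdlet.

```powershell
#Requires -RunAsAdministrator
# Audit recovery-password protectors on a device against the behaviour the
# notes describe: one recovery password per device, overwritten by later
# configurations. Added example; the function name and parameter are assumptions.

function Get-BitLockerRecoveryAudit {
    [CmdletBinding()]
    param(
        # Set to $false when the configuration used the "Disable Recovery" option.
        [bool]$RecoveryExpected = $true
    )

    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

    $rows = foreach ($vol in $volumes) {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            VolumeType         = $vol.VolumeType
            RecoveryProtectors = $rp.Count
            # The protector ID is what the recovery screen shows the user, so it is
            # what an administrator matches against the value stored in MDM.
            ProtectorIds       = ($rp.KeyProtectorId -join ';')
            # RecoveryPassword is only populated in an elevated session; it is used
            # here for comparison across drives and is not included in the output.
            Passwords          = @($rp.RecoveryPassword | Where-Object { $_ })
        }
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($row in $rows) {
        if ($RecoveryExpected -and $row.RecoveryProtectors -eq 0) {
            $findings.Add("$($row.MountPoint) has no RecoveryPassword protector, so nothing could be stored for it.")
        }
        if (-not $RecoveryExpected -and $row.RecoveryProtectors -gt 0) {
            $findings.Add("$($row.MountPoint) has a RecoveryPassword protector although recovery was disabled.")
        }
        if ($row.RecoveryProtectors -gt 1) {
            $findings.Add("$($row.MountPoint) has $($row.RecoveryProtectors) recovery protectors; only one can match the stored value.")
        }
    }

    # Different recovery passwords across drives mean the stored value can
    # recover at most one of them, since the later configuration overwrote the earlier password.
    $distinct = @($rows.Passwords | Where-Object { $_ } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $findings.Add("$($distinct.Count) different recovery passwords across drives; only the most recently posted one is stored.")
    }

    [pscustomobject]@{
        Volumes  = @($rows | Select-Object MountPoint, VolumeType, RecoveryProtectors, ProtectorIds)
        Findings = $findings.ToArray()
    }
}

Get-BitLockerRecoveryAudit | Format-List
```

The output deliberately lists protector IDs rather than the passwords themselves; the IDs are enough to check that the value shown on the device details page belongs to the protector the recovery screen will ask for. If a device reports more than one distinct password, re-read the third note above: the stored password now covers only the most recently configured drive.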