JumpCloud’s BitLocker policy lets administrators remotely enable and enforce BitLocker Full Disk Encryption for their JumpCloud managed systems. The BitLocker policy also lets admins easily view Recovery Keys for Windows systems that have had this policy applied.
- There are potentially many variations in Windows system and BIOS configurations. It’s best practice to test and verify impactful and fundamental security features. We recommend that administrators deploy the BitLocker policy in a controlled fashion, prior to widespread deployment.
- Some systems ship with, or have configured in their BIOS, a “Require Physical Presence” setting for modifying the TPM. On these systems, a confirmation prompt is shown whenever an attempt is made to modify or clear the TPM, and that confirmation is required for the policy to use the TPM with BitLocker. If a user dismisses the prompt, BitLocker could be enabled but out of sync with the TPM. Test for this behavior and manage it accordingly.
- Before you remove a system with the BitLocker policy, read Removing Windows Systems with the BitLocker Policy.
- The BitLocker policy leverages AES-256 for its encryption method.
- Due to the security vulnerabilities associated with hardware encryption, the BitLocker policy uses software encryption.
- Target systems must be running on Windows 8.1 Pro/Enterprise or Windows 10 Pro/Education/Enterprise.
- Trusted Platform Module requirements:
  - The system must have a TPM 2.0 chip present to enable BitLocker.
  - The TPM must not have multiple numerical passwords currently stored.
  - The TPM must be active.
  - The TPM must allow ownership.
  - The TPM must not currently be owned.
- External drives and CD/DVDs must not be mounted when BitLocker is being enabled; otherwise BitLocker can struggle to determine which volume it needs to encrypt when the policy runs.
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to Policies.
- Click ( + ), then select Add Windows Policy. The Configure New Windows Policy panel appears.
- Find the BitLocker Full Disk Encryption policy, then click Configure.
- Apply the policy to a Group of Systems on the System Groups tab, or to an individual system on the Systems tab.
- The policy updates to enable BitLocker on the machine. A user sees a prompt indicating that they must reboot their machine to enable BitLocker, and the Policy Status is updated to read "BitLocker Not Protected - Encryption has been enabled. System drive encryption will begin on the next boot."
- After the user reboots their machine, the volume begins encrypting.
- After the drive has completed encrypting, BitLocker is completely enabled for the system. Admins may view the Recovery Key for the device, and Standard users on the system are unable to disable BitLocker.
- After the policy is applied to the system, the user is notified that they need to reboot their machine to enable BitLocker.
- After the user reboots the system, BitLocker continues to encrypt the drive silently in the background until encryption is complete.
- If JumpCloud detects that BitLocker is already enabled and only has one numerical password stored, we capture and store the Numerical Password (Recovery Key) in JumpCloud.
- For custom BitLocker configurations (for example, configurations that don't require a TPM, use TPM 1.2, or use a PIN), the administrator can configure BitLocker locally on the system according to their requirements. As long as the Protection Status is set to Protection On and only one numerical key protector is present, JumpCloud captures and escrows that key. This lets administrators configure BitLocker without relying on the policy, while still using JumpCloud to store the keys. Only apply the policy after the system is in this state with protection on; otherwise the policy applies as described above.
- After the policy is applied to a system, a Recovery Key is displayed for that respective System in System Details. The drive isn't fully encrypted until the policy result shows that it was applied successfully. Removing this policy won't disable BitLocker or remove key protectors.
- If multiple numerical passwords are detected on the target system, JumpCloud captures the first numerical password that is found.
Be aware that deleting systems with the Windows BitLocker policy also deletes any saved Recovery Keys from JumpCloud. If a system with the BitLocker policy is deleted from JumpCloud, it remains encrypted, and you could potentially be locked out of the system with no way to recover it.
You can avoid getting locked out of a Windows BitLocker system by copying its Recovery Key before you remove it from JumpCloud, and storing the copied key in a safe, accessible location. You can copy keys from the JumpCloud Admin Portal and from the Windows command prompt.
To copy a Recovery Key from the JumpCloud Admin Portal:
- Log in to the Admin Portal: https://console.jumpcloud.com.
- Go to Systems.
- Select a Windows system with the BitLocker policy.
- In the System Panel Details, under Recovery Key, click view key.
To copy a Recovery Key from the Windows command prompt:
- On the Windows system, open the command prompt, running it as an administrator.
- Run the following command: manage-bde -protectors -get C:
- In the output, the value listed under Numerical Password is the Recovery Key; copy it to a safe, accessible location.
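The following PowerShell script is an added example (not JumpCloud's own code) that checks a system against the TPM, removable-media and single-numerical-password prerequisites listed above, reports the BitLocker state JumpCloud looks at when escrowing an existing key, and prints the numerical (recovery) password so it can be copied before the system is removed from JumpCloud. It assumes the built-in TrustedPlatformModule and BitLocker PowerShell modules are available and is run from an elevated PowerShell on the target Windows system.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the JumpCloud documentation or product code.
# Readiness check for the JumpCloud BitLocker policy, plus recovery key dump.

$osDrive  = $env:SystemDrive   # normally C:
$findings = [System.Collections.Generic.List[string]]::new()

# --- TPM requirements: TPM 2.0 present, active, ownership allowed, not owned ---
$tpm    = Get-Tpm
$tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
if (-not $tpm.TpmPresent) {
    $findings.Add('TPM not present')
} else {
    # SpecVersion reads like "2.0, 0, 1.16"; the policy requires a 2.0 TPM
    if ("$($tpmCim.SpecVersion)" -notlike '2.0*') { $findings.Add("TPM spec version '$($tpmCim.SpecVersion)', need 2.0") }
    if (-not $tpm.TpmActivated) { $findings.Add('TPM not active') }
    if ($tpm.TpmOwned)          { $findings.Add('TPM is already owned') }
    $own = $tpmCim | Invoke-CimMethod -MethodName IsOwnershipAllowed
    if (-not $own.IsOwnershipAllowed) { $findings.Add('TPM does not allow ownership') }
}

# --- No external drives or CD/DVDs mounted, or the policy may pick the wrong volume ---
$media = Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -in 'Removable', 'CD-ROM' }
foreach ($m in $media) { $findings.Add("Mounted $($m.DriveType) volume $($m.DriveLetter):") }

# --- Existing BitLocker state: JumpCloud escrows only a single numerical password ---
$vol      = Get-BitLockerVolume -MountPoint $osDrive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -gt 1) {
    $findings.Add("$($recovery.Count) numerical passwords present; JumpCloud captures only the first found")
}

[pscustomobject]@{
    Drive             = $osDrive
    VolumeStatus      = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
    ProtectionStatus  = $vol.ProtectionStatus   # must be On for an existing key to be escrowed
    EncryptionMethod  = $vol.EncryptionMethod   # the policy itself uses AES-256
    RecoveryPasswords = $recovery.Count
    Findings          = if ($findings.Count) { $findings -join '; ' } else { 'ready for BitLocker policy' }
}

# Same information as "manage-bde -protectors -get C:", for copying the key to a safe
# location before the system is deleted from JumpCloud.
foreach ($p in $recovery) { 'Recovery key {0}: {1}' -f $p.KeyProtectorId, $p.RecoveryPassword }
```

The Findings field lists every prerequisite the system fails, so an empty result means the policy can be piloted on that machine as recommended above.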