Create a BitLocker Policy for Windows Devices

BitLocker is an encryption feature built into computers running Windows. It secures your data by scrambling it so it can’t be read without using a recovery key. BitLocker differs from most other encryption programs because it uses your Windows login to secure your data; no extra passwords are necessary. Once you’re logged in, you can access your files normally. After you log out, everything’s secured.

JumpCloud’s BitLocker policy lets IT Admins remotely enforce BitLocker Full Disk Encryption (FDE) on JumpCloud-managed devices.

Considerations:

• There are potentially many variations in Windows devices and BIOS policies. It’s best practice to test and verify impactful and fundamental security features. We recommend that admins deploy the BitLocker policy in a controlled fashion, prior to widespread deployment.
• Some devices ship or have configured in their BIOS the ability to Require Physical Presence when modifying the TrustedPlatformModule (TPM). For these devices, a prompt that requires confirmation is shown when an attempt is made to modify and clear the TPM. This confirmation is required for the policy to utilize the TPM in BitLocker. If a user dismisses the confirmation, BitLocker could be enabled and be out of sync with the TPM. This should be tested and managed accordingly.
• Before you remove a device with the BitLocker policy, see Removing Windows Devices with the BitLocker Policy.
• JumpCloud supports international languages in BitLocker encryption. The following languages have been verified by JumpCloud:
  • English
  • German 
  • French
  • Spanish 
  • Chinese 

Encryption Considerations:

• The BitLocker policy leverages AES-256 for its encryption method.
• Due to the security vulnerabilities associated with hardware encryption, the BitLocker policy uses software encryption. For more information, see Microsoft’s BitLocker Encryption Guidance documentation. 
• On the Device Details page, the disk encryption status that displays under both the Details and System Insights drop-downs may take up to 2 hours to populate, and both fields may not populate at the same time. 

Prerequisites:

• Target devices must be running on Windows 10 Pro/Enterprise or Windows 11 Pro/Enterprise. The policy will fail if enabled on Windows 10 Home or Windows 11 Home Editions.
• Trusted Platform Module (TPM) Requirements:
  • Device must have a TPM 2.0 chip present to enable BitLocker.
  • TPM must not have multiple numerical passwords currently stored.
  • TPM must be active.
  • TPM must allow ownership.
  • TPM must not currently be owned.
• External drives, CDs, or DVDs can not be mounted, or else BitLocker can struggle to determine which volume it needs to encrypt when the policy is run.

Admin Experience

IT Admins can create a policy to force BitLocker encryption on managed devices and easily view Recovery Keys. 

To create a BitLocker policy:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policies.
3. Under the All tab, click ( + ).
4. Select the Windows tab.
5. Select the BitLocker Full Disk Encryption policy, then click policy.
6. (Optional) Select Encrypt All Non-Removable Drives to encrypt all fixed drives on the devices the policy will be enforced on. 
7. Apply the policy to a group of devices in the Device Groups list, or to an individual device in the Devices list.
8. Click save.

After an Admin saves the policy, JumpCloud enables BitLocker on the devices where this policy is applied.

• When the device’s volume is completely encrypted, you can view a Recovery Key that can be used to unlock all encrypted drives on that device.
• The drive isn’t fully encrypted until the policy result shows that it was applied successfully in the Admin Portal.
• Removing this policy doesn’t disable BitLocker or remove key protectors.

The Admin must wait for the following actions to happen before viewing Recovery Key:

1. A user sees a prompt requesting that they restart their device to enable BitLocker.
2. In the Admin Portal, go to DEVICE MANAGEMENT > Policy Management.
3. Verify that the Policy Status is updated to BitLocker Not Protected – Encryption has been enabled. Device drive encryption will begin on the next boot.
4. The user restarts their device.
5. BitLocker begins encrypting the user’s volume.

After the drive is completely encrypted, Admins can view the Recovery Key:

1. In the Admin Portal, go to DEVICE MANAGEMENT > Policy Management.
2. Select the BitLocker Full Disk Encryption policy, and then select the Devices tab to display a list of encrypted devices.
3. From the list, locate your desired device and click view key to display the device’s Recovery Key. Users who are not administrators on the device can’t disable BitLocker.

Checking Status of BitLocker Encryption

If you have System Insights enabled, you can view the status of your devices’ encryption in the Admin Portal.

To view the encryption status of the drives on a device:

1. In the Admin Portal, go to DEVICE MANAGEMENT > Devices.
2. Select the Devices tab.
3. Select the device, then select the Insights tab.
4. View the status of the disk encryption under System and Hardware. The Encryption Status field displays one of these statuses:
   • Decrypted
   • Encrypted
   • Encrypted (Suspended)
   • Encrypting…(XX%)
   • Decrypting…(XX%)
   • Encryption Paused (XX%)
   • Decryption Paused (XX%)
     

User Experience

After a BitLocker policy is applied, users see the following behavior on their devices:

1. A notification appears requesting that the user restart their device to enable BitLocker.
   

2. After the user starts the device, BitLocker continues to encrypt the drive silently in the background until encryption is complete.

Expected Behavior

• If JumpCloud detects that BitLocker is already enabled and only has one numerical password stored, we capture and store the Numerical Password (Recovery Key) in JumpCloud.
• For custom BitLocker policies (for example, those not requiring TPM, utilizing TPM 1.2, utilizing PIN, etc.) the administrator has the ability to apply and set based on their requirements locally on the device. As long as the Protection Status is set to Protection On, and only one numerical key protector is present, JumpCloud will capture and escrow this key accordingly. This allows Admins to not rely on the policy to set BitLocker, but still utilize JumpCloud for storage of the keys. It’s important to only apply the policy after the device is in this state, and protection is on, otherwise the policy will apply as previously stated. 
• If you select Encrypt All Non-Removable Drives when creating the policy, you will receive a single Recovery Key for all drives. 

Encryption Standard Outcomes

Removing Windows Devices with the BitLocker Policy

If a device is deleted from JumpCloud and it has a BitLocker policy:

• The device volume remains encrypted.
• You could potentially get locked out of the device with no way to recover it. 

You can avoid getting locked out of a Windows BitLocker device by:

• Copying the Recovery Key before you remove it from JumpCloud.
• Storing the copied key in a safe, accessible location.

You can copy keys from the JumpCloud Admin Portal and from the Windows command prompt. 

To copy a Recovery Key from the JumpCloud Admin Portal:

1. In the Admin Portal, go to DEVICE MANAGEMENT > Devices.
2. Select the Devices tab, then select a Windows device with the BitLocker policy.
3. In the Device List, select the Details tab.
4. Under Recovery Key, click view key. 

To copy a Recovery Key from the Windows command prompt:

1. On the Windows device, open a command prompt, running it as an administrator.
2. Run the following command: manage-bde -protectors -get <drive letter>.

To remove a BitLocker recovery key stored in JumpCloud from a device that has its disk fully decrypted:

1. Remove the device from your JumpCloud org.
2. Install the JumpCloud agent manually. See Installing the Windows Agent Manually.

Troubleshooting

See Troubleshoot: BitLocker Policy for Windows Devices.