JumpCloud’s BitLocker policy lets administrators remotely enable and enforce BitLocker Full Disk Encryption for their JumpCloud managed systems. The BitLocker policy also lets admins easily view Recovery Keys for Windows systems that have had this policy applied.
Important: There are potentially many variations in Windows system and BIOS configurations. It’s best practice to test and verify impactful and fundamental security features. We recommended that administrators deploy the BitLocker policy in a controlled fashion, prior to widespread deployment.
Some systems ship or have configured in their BIOS the ability to “Require Physical Presence” when modifying the TPM. For these systems, a prompt that requires confirmation is shown when an attempt is made to modify and clear the TPM. This confirmation is required for the policy to utilize the TPM in BitLocker. If a user dismisses the confirmation, BitLocker could be enabled and be out of sync with the TPM. This should be tested and managed accordingly.
- The BitLocker policy leverages AES-256 for its encryption method.
- Due to the security vulnerabilities associated with hardware encryption, the BitLocker policy uses software encryption.
- Target systems must be running on Windows 8.1 Pro/Enterprise or Windows 10 Pro/Education/Enterprise.
- Trusted Platform Module Requirements:
- System must have a TPM 2.0 chip present to enable BitLocker.
- TPM must not have multiple numerical passwords currently stored.
- TPM must be active.
- TPM must allow ownership.
- TPM must not currently be owned.
- External drives or CD/DVDs may not be mounted in order for BitLocker to be enabled, or else BitLocker can struggle to determine which volume it needs to encrypt when the policy is run.
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to Policies.
- Click ( + ), then select Add Windows Policy. The Configure New Windows Policy panel appears.
- Find the BitLocker Full Disk Encryption policy, then click configure.
- Apply the policy to a Group of Systems on the System Groups tab, or to an individual system on the Systems tab.
- The policy updates to enable BitLocker on the machine. A user sees a prompt indicating that they must reboot their machine to enable BitLocker, and the Policy Status is updated to read "BitLocker Not Protected - Encryption has been enabled. System drive encryption will begin on the next boot."
- After the user reboots their machine, the volume begins encrypting.
- After the drive has completed encrypting, BitLocker is completely enabled for the system. Admins may view the Recovery Key for the device, and Standard users on the system are unable to disable BitLocker.
- After the policy is applied to the system, the user is notified that they need to reboot their machine to enable BitLocker.
- After the user reboots the system, BitLocker continues to encrypt the drive silently in the background until encryption is complete.
- If JumpCloud detects that BitLocker is already enabled and only has one numerical password stored, we capture and store the Numerical Password (Recovery Key) in JumpCloud.
- For custom BitLocker configurations (for example, those not requiring TPM, utilizing TPM 1.2, utilizing PIN, etc.) the administrator has the ability to apply and set based on their requirements locally on the system. As long as the Protection Status is set to Protection On, and only one numerical key protector is present, JumpCloud will capture and escrow this key accordingly. This allows administrators to not rely on the policy to set BitLocker, but still utilize JumpCloud for storage of the keys. It's important to only apply the policy after the system is in this state, and protection is on, otherwise the policy will apply as previously stated.
- After the policy is applied to a system, a Recovery Key is displayed for that respective System in System Details. The drive isn't fully encrypted until the policy result shows that it was applied successfully. Removing this policy won't disable BitLocker or remove key protectors.
- If multiple numerical passwords are detected on the target system, JumpCloud captures the first numerical password that is found.