In this article, we will deal with frequently asked questions on the HEIMDAL BitLocker functionality.
1. What types of volumes can HEIMDAL BitLocker protect?
2. What protector types does BitLocker support?
3. Is the HEIMDAL Agent able to manage volumes that are already protected?
4. How long does it take BitLocker to enforce encryption and protection on the volumes?
5. How does HEIMDAL's BitLocker work?
6. What happens when I disable HEIMDAL BitLocker?
7. What happens when I disable BitLocker's Force disk encryption for OS Volume?
8. What happens when I disable BitLocker's Force disk encryption for Data Volumes?
9. What happens if the BitLocker functionality is not available or enabled on a target endpoint?
10. Can I delay the machine reboot popup?
11. Can I delay the Volume password setup popup?
12. Why is the endpoint not listed on the BitLocker page?
13. What permissions do I need to be able to see a BitLocker recovery key?
What types of volumes can HEIMDAL BitLocker protect?
- system volumes;
- data volumes;
- or both.
The HEIMDAL Agent doesn't support removable media. You can encrypt these devices with BitLocker To Go, but the HEIMDAL Agent won't manage their recovery keys or show them in the HEIMDAL Dashboard.
The HEIMDAL Agent doesn't support BitLocker Network Unlock: you can't configure or manage BitLocker Network Unlock with the HEIMDAL Agent BitLocker functionality. However, if you've configured your infrastructure to use Network Unlock with BitLocker-encrypted computers, the HEIMDAL Agent's BitLocker functionality can co-exist with Network Unlock.
If the machine is not prepared for OS volume BitLocker encryption, the HEIMDAL Agent won't initiate the OS volume encryption (an "unprepared OS volume" error will be displayed in the HEIMDAL Dashboard). In this case, the HEIMDAL Agent will continue collecting volume information (OS and data volumes), and data volumes can still be protected.
What protector types does BitLocker support?
- TPMandPIN for OS (System) volume;
- Passphrase for OS volume and Data volume.
Is the HEIMDAL Agent able to manage volumes that are already protected?
No. To be able to manage these volumes, you need to first disable BitLocker in the Windows Settings for those volumes and restart the machine; the HEIMDAL Agent can then start managing the volumes as per the settings in the Group Policy applied to the computer in question.
When the HEIMDAL Agent starts managing computers that are already encrypted with BitLocker, the Agent can only collect information about all the supported volumes (including their recovery keys if they are already protected). The HEIMDAL Agent will apply the protection policy (encrypt and protect the volumes) only for the unprotected volumes. The HEIMDAL Agent can't collect the recovery key and volume size information of volumes when they are locked.
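As an added check that is not part of Heimdal's documentation or agent code, the following PowerShell script reports what the HEIMDAL Agent will find on an endpoint: TPM readiness for the OS volume (the "unprepared OS volume" case) and, for each volume, whether it is already protected (information collected only), locked (no recovery key or size data) or unprotected (policy will be enforced). It assumes the built-in BitLocker and TrustedPlatformModule cmdlets and that the FAQ's protector names correspond to the KeyProtectorType values TpmPin and Password.

```powershell
# Added example, not Heimdal's code: inventory the BitLocker state the HEIMDAL Agent
# will find on an endpoint. Run as administrator; needs the built-in BitLocker and
# TrustedPlatformModule PowerShell modules (Windows editions that ship BitLocker).

# Protector types the FAQ lists as supported, expressed as the KeyProtectorType
# names reported by Get-BitLockerVolume (this mapping is an assumption of the example).
$supportedOsProtectors   = @('TpmPin')
$supportedDataProtectors = @('Password')

function Get-TpmReadiness {
    # An OS volume cannot take a TPMandPIN protector without a ready TPM; this is
    # the "unprepared OS volume" situation the FAQ describes.
    $tpm = Get-Tpm
    [pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady }
}

function Get-VolumeManagementReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $expected = if ($vol.VolumeType -eq 'OperatingSystem') { $supportedOsProtectors } else { $supportedDataProtectors }

        # What the agent will do with this volume, per the FAQ answers above.
        $agentAction = if ($vol.LockStatus -eq 'Locked') {
            'Locked: recovery key and size cannot be collected'
        } elseif ($vol.ProtectionStatus -eq 'On') {
            'Already protected: info collected only; disable BitLocker in Windows to hand over'
        } else {
            'Unprotected: agent will enforce the Group Policy'
        }

        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            VolumeType         = $vol.VolumeType
            VolumeStatus       = $vol.VolumeStatus
            EncryptionPercent  = $vol.EncryptionPercentage
            ProtectionStatus   = $vol.ProtectionStatus
            LockStatus         = $vol.LockStatus
            Protectors         = ($types -join ',')
            HasRecoveryKey     = ($types -contains 'RecoveryPassword')
            SupportedProtector = (@($types | Where-Object { $expected -contains $_ }).Count -gt 0)
            AgentAction        = $agentAction
        }
    }
}

Get-TpmReadiness | Format-List
Get-VolumeManagementReport | Format-Table -AutoSize
```

Run it before enabling the BitLocker Group Policy to see which volumes will be taken over and which must first be decrypted from Windows.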
How long does it take BitLocker to enforce encryption and protection on the volumes?
There is a wait time of 2 minutes before starting the module operations (after the machine restart or when Group Policy sync occurs). The 2-minute delay is set to avoid protecting volumes based on incorrect status because BitLocker doesn't immediately return the correct volume status after the machine restart.
How does HEIMDAL's BitLocker work?
The data synchronization routine runs every hour. In each cycle, the HEIMDAL Agent checks whether anything has changed since the last cycle:
- it lists all volumes that are eligible for encryption (based on the BitLocker settings in the Group Policy);
- if any of the listed volumes are unprotected, it starts the force disk encryption routine.
The force disk encryption routine runs every 5 minutes: the HEIMDAL Agent takes each unprotected volume and tries to protect it (reporting an error in case of failure). This routine is triggered repeatedly until all volumes are encrypted, and then the process exits.
What happens when I disable HEIMDAL BitLocker?
When you disable BitLocker in the Group Policy settings, the HEIMDAL Agent stops all BitLocker operations:
- it stops collecting data volume information;
- it stops forcing volume protection;
- already-protected volumes will remain protected (the HEIMDAL Agent does not decrypt the volumes; if the user wants to decrypt them, they will have to do it from Windows).
What happens when I disable BitLocker's Force disk encryption for OS Volume?
When you disable Force disk encryption for OS Volume, the HEIMDAL Agent continues to collect volume information (OS and Data Volumes), but it does not force encryption of OS volume from now on. If the OS Volume is already protected, it will remain protected (the HEIMDAL Agent won't decrypt the Volume).
What happens when I disable BitLocker's Force disk encryption for Data Volumes?
When you disable Force disk encryption for Data Volumes, the HEIMDAL Agent continues collecting volume information (OS and Data Volumes), but it does not force encryption of Data Volumes from now on. If the Data Volumes are already protected, they will remain protected (the HEIMDAL Agent won't decrypt the volumes).
What happens if the BitLocker functionality is not available or enabled on a target endpoint?
If BitLocker is not available or enabled, the HEIMDAL Agent will keep showing a reminder (notification) message.
The HEIMDAL Agent won't initiate any BitLocker operations: it will neither collect volume data nor force volume protection. The reminder message will be triggered at each Group Policy check.
Can I delay the machine reboot popup?
Clicking the Cancel button on the dialog popup will dismiss the prompt, but it will trigger again at the next Force disk encryption cycle (every 5 minutes). You will continue to receive notifications reminding you to restart the machine. In order to perform the hardware test, a reboot is required before starting the encryption process. The reboot is only required to encrypt OS Volumes.
Can I delay the Volume password setup popup?
Clicking the Cancel button on the dialog popup will dismiss the prompt, but it will trigger again at the next Force Disk encryption cycle (every 5 minutes). You will continue to receive notifications reminding you to set the password before starting the encryption process.
Why is the endpoint not listed on the BitLocker (under Unified Endpoint Management -> Client Management) page?
There could be several reasons for that:
- the HEIMDAL Agent is not communicating with the HEIMDAL servers, or the endpoint has no Internet connectivity;
- the Windows version/edition is not supported;
- BitLocker is disabled in the Group Policy settings that apply to your endpoint;
- the BitLocker functionality is not available or disabled on the endpoint.
What permissions do I need to be able to see a BitLocker recovery key?
To see and copy a recovery key from the HEIMDAL Dashboard, your account must have the "BitLocker - View the BitLocker Recovery Keys" claim, assigned in the Accounts section under the Access Control tab. Recovery keys are designed to assist when users forget their main volume protector or password. BitLocker Key Rotation (which uses a single-use key for unlocking a BitLocker-encrypted device; once the key is used, a new key is generated and backed up on-premises) is not supported at this time.