In this article, you will learn everything about the BitLocker feature found in the Client Management section of the HEIMDAL Dashboard.
1. System Requirements
2. BitLocker Management view
3. BitLocker client specifics
4. BitLocker settings
BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline. In addition to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a startup key. These security measures provide multifactor authentication and assurance that the device can't start or resume hibernation until the correct PIN or startup key is presented. On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:
- Use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation.
- Use a password. This option isn't secure since it's subject to brute force attacks, as there is no password lockout logic. As such, the password option is discouraged and disabled by default.
Neither option provides the preboot system integrity verification offered by BitLocker with a TPM.
SYSTEM REQUIREMENTS
BitLocker has the following requirements:
- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker.
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class and reading files on a USB drive in the preboot environment.
- The hard disk must be partitioned with at least two drives:
a. The operating system drive (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system.
b. The system drive contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
- Must not be encrypted (note that suspending protection does not decrypt a drive; a suspended drive is still encrypted).
- Must differ from the operating system drive.
- Must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware.
- It's recommended that it be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
- When you encrypt the OS Volume with the TPM and PIN method, make sure that the Require additional authentication at startup policy is enabled in the Local Computer Policy (Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives), because the HEIMDAL Agent does not change the Local Policies. If the policy is missing, enabling the TPM and PIN protector fails on the endpoint.
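The following pre-flight check is an added example, not Heimdal's code or part of the original article. It verifies the requirements listed above on one endpoint from an elevated PowerShell session: TPM presence and specification version, firmware type (which decides the system partition's file system), the existence and size of the separate system partition, the NTFS file system on the OS drive, the registry values that the Require additional authentication at startup policy writes (needed for TPM and PIN), and, on Windows Server, whether the optional BitLocker feature is installed. The registry value names and the ProductType check are standard Windows facts; the function name and the summary logic are this example's own.

```powershell
# Added example (not Heimdal's code): pre-flight check of the BitLocker prerequisites.
# Run in an elevated session; uses the built-in BitLocker and TrustedPlatformModule cmdlets.

function Test-BitLockerPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM presence, readiness and spec version (1.2 or 2.0).
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent     = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady       = [bool]($tpm -and $tpm.TpmReady)
    $result.TpmSpecVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # Firmware type: the system partition must be FAT32 on UEFI and NTFS on legacy BIOS.
    $result.FirmwareType = $env:firmware_type          # 'UEFI' or 'Legacy'

    # Separate system partition (EFI System Partition / System Reserved); it stays unencrypted.
    $sysPart = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    $result.SystemPartitionMB = if ($sysPart) { [math]::Round($sysPart.Size / 1MB) } else { 0 }

    # The OS drive itself must be NTFS.
    $osLetter = $env:SystemDrive.TrimEnd(':')
    $result.OsDriveFileSystem = (Get-Volume -DriveLetter $osLetter).FileSystem

    # "Require additional authentication at startup" lands in HKLM\SOFTWARE\Policies\Microsoft\FVE:
    #   UseAdvancedStartup = 1  -> policy enabled
    #   UseTPMPIN          = 1 (require PIN) or 2 (allow PIN); 0 means PIN not allowed
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.TpmPinPolicyReady = ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -in @(1, 2))

    # Windows Server (ProductType 2 = domain controller, 3 = server): BitLocker is an optional feature.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {
        $result.ServerFeatureState = (Get-WindowsFeature -Name BitLocker).InstallState
    }

    [pscustomobject]$result
}

$check = Test-BitLockerPrerequisites
$check | Format-List

# Turn the raw facts into the blockers an administrator has to clear before pushing the OS Volume setting.
$blockers = @()
if (-not $check.TpmPresent) {
    $blockers += 'No TPM: only a startup key on removable media is possible, and no preboot integrity check.'
}
if ($check.TpmPresent -and -not $check.TpmReady) {
    $blockers += 'TPM present but not ready (not owned/initialised).'
}
if ($check.OsDriveFileSystem -ne 'NTFS') { $blockers += 'OS drive is not NTFS.' }
if ($check.SystemPartitionMB -eq 0)      { $blockers += 'No separate system partition found.' }
if (-not $check.TpmPinPolicyReady) {
    $blockers += '"Require additional authentication at startup" is not enabled; the TPM and PIN protector will fail.'
}
if ($check.ServerFeatureState -and $check.ServerFeatureState -ne 'Installed') {
    $blockers += 'BitLocker feature not installed on this server (install it and reboot).'
}

if ($blockers) { $blockers | ForEach-Object { Write-Warning $_ } } else { 'All BitLocker prerequisites satisfied.' }
```

The registry check only reflects policy that has actually been applied (local policy or a processed GPO); if the policy was just edited, run gpupdate /force first or the values will still be absent.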
BitLocker is supported on Windows 10 1607 (and later versions) and Windows Server 2012 (and later versions), and can be enabled on the following editions: Windows Pro, Windows Pro Education/SE, Windows Education, and Windows Enterprise.
IMPORTANT
The BitLocker feature is not automatically enabled on Windows Server. However, it can be manually enabled from the Windows Features by an Administrator. After manually enabling BitLocker from the Windows Features, the Windows Server endpoint requires a reboot to make the functionality available.
Encryption can take anywhere from a few minutes to a couple of hours, depending on the amount of data to be encrypted, the speed of the computer, and whether the process is interrupted by the computer being turned off or going to sleep. The BitLocker OS Drive encryption does not start until the computer is restarted, so it is safe to finish and save any open work before restarting. If the computer is turned off or goes into hibernation, the BitLocker encryption or decryption process resumes where it stopped the next time Windows starts; this also holds if power is lost suddenly.
The BitLocker module does not automatically update the Recovery Key stored in the Dashboard when the key is modified on the endpoint (for example, when the recovery password is regenerated). To refresh the information, you will need to decrypt and re-encrypt the endpoint. This will ensure that the latest recovery key is transferred to the Dashboard.
BITLOCKER MANAGEMENT view
The BitLocker Management view serves as a central hub for monitoring BitLocker encryption across devices. On top, you see statistics for the number of Active servers, Active endpoints, Fully Secured Devices, Partially Secured Devices, Unsecured Devices, and Devices with Unavailable Recovery Keys.
The collected information is placed in the Standard view, where you can see details referring to the Hostname, Username, Last Seen, Protection Status, Recovery Key, and Error status:
The Protection Statuses range between Fully Secured (all volumes on the devices are protected), Partially Secured (at least one volume on the device is not protected), and Unsecured (no volumes on the device are protected). The Recovery Key can be Backed up (the recovery key for all volumes is stored in our database), Partially Backed Up (the recovery keys for some volumes are missing in our database), or Unavailable (no recovery keys for any volume are stored in our database).
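The function below is an added example, not Heimdal's code or part of the original article. It reproduces the Protection Status and Recovery Key classification described above from the endpoint's side, using the output of Get-BitLockerVolume and a list of recovery password protector IDs assumed to be already stored in the Dashboard (the Dashboard's real storage and API are not part of this page; the ID list is the example's assumption). Comparing protector IDs rather than just counting protectors also surfaces the situation described in the System Requirements section: a recovery password regenerated after the initial backup gets a new protector ID, so the stored copy is stale until the drive is decrypted and re-encrypted. The sample volumes at the end are constructed so the function runs offline.

```powershell
# Added example (not Heimdal's code): per-host Protection Status / Recovery Key classification
# as the BitLocker Management view defines it, computed from Get-BitLockerVolume data.

function Get-BitLockerDashboardStatus {
    param(
        # Volume objects from Get-BitLockerVolume (MountPoint, ProtectionStatus, KeyProtector[]).
        [Parameter(Mandatory)] $Volumes,
        # KeyProtectorIds of recovery passwords the dashboard already holds (assumed input).
        [string[]] $BackedUpProtectorIds = @()
    )

    $vols  = @($Volumes)
    $total = $vols.Count

    # Protection Status: Fully Secured = all volumes protected, Unsecured = none, else Partially.
    $protectedCount = @($vols | Where-Object { $_.ProtectionStatus -eq 'On' }).Count
    $protectionStatus =
        if ($protectedCount -eq 0)      { 'Unsecured' }
        elseif ($protectedCount -eq $total) { 'Fully Secured' }
        else                            { 'Partially Secured' }

    # Recovery Key: a volume counts as backed up only if one of its RecoveryPassword protectors
    # has an ID the dashboard knows. A rotated recovery password has a new ID and so fails this test.
    $backedUpCount = 0
    $problems = @()
    foreach ($v in $vols) {
        $recovery = @($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $ids      = @($recovery | ForEach-Object { $_.KeyProtectorId })
        $known    = @($ids | Where-Object { $_ -in $BackedUpProtectorIds })

        if ($known.Count -gt 0) {
            $backedUpCount++
        } elseif ($recovery.Count -gt 0) {
            $problems += "$($v.MountPoint): recovery password $($ids -join ', ') is not in the dashboard (regenerated after backup?)"
        } else {
            $problems += "$($v.MountPoint): no RecoveryPassword protector on this volume"
        }
    }
    $recoveryKeyStatus =
        if ($backedUpCount -eq 0)      { 'Unavailable' }
        elseif ($backedUpCount -eq $total) { 'Backed up' }
        else                           { 'Partially Backed Up' }

    [pscustomobject]@{
        Hostname            = $env:COMPUTERNAME
        Volumes             = $total
        ProtectionStatus    = $protectionStatus
        RecoveryKey         = $recoveryKeyStatus
        MissingRecoveryKeys = $problems
    }
}

# Constructed sample (not real data): an OS volume protected by TPM plus a recovery password,
# and a data volume that is not protected and whose recovery password has a new ID.
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm';              KeyProtectorId = '{11111111-0000-0000-0000-000000000001}' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{22222222-0000-0000-0000-000000000002}' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'Off'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{33333333-0000-0000-0000-000000000003}' }
        )
    }
)

# The dashboard is assumed to hold only C:'s protector ID; D:'s was regenerated after the backup.
Get-BitLockerDashboardStatus -Volumes $sampleVolumes -BackedUpProtectorIds '{22222222-0000-0000-0000-000000000002}'

# On a real endpoint (elevated), pass the live volumes and the IDs exported from the dashboard instead:
# Get-BitLockerDashboardStatus -Volumes (Get-BitLockerVolume) -BackedUpProtectorIds $idsFromDashboard
```

On a real endpoint the protector ID printed for a volume (Get-BitLockerVolume, KeyProtector, KeyProtectorId) is the same identifier the recovery screen shows, so it is also the value to search for when a user reads out the key ID from a locked machine.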
The Download CSV functionality allows you to generate and download a CSV report that includes all the information displayed in the Standard view. The Filters functionality allows you to filter entries by Protection Status and/or Recovery Key.
BITLOCKER client specifics
The client's specifics provide detailed information about the client's encryption status. The general TPM information displays the TPM Status (active or inactive), the TPM Manufacturer Name, and the TPM Manufacturer Version. The table below includes information related to the Username associated with the volume, the Volume Name, the Volume Type, the Protection Status, the Encryption Status, the Encryption, the Protector, the Auto-Unlock status, the Volume size, and the Recovery Key.
BITLOCKER settings
Enabling BitLocker Management will enable BitLocker on the endpoints by applying the Group Policy.
BitLocker Management - turn ON/OFF the BitLocker product/service.
Force disk encryption - initiates the encryption process according to the following settings.
OS Volume - encrypts the operating system drive (the drive holding Windows, not the unencrypted system partition described under System Requirements) and displays the Encryption Method and the Key Protector Type that need to be configured.
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit).
- Key Protector Type - allows you to select a Key Protector type (TPM, TPM and PIN or Passphrase).
Data Volumes - encrypts the data drive and displays the Encryption Method and the Key Protector Type that need to be configured.
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit).
- Key Protector Type - comes with the Passphrase Key Protector type.
- Auto-Unlock - automatically unlocks volumes that don't host an operating system when the OS volume is unlocked. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
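The sequence below is an added example, not Heimdal's code or part of the original article; it shows the Enable-BitLocker calls that correspond to the settings above (OS Volume with a chosen Encryption Method and Key Protector Type, Data Volumes with a passphrase protector, and Auto-Unlock), the way an administrator would reproduce or verify them by hand on one endpoint. The function name, parameter names, and the assumption that C: is the OS drive and D: a data drive are this example's own. It runs elevated; the usage call at the end passes -WhatIf so that nothing is encrypted until the switch is removed.

```powershell
# Added example (not Heimdal's code): apply the BitLocker settings from the dashboard by hand.
# Requires an elevated session and the built-in BitLocker module.

function Enable-BitLockerPerPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $OsDrive    = 'C:',
        [string[]] $DataDrives = @('D:'),
        # The dashboard's four methods map to these Enable-BitLocker values:
        # XTS-AES 128/256-bit -> XtsAes128/XtsAes256, AES-CBC 128/256-bit -> Aes128/Aes256.
        [ValidateSet('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')]
        [string] $EncryptionMethod = 'XtsAes256',
        # Key Protector Type for the OS volume: TPM, TPM and PIN, or Passphrase.
        [ValidateSet('Tpm', 'TpmAndPin', 'Passphrase')]
        [string] $OsKeyProtector = 'TpmAndPin',
        [securestring] $Pin,             # used for TpmAndPin
        [securestring] $OsPassphrase,    # used for Passphrase (needs "Allow BitLocker without a compatible TPM")
        [securestring] $DataPassphrase   # Data Volumes always get the Passphrase protector
    )

    # 1. Recovery password first, so there is something to escrow before protection turns on.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

    # 2. OS volume. TPM and PIN requires "Require additional authentication at startup";
    #    the agent does not set that policy, so this call fails if it is missing.
    #    Without -SkipHardwareTest, encryption begins only after the next restart.
    switch ($OsKeyProtector) {
        'Tpm'        { Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod $EncryptionMethod -TpmProtector }
        'TpmAndPin'  { Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod $EncryptionMethod -TpmAndPinProtector -Pin $Pin }
        'Passphrase' { Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod $EncryptionMethod -PasswordProtector -Password $OsPassphrase }
    }

    # 3. Data volumes: passphrase protector, recovery password, then Auto-Unlock.
    #    Auto-Unlock stores the data volume's unlock material under the OS volume's protection,
    #    so it can only be enabled once the OS volume is actually protected (i.e. after the restart
    #    that starts OS encryption); until then it is reported and has to be re-run.
    $osProtected = (Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus -eq 'On'
    foreach ($d in $DataDrives) {
        Enable-BitLocker -MountPoint $d -EncryptionMethod $EncryptionMethod -PasswordProtector -Password $DataPassphrase
        Add-BitLockerKeyProtector -MountPoint $d -RecoveryPasswordProtector | Out-Null
        if ($osProtected) {
            Enable-BitLockerAutoUnlock -MountPoint $d
        } else {
            Write-Warning "$d : OS volume not yet protected; run Enable-BitLockerAutoUnlock -MountPoint $d after the restart."
        }
    }

    # 4. Report the result, including the recovery passwords that must be escrowed.
    Get-BitLockerVolume -MountPoint (@($OsDrive) + $DataDrives) |
        Select-Object MountPoint, VolumeType, EncryptionMethod, ProtectionStatus, VolumeStatus,
            @{ n = 'Protectors';       e = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ' } },
            @{ n = 'RecoveryPassword'; e = { ($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword } }
}

# Usage. The PIN and passphrase are constructed for the example; in practice collect them securely
# (Read-Host -AsSecureString) and never leave them in scripts. Remove -WhatIf to actually encrypt.
$pin  = ConvertTo-SecureString '135790' -AsPlainText -Force
$pass = ConvertTo-SecureString 'correct horse battery staple' -AsPlainText -Force
Enable-BitLockerPerPolicy -EncryptionMethod XtsAes256 -OsKeyProtector TpmAndPin -Pin $pin -DataPassphrase $pass -WhatIf
```

Two details worth checking against the dashboard afterwards: the Protector column should list exactly the Key Protector Type you configured plus RecoveryPassword, and the RecoveryPassword value printed here must match what the Recovery Key column shows for the device, since a mismatch means the stored key would not open the volume.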